Form 10-Q
Table of Contents

 

 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, DC 20549

 

 

FORM 10-Q

 

 

(Mark One)

QUARTERLY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the quarterly period ended September 30, 2016

OR

 

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the transition period from                      to                     

Commission File Number: 001-37496

 

 

RAPID7, INC.

(Exact Name of Registrant as Specified in its Charter)

 

 

 

Delaware   35-2423994

(State or other jurisdiction of

incorporation or organization)

 

(I.R.S. Employer

Identification No.)

100 Summer Street

Boston, MA

  02110
(Address of principal executive offices)   (Zip Code)

Registrant’s telephone number, including area code: (617) 247-1717

 

 

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes  ☒    No  ☐

Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§ 232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files).    Yes  ☒    No  ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a smaller reporting company. See the definitions of “large accelerated filer,” “accelerated filer” and “smaller reporting company” in Rule 12b-2 of the Exchange Act.

 

Large accelerated filer      Accelerated filer  
Non-accelerated filer   ☒  (Do not check if a small reporting company)    Small reporting company  

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    Yes  ☐    No  ☒

As of October 31, 2016, there were 42,495,607 shares of the registrant’s common stock, $0.01 par value per share, outstanding.

 

 

 


Table of Contents

Table of Contents

 

         Page  

PART I.

  FINANCIAL INFORMATION   
Item 1.  

Financial Statements

     1   
 

Consolidated Balance Sheets

     1   
 

Consolidated Statements of Operations

     2   
 

Consolidated Statements of Cash Flows

     3   
 

Notes to Consolidated Financial Statements

     4   
Item 2.  

Management’s Discussion and Analysis of Financial Condition and Results of Operations

     12   
Item 3.  

Quantitative and Qualitative Disclosures About Market Risk

     27   
Item 4.  

Controls and Procedures

     28   

PART II.

  OTHER INFORMATION      29   
Item 1.  

Legal Proceedings

     29   
Item 1A.  

Risk Factors

     29   
Item 2.  

Unregistered Sales of Equity Securities and Use of Proceeds

     49   
Item 3.  

Defaults Upon Senior Securities

     49   
Item 4.  

Mine Safety Disclosures

     49   
Item 5.  

Other Information

     49   
Item 6.  

Exhibits

     49   
Signatures      51   
Exhibit Index      52   

 

i


Table of Contents

PART I—FINANCIAL INFORMATION

 

Item 1. Financial Statements.

RAPID7, INC.

Consolidated Balance Sheets (Unaudited)

(in thousands, except share and per share data)

 

     September 30, 2016     December 31, 2015  

Assets

    

Current assets:

    

Cash and cash equivalents

   $ 87,715      $ 86,553   

Accounts receivable, net of allowance for doubtful accounts of $958 and $730 at September 30, 2016 and December 31, 2015, respectively

     38,286        44,164   

Prepaid expenses and other current assets

     6,705        6,148   
  

 

 

   

 

 

 

Total current assets

     132,706        136,865   

Property and equipment, net

     8,009        7,532   

Goodwill

     75,110        74,565   

Intangible assets, net

     9,450        11,385   

Other assets

     760        214   
  

 

 

   

 

 

 

Total assets

   $ 226,035      $ 230,561   
  

 

 

   

 

 

 

Liabilities and Stockholders’ Equity

    

Current liabilities:

    

Accounts payable

   $ 2,675      $ 2,038   

Accrued expenses

     22,226        24,707   

Deferred revenue, current portion

     104,663        87,917   

Other current liabilities

     1,352        1,105   
  

 

 

   

 

 

 

Total current liabilities

     130,916        115,767   

Deferred revenue, non-current portion

     44,601        42,400   

Other long-term liabilities

     2,872        4,319   
  

 

 

   

 

 

 

Total liabilities

     178,389        162,486   

Stockholders’ equity:

    

Preferred stock, $0.01 par value per share; 10,000,000 shares authorized at September 30, 2016 and December 31, 2015; 0 shares issued at September 30, 2016 and December 31, 2015

     —          —     

Common stock, $0.01 par value per share; 100,000,000 shares authorized at September 30, 2016 and December 31, 2015; 42,929,120 and 41,942,026 shares issued at September 30, 2016 and December 31, 2015, respectively; 42,480,491 and 41,540,400 shares outstanding at September 30, 2016 and December 31, 2015, respectively

     425        415   

Additional paid-in-capital

     430,939        411,524   

Accumulated deficit

     (379,564     (340,338

Treasury stock, at cost, 448,629 and 401,626 shares at September 30, 2016 and December 31, 2015, respectively

     (4,154     (3,526
  

 

 

   

 

 

 

Total stockholders’ equity

     47,646        68,075   
  

 

 

   

 

 

 

Total liabilities and stockholders’ equity

   $ 226,035      $ 230,561   
  

 

 

   

 

 

 

The accompanying notes are an integral part of these unaudited consolidated financial statements.

 

1


Table of Contents

RAPID7, INC.

Consolidated Statements of Operations (Unaudited)

(in thousands, except share and per share data)

 

     Three Months Ended September 30,     Nine Months Ended September 30,  
     2016     2015     2016     2015  

Revenue:

        

Products

   $ 23,108      $ 16,240      $ 64,709      $ 44,524   

Maintenance and support

     9,694        7,002        27,037        19,054   

Professional services

     7,537        5,070        20,657        14,095   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total revenue

     40,339        28,312        112,403        77,673   

Cost of revenue:

        

Products

     3,415        1,504        8,700        4,389   

Maintenance and support

     1,801        1,505        5,240        4,127   

Professional services

     4,822        4,054        14,103        11,766   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total cost of revenue

     10,038        7,063        28,043        20,282   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total gross profit

     30,301        21,249        84,360        57,391   
  

 

 

   

 

 

   

 

 

   

 

 

 

Operating expenses:

        

Research and development

     11,616        9,945        36,890        24,490   

Sales and marketing

     21,284        16,265        65,732        43,952   

General and administrative

     7,605        5,537        20,842        14,638   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total operating expenses

     40,505        31,747        123,464        83,080   
  

 

 

   

 

 

   

 

 

   

 

 

 

Loss from operations

     (10,204     (10,498     (39,104     (25,689

Other income (expense), net:

        

Interest income (expense), net

     44        (1,067     55        (2,489

Other income (expense), net

     36        (49     184        (191
  

 

 

   

 

 

   

 

 

   

 

 

 

Loss before income taxes

     (10,124     (11,614     (38,865     (28,369

Provision for income taxes

     70        211        361        382   
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss

     (10,194     (11,825     (39,226     (28,751

Accretion of preferred stock to redemption value

     —          —          —          (35,061

Beneficial conversion charge relating to IPO participation payment

     —          (14,161     —          (14,161
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss attributable to common stockholders

   $ (10,194   $ (25,986   $ (39,226   $ (77,973
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss per share attributable to common stockholders, basic and diluted

   $ (0.25   $ (0.79   $ (0.96   $ (3.99
  

 

 

   

 

 

   

 

 

   

 

 

 

Weighted-average common shares outstanding, basic and diluted

     41,482,173        33,020,484        41,033,080        19,544,759   
  

 

 

   

 

 

   

 

 

   

 

 

 

The accompanying notes are an integral part of these unaudited consolidated financial statements.

 

2


Table of Contents

RAPID7, INC.

Consolidated Statements of Cash Flows (Unaudited)

(in thousands)

 

     Nine Months Ended September 30,  
     2016     2015  

Cash flows from operating activities:

    

Net loss

   $ (39,226   $ (28,751

Adjustments to reconcile net loss to net cash provided by (used in) operating activities:

    

Depreciation and amortization

     5,330        3,700   

Amortization of debt discount

     —          1,129   

Non-cash interest expense

     168        130   

Stock-based compensation expense

     13,337        2,833   

Provision for doubtful accounts

     504        576   

Impairment of long-lived assets

     —          483   

Foreign currency re-measurement (gain) loss

     (166     90   

Changes in assets and liabilities:

    

Accounts receivable

     5,134        (6,649

Prepaid expenses and other assets

     (1,076     (521

Accounts payable

     549        (1,601

Accrued expenses

     (1,607     1,591   

Deferred revenue

     18,948        25,068   

Other liabilities

     166        (58
  

 

 

   

 

 

 

Net cash provided by (used in) operating activities

     2,061        (1,980
  

 

 

   

 

 

 

Cash flows from investing activities:

    

Business acquisitions, net of cash acquired

     —          (3,344

Purchases of property and equipment

     (3,307     (2,839
  

 

 

   

 

 

 

Net cash used in investing activities

     (3,307     (6,183
  

 

 

   

 

 

 

Cash flows from financing activities:

    

Proceeds from initial public offering and concurrent private placement, net of offering costs of $2,456

     —          112,916   

Repayments of term loan and related termination fee

     —          (18,540

Payments of capital lease obligations

     (68     (187

Taxes paid related to net share settlement of equity awards

     (3,826     —     

Proceeds from employee stock purchase plan

     3,724        —     

Proceeds from stock option exercises

     2,518        1,275   
  

 

 

   

 

 

 

Net cash provided by financing activities

     2,348        95,464   
  

 

 

   

 

 

 

Effect of exchange rate changes on cash and cash equivalents

     60        (140
  

 

 

   

 

 

 

Net increase in cash and cash equivalents

     1,162        87,161   

Cash and cash equivalents, beginning of period

     86,553        36,823   
  

 

 

   

 

 

 

Cash and cash equivalents, end of period

   $ 87,715      $ 123,984   
  

 

 

   

 

 

 

Supplemental cash flow information:

    

Cash paid for income taxes

   $ 480      $ 291   

Cash paid for interest

   $ 1      $ 1,424   

Supplemental non-cash investing and financing information:

    

Common stock issued for acquisitions

   $ —        $ 99   

Initial public offering costs incurred but not yet paid

   $ —        $ 641   

The accompanying notes are an integral part of these unaudited consolidated financial statements.

 

3


Table of Contents

RAPID7, INC.

Notes to Consolidated Financial Statements (Unaudited)

Note 1. Description of Business, Basis of Presentation and Consolidation and Significant Accounting Policies

Description of Business

Rapid7, Inc. and its wholly-owned subsidiaries (“we,” “us” or “our”) is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security. Our solutions empower organizations to prevent cyber attacks by providing visibility into vulnerabilities and to rapidly detect compromises, respond to breaches and correct the underlying causes of cyber attacks.

Basis of Presentation and Consolidation

The accompanying unaudited consolidated financial statements have been prepared by us in accordance with accounting principles generally accepted in the United States of America (U.S. GAAP) as well as pursuant to the rules and regulations of the Securities and Exchange Commission (SEC) regarding interim financial reporting. Accordingly, certain information and note disclosures normally included in the financial statements prepared in accordance with GAAP have been condensed or omitted pursuant to such rules and regulations. These consolidated financial statements should be read in conjunction with the consolidated financial statements and related notes included in our Annual Report on Form 10-K for the year ended December 31, 2015 filed with the SEC on March 10, 2016.

The consolidated financial statements include our results of operations and those of our wholly-owned subsidiaries and reflect all adjustments (consisting solely of normal, recurring adjustments) which are, in the opinion of management, necessary for a fair statement of results for the interim periods presented. All intercompany transactions and balances have been eliminated in consolidation. The results of operations for the three and nine months ended September 30, 2016 are not necessarily indicative of the results to be expected for any future period or the entire fiscal year.

Significant Accounting Policies

There have been no significant changes to our significant accounting policies as of and for the three and nine months ended September 30, 2016, as compared to the significant accounting policies described in our Annual Report on Form 10-K for the year ended December 31, 2015, except with respect to changes in our policy on Cash and Cash Equivalents as noted below.

Cash and Cash Equivalents

We consider all highly liquid instruments with original maturities of three months or less at the date of purchase to be cash equivalents. Cash and cash equivalents are recorded at cost, which approximates fair value. As of September 30, 2016, $30.0 million of our cash equivalents were invested in money market funds.

Recent Accounting Pronouncements

In June 2016, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2016-13, Financial Instruments-Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. The ASU requires measurement and recognition of expected credit losses for financial assets including trade receivables and capital lease receivables held at the reporting date based on historical experience, current conditions, and reasonable and supportable forecasts. This is different from the current guidance which requires a credit loss to not be recognized until the loss is probable. The guidance is effective January 1, 2020, with early adoption permitted on January 1, 2019. We are currently evaluating the impact this update will have on our consolidated financial statements.

In March 2016, the FASB issued ASU 2016-09, Compensation-Stock Compensation (Topic 718): Improvements to Employee Share-Based Payment Accounting. The ASU is intended to simplify several aspects of the accounting for share-based payment transactions, including the accounting for income taxes, forfeitures and statutory tax withholding requirements, as well as classification on the statement of cash flows. The ASU will be effective for us in the first quarter of 2017, with early adoption permitted. We do not expect this ASU to have a material impact on our consolidated financial statements.

In February 2016, the FASB issued ASU 2016-02, Leases (Topic 842). The ASU requires companies to recognize on the balance sheet the assets and liabilities for the rights and obligations created by leased assets. The ASU will be effective for us in the first quarter of 2019, with early adoption permitted. We are currently evaluating the impact that the adoption of this ASU will have on our consolidated financial statements.

 

4


Table of Contents

In November 2015, the FASB issued ASU 2015-17, Income Taxes (Topic 740) – Balance Sheet Classification of Deferred Taxes. The ASU requires that deferred tax liabilities and assets be classified as noncurrent in a classified balance sheet simplifying current GAAP, which requires an entity to separate deferred tax liabilities and assets into current and noncurrent amounts in the balance sheet. The ASU will be effective for us in the first quarter of 2017, and may be applied prospectively or retrospectively at our election. We do not expect that the adoption of this ASU will have a material impact on our consolidated financial statements.

In September 2015, the FASB issued ASU 2015-16, Business Combinations (Topic 805) – Simplifying the Accounting for Measurement-Period Adjustments. The ASU requires that an acquirer recognize adjustments to provisional amounts that are identified during the measurement period in the reporting period in which the adjustment amounts are determined. The ASU requires that the acquirer record, in the same period’s financial statements, the effect on earnings of changes in depreciation, amortization, or other income effects, if any, as a result of the change to the provisional amounts, calculated as if the accounting had been completed at the acquisition date. The ASU requires an entity to present separately on the face of the income statement or disclose in the notes the portion of the amount recorded in current-period earnings by line item that would have been recorded in previous reporting periods if the adjustment to the provisional amounts had been recognized as of the acquisition date. This ASU was adopted on January 1, 2016 and did not have a material impact on our consolidated financial statements.

In April 2015, the FASB issued ASU 2015-05, Intangibles – Goodwill and Other – Internal Use Software (Subtopic 350-40): Customer’s Accounting for Fees Paid in a Cloud Computing Arrangement, which provides guidance on accounting for fees paid in a cloud computing arrangement. Under the ASU, if a cloud computing arrangement includes a software license which also grants the contractual rights and practical ability to take possession of the software, the software license element should be accounted for consistent with the purchase of other software licenses. If the cloud computing arrangement does not include a software license, as defined, it should be accounted for as a service contract. This ASU was adopted on January 1, 2016 and did not have a material impact on our consolidated financial statements.

In May 2014, the FASB issued ASU 2014-09, Revenue from Contracts with Customers (Topic 606). The ASU outlines a single, comprehensive model for accounting for revenue from contracts with customers and requires more detailed disclosure to enable users of financial statements to understand the nature, amount, timing and uncertainty of revenue and cash flows arising from such contracts. In August 2015, the FASB issued ASU 2015-14, which provides a one year deferral in the effective date of ASU 2014-09. ASU 2014-09 will now be effective for us beginning January 1, 2018; however, early adoption will be permitted as of the original effective date. The new standard may be applied retrospectively to each prior period presented or prospectively with the cumulative effect recognized on the date of adoption. We are currently evaluating the impact that the standard will have on our consolidated financial statements.

Note 2. Business Combinations

Prior Year Acquisitions

RevelOps, Inc.

On October 13, 2015, we acquired 100% of the outstanding equity of RevelOps, Inc. (d/b/a Logentries) for total consideration of $68.1 million. We made an initial payment of $36.2 million in cash, issued 1,252,627 shares of our common stock with an aggregate fair value of $27.4 million, inclusive of a discount from the quoted market price due to certain trading restrictions associated with the shares, and issued vested replacement options with respect to 221,759 shares of our common stock to certain continuing employees with an aggregate fair value of $4.5 million upon the closing of the acquisition. The fair value of the vested replacement options included in the purchase price was based on the fair value of the vested Logentries options on the acquisition date. The excess fair value when comparing the fair value of the new vested replacement options and the vested Logentries options of $0.3 million was expensed immediately in the post-combination financial statements of the combined entity.

Assets acquired and liabilities assumed were recorded at their estimated fair values as of the acquisition date. The excess of the purchase price over the assets acquired and liabilities assumed was recorded as goodwill. The fair values of goodwill, intangible assets and net assets were $59.2 million, $9.4 million and $(0.5) million, respectively.

Pro Forma Financial Information

The unaudited pro forma financial information in the table below summarizes the combined results of our operations and Logentries, on a pro forma basis, as though we had acquired Logentries on January 1, 2014. The unaudited pro forma financial information for all periods presented also includes the effects of business combination accounting resulting from the acquisition, including amortization expense from acquired intangibles assets, reversal of acquisition related expenses and the stock-compensation expense recorded to retain certain employees.

 

5


Table of Contents
     Three Months Ended      Nine Months Ended  
     September 30, 2015      September 30, 2015  
     (in thousands)  

Total revenue

   $ 29,114       $ 79,612   

Net loss

   $ (16,605    $ (39,962

NT OBJECTives, Inc.

On April 30, 2015, we acquired 100% of the outstanding equity of NT OBJECTives, Inc. (NTO), a web application security testing company, which has allowed us to expand the web application testing capabilities of our threat exposure management product offering. We acquired NTO for total consideration of $6.1 million. We made an initial payment of $3.4 million in cash and issued 9,091 shares of our common stock with an aggregate fair value of $0.1 million. We are obligated to pay $0.1 million in cash for the settlement of a working capital adjustment and are obligated to make two additional payments of $1.5 million each, less the amount of any indemnity claims. The net present value of these two additional payments, or $2.5 million, was included in the total purchase consideration paid.

Assets acquired and liabilities assumed were recorded at their estimated fair values as of the acquisition date. The excess of the purchase price over the assets acquired and liabilities assumed was recorded as goodwill. The fair values of goodwill, intangible assets and net assets were $4.6 million, $2.1 million and $(0.6) million, respectively.

Pro forma results of operations have not been included in this Quarterly Report, as the acquisition of NTO was not material to our results of operations for any periods presented.

In May 2015, we entered into loan agreements with certain retained employees of NTO. The terms of these agreements require the employees to pay us the total amount borrowed, with accrued interest at 1.7% per annum, within 18 months of the agreement date. The loan agreements are secured by restricted stock awards granted to the employees. The aggregate amount of these loans was $0.5 million and is currently classified as prepaid expenses and other current assets on our consolidated balance sheets.

Note 3. Fair Value Measurements

We measure certain financial assets at fair value. Fair value is determined based upon the exit price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants, as determined by either the principal market or the most advantageous market. Inputs used in the valuation techniques to derive fair values are classified based on a three-level hierarchy, as follows:

Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets.

Level 2: Observable inputs other than Level 1 prices such as quoted prices for similar assets or liabilities; quoted prices in markets with insufficient volume or infrequent transactions (less active markets); or model-derived valuations in which all significant inputs are observable or can be derived principally from or corroborated by observable market data for substantially the full term of the assets or liabilities.

Level 3: Unobservable inputs that are supported by little or no market activity and that are significant to the fair value of the asset or liability.

The following table presents our assets that are measured at fair value on a recurring basis using the above input categories:

 

     As of September 30, 2016  
     Level 1      Level 2      Level 3      Total  
     (in thousands)  

Assets:

           

Cash equivalents

           

Money market funds

   $ 30,004       $ —         $ —         $ 30,004   
  

 

 

    

 

 

    

 

 

    

 

 

 

Total assets measured at fair value

   $ 30,004       $ —         $ —         $ 30,004   
  

 

 

    

 

 

    

 

 

    

 

 

 

 

6


Table of Contents

Note 4. Goodwill and Intangible Assets

The change in the carrying amount of goodwill for the nine months ended September 30, 2016 was as follows:

 

     Amount  
     (in thousands)  

Balance as of December 31, 2015

   $ 74,565   

Logentries acquisition accounting adjustments

     545   
  

 

 

 

Balance as of September 30, 2016

   $ 75,110   
  

 

 

 

Identifiable intangible assets consist of the following:

 

            As of September 30, 2016      As of December 31, 2015  
     Weighted-
Average
Life (years)
     Gross Carrying
Amount
     Accumulated
Amortization
    Net Book Value      Gross Carrying
Amount
     Accumulated
Amortization
    Net Book Value  
            (in thousands)  

Intangible assets subject to amortization:

                  

Developed technology

     6.3       $ 11,231       $ (2,672   $ 8,559       $ 12,851       $ (2,955   $ 9,896   

Trade names

     6.1         519         (481     38         719         (389     330   

Customer relationships

     6.7         1,000         (159     841         1,000         (43     957   

Non-compete agreements

     2.0         40         (28     12         540         (338     202   
     

 

 

    

 

 

   

 

 

    

 

 

    

 

 

   

 

 

 

Total intangible assets

      $ 12,790       $ (3,340   $ 9,450       $ 15,110       $ (3,725   $ 11,385   
     

 

 

    

 

 

   

 

 

    

 

 

    

 

 

   

 

 

 

Amortization expense was $0.8 million and $0.3 million for the three months ended September 30, 2016 and 2015, respectively, and $1.9 million and $0.8 million for the nine months ended September 30, 2016 and 2015, respectively.

During the third quarter of 2016, we discontinued our Mobilisafe product offering and accelerated the amortization of the remaining $0.2 million net book value. In addition, we wrote-off the $2.3 million gross carrying amount and related accumulative amortization.

Estimated future amortization expense of the acquired identifiable intangible assets as of September 30, 2016 is as follows (in thousands):

 

2016 (for the remaining three months)

   $ 504   

2017

     1,930   

2018

     1,886   

2019

     1,859   

2020

     1,837   

2021 and thereafter

     1,434   
  

 

 

 

Total

   $ 9,450   
  

 

 

 

Note 5. Property and Equipment

Property and equipment are recorded at cost and consist of the following:

 

     As of      As of  
     September 30, 2016      December 31, 2015  
     (in thousands)  

Computer equipment and software

   $ 12,126       $ 9,858   

Furniture and fixtures

     2,741         2,409   

Leasehold improvements

     8,192         6,943   
  

 

 

    

 

 

 

Total

     23,059         19,210   

Less accumulated depreciation

     (15,050      (11,678
  

 

 

    

 

 

 

Property and equipment, net

   $ 8,009       $ 7,532   
  

 

 

    

 

 

 

Depreciation expense was $1.2 million and $1.1 million for the three months ended September 30, 2016 and 2015, respectively, and $3.4 million and $2.9 million for the nine months ended September 30, 2016 and 2015, respectively.

 

7


Table of Contents

Note 6. Stock-Based Compensation Expense

 

  (a) General

Stock-based compensation expense for restricted stock, restricted stock units, stock options and issuances of common stock pursuant to our employee stock purchase plan was classified in the accompanying consolidated statements of operations as follows:

 

     Three Months Ended
September 30,
     Nine Months Ended
September 30,
 
     2016      2015      2016      2015  
     (in thousands)  

Stock-based compensation expense:

           

Cost of revenue

   $ 166       $ 102       $ 445       $ 203   

Research and development

     1,600         507         4,617         917   

Sales and marketing

     1,328         418         5,453         728   

General and administrative

     1,083         400         2,822         985   
  

 

 

    

 

 

    

 

 

    

 

 

 

Total stock-based compensation expense

   $ 4,177       $ 1,427       $ 13,337       $ 2,833   
  

 

 

    

 

 

    

 

 

    

 

 

 

We recognize compensation cost of all awards on a straight-line basis over the applicable vesting period, which is generally four years.

 

  (b) Restricted Stock and Restricted Stock Units

Restricted stock and restricted stock unit activity during the nine months ended September 30, 2016 was as follows:

 

     Restricted Stock      Weighted
Average
Grant Date
Fair Value
 

Unvested balance as of December 31, 2015

     1,149,257       $ 19.34   

Granted

     800,791         13.12   

Vested

     (494,554      19.86   

Forfeited

     (101,880      14.27   
  

 

 

    

Unvested balance as of September 30, 2016

     1,353,614       $ 15.85   
  

 

 

    

As of September 30, 2016, the unrecognized compensation expense related to our unvested restricted stock and restricted stock units expected to vest was $15.4 million. This unrecognized compensation expense will be recognized over an estimated weighted-average amortization period of 2.6 years.

During the nine months ended September 30, 2016, we repurchased 47,003 shares of our common stock in settlement of employee tax withholding obligations due upon the vesting of restricted stock.

 

  (c) Stock Options

Stock option activity during the nine months ended September 30, 2016 was as follows:

 

     Shares     Weighted
Average
Exercise
Price
     Weighted
Average
Remaining
Contractual Life
(in years)
     Aggregate
Intrinsic
Value

(in thousands)
 

Outstanding as of December 31, 2015

     4,246,525      $ 5.99         

Granted

     1,279,034        13.12         

Exercised

     (576,154     4.29          $ 5,791   

Forfeited/cancelled

     (429,343     10.69         
  

 

 

         

Outstanding as of September 30, 2016

     4,520,062        7.89         7.4       $ 44,403   
  

 

 

         

Vested and exercisable as of September 30, 2016

     2,725,099        5.35         6.5       $ 33,624   

Vested and expected to vest as of September 30, 2016

     4,174,837        7.51         7.3       $ 42,556   

 

8


Table of Contents

As of September 30, 2016, the unrecognized compensation expense related to our unvested stock options expected to vest was $7.2 million. This unrecognized compensation expense will be recognized over an estimated weighted-average amortization period of 2.7 years.

The total fair value of stock options vested in the nine months ended September 30, 2016 was $2.6 million. The weighted-average grant date fair value of stock options granted in the nine months ended September 30, 2016 was $6.44 per share.

 

  (d) Employee Stock Purchase Plan

Under the Rapid7, Inc. 2015 Employee Stock Purchase Plan (ESPP), employees may set aside up to 15% of their gross earnings, on an after-tax basis, to purchase our common shares at a discounted price, which is calculated at 85% of the lesser of: (i) the market value of our common stock at the beginning of each offering period and (ii) the market value of our common stock on the applicable purchase date.

On March 15, 2016, we issued 192,676 shares of common stock to employees for aggregate proceeds of $2.1 million. The purchase price of the shares of common stock was $10.88 per share, which was discounted in accordance with the terms of the ESPP from the closing price of our common stock on March 15, 2016 of $12.80.

On September 15, 2016, we issued 153,602 shares of common stock to employees for aggregate proceeds of $1.6 million. The purchase price of the shares of common stock was $10.60 per share, which was discounted in accordance with the terms of the ESPP from the closing price of our common stock on March 16, 2016 of $12.47.

 

  (e) Employee Transition and Release Agreement

On August 5, 2016, we entered into a transition and release agreement with Steven Gatoff, our Chief Financial Officer. Under the agreement, we made certain modifications to his outstanding stock options and restricted stock units which will generate incremental stock-based compensation expense of $0.3 million. Of the $0.3 million incremental stock-based compensation expense, $0.1 million was recorded within general and administrative expense in the three months ended September 30, 2016.

Note 7. Net Loss per Share

The following table summarizes the computation of basic and diluted net loss per share of our common stock for the three and nine months ended September 30, 2016 and 2015:

 

     Three Months Ended
September 30,
    Nine Months Ended
September 30,
 
     2016     2015     2016     2015  
     (in thousands, except share and per share data)  

Numerator:

        

Net loss

   $ (10,194   $ (11,825   $ (39,226   $ (28,751

Accretion of preferred stock to redemption value

     —          —          —          (35,061

Beneficial conversion charge relating to IPO participation payment

     —          (14,161     —          (14,161
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss attributable to common stockholders, basic and diluted

   $ (10,194   $ (25,986   $ (39,226   $ (77,973
  

 

 

   

 

 

   

 

 

   

 

 

 

Denominator:

        

Weighted-average common shares outstanding, basic and diluted

     41,482,173        33,020,484        41,033,080        19,544,759   
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss per share attributable to common stockholders, basic and diluted

   $ (0.25   $ (0.79   $ (0.96   $ (3.99
  

 

 

   

 

 

   

 

 

   

 

 

 

The following potentially dilutive securities outstanding, prior to the use of the treasury stock method or if-converted method, have been excluded from the computation of diluted weighted-average shares outstanding for the respective periods below because they would have been anti-dilutive:

 

     Three and Nine Months Ended
September 30,
 
     2016      2015  

Options to purchase common stock

     4,520,062         4,060,480   

Unvested restricted stock

     696,187         372,775   

Unvested restricted stock units

     657,427         —     

Warrants to purchase common stock

     —           200,000   

Shares to be issued under ESPP

     15,087         —     
  

 

 

    

 

 

 

Total

     5,888,763         4,633,255   
  

 

 

    

 

 

 

 

9


Table of Contents

Note 8. Commitments and Contingencies

 

  (a) Warranty

We provide limited product warranties. Historically, any payments made under these provisions have been immaterial.

 

  (b) Litigation and Claims

From time to time, we are and may be a party to litigation and subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.

During the third quarter of 2016, we entered into a settlement and licensing agreement, which requires us to make a total cash payment of $0.4 million to a third party. The settlement has been recorded as general and administrative expense in the three months ended September 30, 2016.

 

  (c) Indemnification Obligations

We agree to standard indemnification provisions in the ordinary course of business. Pursuant to these provisions, we agree to indemnify, hold harmless and reimburse the indemnified party for losses suffered or incurred by the indemnified party, generally our customers, in connection with any United States patent, copyright or other intellectual property infringement claim by any third party arising from the use of our products or services in accordance with the agreement or arising from our gross negligence, willful misconduct or violation of the law (provided that there is not gross or willful misconduct on the part of the other party) with respect to our products or services. The term of these indemnification provisions is generally perpetual from the time of execution of the agreement. We carry insurance that covers certain third-party claims relating to our services and limits our exposure. We have never incurred costs to defend lawsuits or settle claims related to these indemnification provisions.

 

  (d) Contingent Grant from Northern Ireland

In the three months ended September 30, 2016, we received a $0.6 million grant from Invest Northern Ireland for creating and maintaining a certain number of jobs in Northern Ireland, which we agreed to maintain over a certain period of time. The grant proceeds were recorded as a reduction to operating expense, as we determined there is reasonable assurance that we will meet the compliance criteria related to the grant. If we fail to meet the compliance criteria, then a pro rata portion of the grant proceeds would be required to be returned.

Note 9. Segment Information and Information about Geographic Areas

We operate in one segment. Our chief operating decision maker is our Chief Executive Officer, who makes operating decisions, assesses performance and allocates resources on a consolidated basis.

Net revenues by geographic area presented based upon the location of the customer were as follows:

 

     Three Months Ended
September 30,
     Nine Months Ended
September 30,
 
     2016      2015      2016      2015  
     (in thousands)  

North America

   $ 34,538       $ 24,878       $ 96,957       $ 67,839   

Other

     5,801         3,434         15,446         9,834   
  

 

 

    

 

 

    

 

 

    

 

 

 

Total

   $ 40,339       $ 28,312       $ 112,403       $ 77,673   
  

 

 

    

 

 

    

 

 

    

 

 

 

Of the total net revenues generated in North America, 94% and 96% of the revenues were generated in the United States for the three and nine months ended September 30, 2016, respectively, and 96% of the revenues were generated in the United States for the three and nine months ended September 30, 2015.

 

10


Table of Contents

Property and equipment, net by geographic area was as follows:

 

     As of      As of  
     September 30, 2016      December 31, 2015  
     (in thousands)  

United States

   $ 6,946       $ 6,633   

Other

     1,063         899   
  

 

 

    

 

 

 

Total

   $ 8,009       $ 7,532   
  

 

 

    

 

 

 

 

11


Table of Contents
Item 2. Management’s Discussion and Analysis of Financial Condition and Results of Operations.

The following discussion and analysis of our financial condition and results of operations should be read in conjunction with (1) our consolidated financial statements and related notes appearing elsewhere in this Quarterly Report on Form 10-Q and (2) the audited consolidated financial statements and the related notes and management’s discussion and analysis of financial condition and results of operations for the fiscal year ended December 31, 2015 included in our Annual Report on Form 10-K, as filed with the SEC on March 10, 2016.

This Quarterly Report on Form 10-Q contains “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended, or the Exchange Act. These statements are often identified by the use of words such as “anticipate,” “believe,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “will,” “would” or the negative or plural of these words or similar expressions or variations. Such forward-looking statements are subject to a number of risks, uncertainties, assumptions and other factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified herein, and those discussed in the section titled “Risk Factors,” set forth in Part II, Item 1A of this Quarterly Report on Form 10-Q and in our other SEC filings. You should not rely upon forward-looking statements as predictions of future events. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements.

Overview

Rapid7 is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security. Our security data and analytics platform was purpose built for today’s increasingly complex and chaotic IT environment. We combine our extensive experience in security data and analytics and deep insight into attacker behaviors and techniques to make sense of the wealth of data available to organizations about their IT environments and users. There has been an explosion of increasingly sophisticated cyber attacks as the proliferation of mobile devices, cloud-based applications and solutions relying on user credentials has eliminated the boundaries that previously defined an organization’s network perimeter and expanded the threat surface that organizations must now defend. Our powerful and proprietary analytics enable organizations to contextualize and prioritize the threats facing their physical, virtual and cloud assets, including those posed by the behaviors of their users. Leveraging our security data and analytics platform, our solutions enable organizations to strategically and dynamically manage their cyber security exposure. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities and to rapidly detect compromises, respond to breaches and correct the underlying causes of attacks. This balanced and analytics-focused approach ultimately better secures organizations’ environments and reduces the likelihood of, and risks associated with, cyber attacks. We believe our technology and solutions revolutionize the practice of cyber security and are central and critical to implementing a modern security program.

We primarily market and sell our products and professional services to global organizations of all sizes, including mid-market businesses, enterprises, non-profits, educational institutions and government agencies. Our customers span a wide variety of industries such as technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services. As of September 30, 2016, we had over 5,800 customers in more than 110 countries, including 37% of the Fortune 1000. Our revenue was not concentrated with any individual customer or group of customers, and no customer represented more than 2% of our revenue for the three or nine months ended September 30, 2016. For the three and nine months ended September 30, 2015, no customer represented more than 1% of our revenue.

We sell our products and services through direct inside and field sales teams and indirect channel partner relationships. Our sales teams are organized by geography as well as by target organization size. Our global channel partner network complements our sales organization, working closely with our sales teams to extend our geographic reach and to close sales of our offerings as part of larger purchases, particularly in key markets such as Europe, the Middle East and Africa, Asia Pacific and Latin America.

Our Business Model

We have three offerings: (1) threat exposure management, which includes our Nexpose, Metasploit and AppSpider products, (2) incident detection and response, which includes our InsightUBA (formerly known as UserInsight), InsightIDR, Analytic Response and Logentries products as well as our incident response services and (3) security advisory services.

We offer our products through a variety of delivery models to meet the needs of our diverse customer base, including:

 

   

Licensed software, including both term and perpetual licenses, and the simultaneous sale of maintenance and support. Our Nexpose, Metasploit and AppSpider products are offered through perpetual or term software licenses, with a substantial majority of our customers selecting a perpetual license. Substantially all of our customers who purchase software licenses

 

12


Table of Contents
 

also purchase (1) an agreement for maintenance and support, which provides our customers with telephone and web-based support and ongoing bug fixes and repairs during the term of the maintenance and support agreement and (2) content subscriptions, which provide our customers with real-time access to the latest vulnerabilities and exploits. Our maintenance and support and content subscription agreements are typically for one to three-year terms.

 

    Cloud-based subscriptions, where our software capabilities are provided to our customers through cloud access and on a Software as a Service, or SaaS, basis. Our InsightUBA, InsightIDR, AppSpider and Logentries products are offered on a cloud-based subscription basis, generally with one to three-year terms.

 

    Managed services, where we operate our software and provide our capabilities on behalf of our customers. Our Nexpose, AppSpider and Analytic Response products are offered on a managed service basis, generally pursuant to one to three-year agreements.

We also offer various professional services across all of our offerings, including deployment and training services related to our Nexpose, Metasploit, AppSpider, InsightUBA and InsightIDR software products, incident response services and security advisory services. Customers can purchase our professional services together with our product offerings or on a stand-alone basis pursuant to fixed fee or time-and-materials agreements.

An important component of our revenue growth strategy is to have our existing customers renew their agreements with us and purchase additional products from us. To assess our performance against this objective, we monitor the renewal rates of our existing customers. We calculate our renewal rate by dividing the dollar value of renewed customer agreements, including upsells and cross-sells of additional products, but excluding professional services, on a monthly basis in a trailing 12-month period by the dollar value of the corresponding expiring customer agreements, and then determining the average for the three months in the quarter. We also calculate an expiring renewal rate that does not take into account any upsells or cross-sells. As a result of this methodology, we would not expect our expiring renewal rate to exceed 100%. Our renewal rate was 121% and 122% for the third quarter of 2016 and 2015, respectively, and our expiring revenue renewal rate was 89% and 88% for the third quarter of 2016 and 2015, respectively. Our goal is to maintain what we believe are strong renewal rates, and work to increase them over time. However, our renewal rates may decline or fluctuate as a result of a number of factors, including customers’ satisfaction or dissatisfaction with our products and professional services, pricing, economic conditions or overall reductions in our customers’ spending levels.

We generate revenue from selling products, maintenance and support, and professional services. For the three months ended September 30, 2016 and 2015, 81% and 82% of our revenue, respectively, was derived from sales of products and associated maintenance and support, while the remaining 19% and 18%, respectively, was derived from the sale of professional services. For the nine months ended September 30, 2016 and 2015, 82% of our revenue was derived from sales of products and associated maintenance and support, while the remaining 18% was derived from the sale of professional services.

For the three and nine months ended September 30, 2016 and 2015, recurring revenue, defined as sales of content subscriptions, managed services, cloud-based subscriptions and maintenance and support, remained consistent at 62% of total revenue. We generally bill customers and collect payment for both our products and services up front.

For the three months ended September 30, 2016 and 2015, 87% and 84%, respectively, of our total revenue came from deferred revenue on the balance sheet at the beginning of the respective periods. For the nine months ended September 30, 2016 and 2015, 65% and 64%, respectively, of our total revenue came from deferred revenue on the balance sheet at the beginning of the respective periods.

Key Metrics

We monitor the following key metrics to help us measure and evaluate the effectiveness of our operations:

 

     Three Months Ended
September 30,
    Nine Months Ended
September 30,
 
     2016     2015     2016     2015  
     (dollars in thousands)  

Total revenue

   $ 40,339      $ 28,312      $ 112,403      $ 77,673   

Year-over-year growth

     42.5     39.3     44.7     41.4

Operating cash flow

   $ 1,790      $ 2,273      $ 2,061      $ (1,980

 

     As of September 30,  
     2016      2015  

Deferred revenue

   $ 149,264       $ 110,152   

Number of customers

     5,873         4,423   

 

13


Table of Contents

Total Revenue and Growth. We are focused on driving continued revenue growth through increased sales of our products and professional services to new and existing customers.

Operating Cash Flow. We monitor our operating cash flow as a measure of our overall business performance, which enables us to analyze our financial performance without the effects of certain non-cash items such as stock-based compensation expenses and depreciation and amortization. Additionally, operating cash flow takes into account the increase in deferred revenue as a result of increases in sales of products and services, which reflects the receipt of cash payment for products before they are recognized into revenue. Our operating cash flow is significantly impacted by changes in deferred revenue, timing of commission and bonus payments and collections of accounts receivable.

Deferred Revenue. We believe that deferred revenue is an important metric as it provides visibility into the revenue to be recognized in future periods. Our deferred revenue consists of amounts that have been invoiced to customers but that have not yet been recognized as revenue. Our deferred revenue balance primarily consists of the portion of products, maintenance and support and professional services revenue that will be recognized ratably over the applicable maintenance and support contract period. Revenue from professional services that are sold on a stand-alone basis is recognized as those services are rendered.

Number of Customers. We believe that the size of our customer base is an indicator of our global market penetration and that our net customer additions are an indicator of the growth of our business. We define a customer as any entity that has (1) an active Rapid7 contract or a contract that expired within 90 days or less of the applicable measurement date, (2) purchased Rapid7 professional services within the 12 months preceding the applicable measurement date or (3) an active subscription to our Logentries product with a contract value equal to or greater than $2,400 per year.

Non-GAAP Financial Results

To supplement our consolidated financial statements, which are prepared and presented in accordance with generally accepted accounting principles in the United States, or GAAP, we provide investors with certain non-GAAP financial measures, including non-GAAP gross profit, non-GAAP operating loss, non-GAAP net loss, and non-GAAP net loss per share, which we collectively refer to as non-GAAP financial measures. These non-GAAP financial measures exclude all or a combination of the following (as reflected in the following reconciliation tables): stock-based compensation expense, amortization of acquired intangible assets, acquisition related expenses and impairment of long-lived assets. The presentation of the non-GAAP financial measures is not intended to be considered in isolation or as a substitute for, or superior to, the financial information prepared and presented in accordance with GAAP. We use these non-GAAP financial measures for financial and operational decision-making purposes and as a means to evaluate period-to-period comparisons, and use certain non-GAAP financial measures as performance measures under our executive bonus plan. We believe that these non-GAAP financial measures provide useful information about our operating results, enhance the overall understanding of past financial performance and future prospects and allow for greater transparency with respect to metrics used by our management in its financial and operational decision-making. While our non-GAAP financial measures are an important tool for financial and operational decision-making and for evaluating our own operating results over different periods of time, you should consider our non-GAAP financial measures alongside our GAAP financial results.

We exclude stock-based compensation expense because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact our non-cash expense. We believe that providing non-GAAP financial measures that exclude stock-based compensation expense allow for more meaningful comparisons between our operating results from period to period. We believe that excluding the impact of amortization of intangible assets allows for more meaningful comparisons between operating results from period to period as the intangibles are valued at the time of acquisition and are amortized over several years after the acquisition. We also exclude the impact of costs directly related to acquisitions and asset impairments as these costs are unrelated to the current operations and neither comparable to the prior period nor predictive of future results, which we believe allows for a more meaningful comparison between the operating results from period to period. Accordingly, we believe that excluding these expenses provides investors and management with greater visibility into the underlying performance of our business operations, facilitates comparison of our results with other periods and may also facilitate comparison with the results of other companies in our industry.

There are limitations in using non-GAAP financial measures because the non-GAAP financial measures are not prepared in accordance with GAAP, may be different from non-GAAP financial measures used by other companies and exclude expenses that may have a material impact upon our reported financial results. Further, stock-based compensation expense has been and will continue to be for the foreseeable future a significant recurring expense in our business and an important part of the compensation provided to our employees.

 

14


Table of Contents

The following tables reconcile GAAP gross profit to non-GAAP gross profit for the three and nine months ended September 30, 2016 and 2015:

 

     Three Months Ended September 30,      Nine Months Ended September 30,  
     2016      2015      2016      2015  
     (in thousands)  

GAAP total gross profit

   $ 30,301       $ 21,249       $ 84,360       $ 57,391   

Stock-based compensation expense

     166         102         445         203   

Amortization of intangible assets

     447         285         1,338         764   
  

 

 

    

 

 

    

 

 

    

 

 

 

Non-GAAP total gross profit

   $ 30,914       $ 21,636       $ 86,143       $ 58,358   
  

 

 

    

 

 

    

 

 

    

 

 

 
     Three Months Ended September 30,      Nine Months Ended September 30,  
     2016      2015      2016      2015  
     (in thousands)  

GAAP gross profit – products and maintenance and support

   $ 27,586       $ 20,233       $ 77,806       $ 55,062   

Stock-based compensation expense

     52         23         196         34   

Amortization of intangible assets

     447         285         1,338         764   
  

 

 

    

 

 

    

 

 

    

 

 

 

Non-GAAP gross profit – products and maintenance and support

   $ 28,085       $ 20,541       $ 79,340       $ 55,860   
  

 

 

    

 

 

    

 

 

    

 

 

 
     Three Months Ended September 30,      Nine Months Ended September 30,  
     2016      2015      2016      2015  
     (in thousands)  

GAAP gross profit – professional services

   $ 2,715       $ 1,016       $ 6,554       $ 2,329   

Stock-based compensation expense

     114         79         249         169   
  

 

 

    

 

 

    

 

 

    

 

 

 

Non-GAAP gross profit – professional services

   $ 2,829       $ 1,095       $ 6,803       $ 2,498   
  

 

 

    

 

 

    

 

 

    

 

 

 

The following table reconciles GAAP loss from operations to non-GAAP loss from operations for the three and nine months ended September 30, 2016 and 2015:

 

     Three Months Ended September 30,     Nine Months Ended September 30,  
     2016     2015     2016     2015  
     (in thousands)  

GAAP loss from operations

   $ (10,204   $ (10,498   $ (39,104   $ (25,689

Stock-based compensation expense

     4,177        1,427        13,337        2,833   

Amortization of intangible assets

     769        285        1,935        764   

Acquisition related expenses

     —          551        —          967   

Impairment of long-lived assets

     —          483        —          483   
  

 

 

   

 

 

   

 

 

   

 

 

 

Non-GAAP loss from operations

   $ (5,258   $ (7,752   $ (23,832   $ (20,642
  

 

 

   

 

 

   

 

 

   

 

 

 

 

15


Table of Contents

The following table reconciles GAAP net loss attributable to common shareholders to non-GAAP net loss for the three and nine months ended September 30, 2016 and 2015:

 

     Three Months Ended September 30,     Nine Months Ended September 30,  
     2016     2015     2016     2015  
     (in thousands, except share and per share data)  

GAAP net loss attributable to common stockholders

   $ (10,194   $ (25,986   $ (39,226   $ (77,973

Accretion of preferred stock to redemption value

     —          —          —          35,061   

Beneficial conversion charge relating to IPO participation payment

     —          14,161        —          14,161   
  

 

 

   

 

 

   

 

 

   

 

 

 

GAAP net loss

     (10,194     (11,825     (39,226     (28,751

Stock-based compensation expense

     4,177        1,427        13,337        2,833   

Amortization of intangible assets

     769        285        1,935        764   

Acquisition related expenses

     —          551        —          967   

Impairment of long-lived assets

     —          483        —          483   
  

 

 

   

 

 

   

 

 

   

 

 

 

Non-GAAP net loss

   $ (5,248   $ (9,079   $ (23,954   $ (23,704
  

 

 

   

 

 

   

 

 

   

 

 

 

Non-GAAP net loss per share, basic and diluted

   $ (0.13   $ (0.27   $ (0.58   $ (1.21
  

 

 

   

 

 

   

 

 

   

 

 

 

Weighted-average common shares outstanding, basic and diluted

     41,482,173        33,020,484        41,033,080        19,544,759   
  

 

 

   

 

 

   

 

 

   

 

 

 

Components of Results of Operations

Revenue

We generate revenue primarily from selling products, maintenance and support and professional services through a variety of delivery models to meet the needs of our diverse customer base. We generally bill customers and collect payment for both our products and services up front.

Products

We generate products revenue from the sale of (1) perpetual or term software licenses and associated content subscriptions for our Nexpose, Metasploit and AppSpider products, (2) managed services for our Nexpose, AppSpider and Analytic Response products and (3) cloud-based subscriptions for our InsightUBA, InsightIDR, AppSpider and Logentries products. We also generate an immaterial amount of appliance revenue that is included in our products revenue and is associated with hardware sold as part of our Nexpose product to certain customers. Revenue for software licenses and any other products and services that are sold along with the software license is deferred on our balance sheet and recognized as revenue on our consolidated statements of operations ratably over the contractual period of the maintenance and support, which is typically one to three years.

Maintenance and Support

We generate maintenance and support revenue when customers purchase or renew agreements for maintenance and support of their Nexpose, Metasploit and AppSpider deployments. Substantially all of our customers purchase an agreement for maintenance and support in connection with their purchase of a Nexpose, Metasploit or AppSpider software license. Revenue from maintenance and support is typically recognized ratably over the term of the applicable agreement.

Professional Services

We generate professional service revenue from the sale of deployment and training services related to our products, incident response services and security advisory services. Revenue from professional services sold together with our other product offerings is recognized ratably over the term of the applicable agreement. Revenue from professional services sold on a stand-alone basis is recognized as those services are rendered.

Cost of Revenue

Our total cost of revenue consists of the costs of products, maintenance and support and professional services revenue.

Cost of Products

Cost of products consists of personnel and related costs for our content and cloud operations team, including salaries and other payroll related costs, bonuses, stock-based compensation and allocated overhead costs, which consist of IT, information security, recruiting, facilities and depreciation and are allocated based on relative headcount. Also included in cost of products are software license fees, hardware, cloud computing costs and internet connectivity expenses directly related to delivering our products, as well as amortization of intangible assets.

Cost of Maintenance and Support

Cost of maintenance and support consists of personnel and related costs for our support team, including salaries and other payroll related costs, bonuses, stock-based compensation and allocated overhead.

 

16


Table of Contents

Cost of Professional Services

Cost of professional services consists of personnel and related costs for our professional services team, including salaries and other payroll related costs, bonuses, stock-based compensation, costs of contracted third-party vendors, travel and entertainment expenses and allocated overhead.

We expect our cost of revenue to increase on an absolute dollar basis in the near term as we continue to grow our revenue.

Gross Margin

Gross margin, or gross profit as a percentage of revenue, has been and will continue to be affected by a variety of factors, including the average sales price of our products and services, transaction volume growth and the mix of revenue among products and services. We expect our gross margins to fluctuate over time depending on the factors described above.

Operating Expenses

Operating expenses consist of research and development, sales and marketing, and general and administrative expenses. Operating expenses include allocated overhead costs for depreciation, facilities, IT, information security and recruiting. Our allocated costs for IT include costs for compensation of IT personnel and costs associated with our IT infrastructure. All such costs are allocated based on relative headcount.

Research and Development Expense

Research and development expense consists of personnel costs for our research and development team, including salaries, bonuses, stock-based compensation and other related costs. Additional expenses include subcontracting, consulting and professional fees for third-party development resources as well as allocated overhead.

We expect research and development expense to increase on an absolute dollar basis in the near term as we continue to increase investments in our products and technology platform innovation, but to decrease as a percentage of total revenue.

Sales and Marketing Expense

Sales and marketing expense consists of personnel costs for our sales and marketing team, including salaries, commissions, bonuses, stock-based compensation and other related costs. Additional expenses include marketing activities and promotional events, travel and entertainment, training costs, amortization of certain intangible assets and allocated overhead.

We expect sales and marketing expense to increase on an absolute dollar basis in the near term as we continue to increase investments to drive our revenue growth, but to decrease as a percentage of total revenue.

General and Administrative Expense

General and administrative expense consists of personnel costs for our administrative, legal, human resources, and finance and accounting teams, including salaries, bonuses, stock-based compensation and other related costs. Additional expenses include travel and entertainment, subcontracting, professional fees, insurance, acquisition related expenses, amortization of certain intangible assets and allocated overhead.

We expect general and administrative expense to increase on an absolute dollar basis in the near term as we continue to increase investments to support our growth and operations as a public company, but to decrease as a percentage of total revenue.

Interest Income (Expense), Net

Interest income (expense), net consists primarily of interest income on our cash and cash equivalents, and in prior years, consisted primarily of interest incurred on our term loan obligation and related discount amortization.

Other Income (Expense), Net

Other income (expense), net consists primarily of unrealized and realized gains and losses related to changes in foreign currency exchange rates.

 

17


Table of Contents

Provision for Income Taxes

Provision for income taxes relates primarily to U.S. federal and state, as well as certain foreign jurisdiction, income taxes. We have generated net losses in all periods to date and recorded a full valuation allowance against our U.S. and Ireland deferred tax assets. We expect to maintain a full valuation allowance on our U.S. and Ireland deferred tax assets in the near term. Realization of our U.S. and Ireland deferred tax assets depends upon future earnings, the timing and amount of which are uncertain.

 

18


Table of Contents

Results of Operations

The following table sets forth our selected consolidated statements of operations data:

 

     Three Months Ended September 30,     Nine Months Ended September 30,  
     2016     2015     2016     2015  
     (in thousands)  

Consolidated Statement of Operations Data:

        

Revenue:

        

Products

   $ 23,108      $ 16,240      $ 64,709      $ 44,524   

Maintenance and support

     9,694        7,002        27,037        19,054   

Professional services

     7,537        5,070        20,657        14,095   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total revenue

     40,339        28,312        112,403        77,673   

Cost of revenue:(1)

        

Products

     3,415        1,504        8,700        4,389   

Maintenance and support

     1,801        1,505        5,240        4,127   

Professional services

     4,822        4,054        14,103        11,766   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total cost of revenue

     10,038        7,063        28,043        20,282   

Operating expenses:(1)

        

Research and development

     11,616        9,945        36,890        24,490   

Sales and marketing

     21,284        16,265        65,732        43,952   

General and administrative

     7,605        5,537        20,842        14,638   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total operating expenses

     40,505        31,747        123,464        83,080   
  

 

 

   

 

 

   

 

 

   

 

 

 

Loss from operations

     (10,204     (10,498     (39,104     (25,689

Interest income (expense), net

     44        (1,067     55        (2,489

Other income (expense), net

     36        (49     184        (191
  

 

 

   

 

 

   

 

 

   

 

 

 

Loss before income taxes

     (10,124     (11,614     (38,865     (28,369

Provision for income taxes

     70        211        361        382   
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss

     (10,194     (11,825     (39,226     (28,751

Accretion of preferred stock to redemption value

     —          —          —          (35,061

Beneficial conversion charge relating to IPO participation payment

     —          (14,161     —          (14,161
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss attributable to common stockholders

   $ (10,194   $ (25,986   $ (39,226   $ (77,973
  

 

 

   

 

 

   

 

 

   

 

 

 

 

(1)  Cost of revenue and operating expenses include stock-based compensation expense and depreciation and amortization expense as follows:

 

     Three Months Ended September 30,      Nine Months Ended September 30,  
     2016      2015      2016      2015  
     (in thousands)  

Stock-based compensation expense:

           

Cost of revenue

   $ 166       $ 102       $ 445       $ 203   

Research and development

     1,600         507         4,617         917   

Sales and marketing

     1,328         418         5,453         728   

General and administrative

     1,083         400         2,822         985   
  

 

 

    

 

 

    

 

 

    

 

 

 

Total stock-based compensation expense

   $ 4,177       $ 1,427       $ 13,337       $ 2,833   
  

 

 

    

 

 

    

 

 

    

 

 

 
     Three Months Ended September 30,      Nine Months Ended September 30,  
     2016      2015      2016      2015  
     (in thousands)  

Depreciation and amortization expense:

           

Cost of revenue

   $ 648       $ 467       $ 1,916       $ 1,254   

Research and development

     262         294         875         771   

Sales and marketing

     497         432         1,450         1,186   

General and administrative

     504         146         1,089         489   
  

 

 

    

 

 

    

 

 

    

 

 

 

Total depreciation and amortization expense

   $ 1,911       $ 1,339       $ 5,330       $ 3,700   
  

 

 

    

 

 

    

 

 

    

 

 

 

 

19


Table of Contents

The following table sets forth our selected consolidated statements of operations data expressed as a percentage of revenue:

 

     Three Months Ended
September 30,
    Nine Months Ended
September 30,
 
     2016     2015     2016     2015  

Consolidated Statement of Operations Data:

        

Revenue:

        

Products

     57.3     57.4     57.6     57.3

Maintenance and support

     24.0        24.7        24.0        24.5   

Professional services

     18.7        17.9        18.4        18.2   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total revenue

     100.0        100.0        100.0        100.0   

Cost of revenue:

        

Products

     8.5        5.3        7.7        5.7   

Maintenance and support

     4.5        5.3        4.7        5.3   

Professional services

     11.9        14.3        12.5        15.1   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total cost of revenue

     24.9        24.9        24.9        26.1   

Operating expenses:

        

Research and development

     28.8        35.1        32.8        31.5   

Sales and marketing

     52.8        57.4        58.5        56.6   

General and administrative

     18.8        19.6        18.5        18.9   
  

 

 

   

 

 

   

 

 

   

 

 

 

Total operating expenses

     100.4        112.1        109.8        107.0   
  

 

 

   

 

 

   

 

 

   

 

 

 

Loss from operations

     (25.3     (37.0     (34.7     (33.1

Interest income (expense), net

     0.1        (3.8     —          (3.2

Other income (expense), net

     0.1        (0.2     0.1        (0.2
  

 

 

   

 

 

   

 

 

   

 

 

 

Loss before income taxes

     (25.1     (41.0     (34.6     (36.5

Provision for income taxes

     0.2        0.8        0.3        0.5   
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss

     (25.3     (41.8     (34.9     (37.0

Accretion of preferred stock to redemption value

     —          —          —          (45.2

Beneficial conversion charge relating to IPO participation payment

     —          (50.0     —          (18.2
  

 

 

   

 

 

   

 

 

   

 

 

 

Net loss attributable to common stockholders

     (25.3 )%      (91.8 )%      (34.9 )%      (100.4 )% 
  

 

 

   

 

 

   

 

 

   

 

 

 

Comparison of the Three Months Ended September 30, 2016 and 2015

Revenue

 

     Three Months Ended
September 30,
     Change  
     2016      2015      $      %  
     (dollars in thousands)  

Revenue:

           

Products

   $ 23,108       $ 16,240       $ 6,868         42.3

Maintenance and support

     9,694         7,002         2,692         38.4   

Professional services

     7,537         5,070         2,467         48.7   
  

 

 

    

 

 

    

 

 

    

Total revenue

   $ 40,339       $ 28,312       $ 12,027         42.5
  

 

 

    

 

 

    

 

 

    

Total revenue increased by $12.0 million in the three months ended September 30, 2016 compared to the same period in 2015, primarily due to an increase of $11.4 million in revenue recognized from our deferred revenue balance. The remaining increase was the result of purchases of additional products and services in the amount of $0.4 million by our existing customers and $0.2 million in sales to new customers that were acquired in the three months ended September 30, 2016. The increase in total revenue in the three months ended September 30, 2016 was comprised of $9.6 million generated from sales in North America and $2.4 million generated from sales from the rest of the world. We added 245 net new customers during the three months ended September 30, 2016, bringing our total customer count to 5,873 as of September 30, 2016, as compared to adding 267 net new customers, resulting in a total customer count of 4,423 for the same period in 2015. Products revenue and maintenance and support revenue increased primarily due to the same contributors that drove our increase in total revenue. Professional services revenue increased primarily due to increased demand for our assessment services and deployment and training services.

 

20


Table of Contents

Cost of Revenue

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Cost of revenue:

         

Products

   $ 3,415      $ 1,504      $ 1,911         127.1

Maintenance and support

     1,801        1,505        296         19.7   

Professional services

     4,822        4,054        768         18.9   
  

 

 

   

 

 

   

 

 

    

Total cost of revenue

   $ 10,038      $ 7,063      $ 2,975         42.1
  

 

 

   

 

 

   

 

 

    

Gross margin %:

         

Products

     85.2     90.7     

Maintenance and support

     81.4        78.5        

Professional services

     36.0        20.0        
  

 

 

   

 

 

      

Total gross margin %

     75.1     75.1     
  

 

 

   

 

 

      

Total cost of revenue increased by $3.0 million in the three months ended September 30, 2016 compared to the same period in 2015, partially due to a $1.1 million increase in personnel costs as a result of our increase in headcount from 129 as of September 30, 2015 to 160 as of September 30, 2016 in order to support our growing customer base. Our increase in total cost of revenue also included a $1.1 million increase in cloud computing costs, a $0.3 million increase in allocated overhead and a $0.2 million increase in amortization of intangible assets acquired as part of the Logentries acquisition. The increase in cost of revenue in the three months ended September 30, 2016 also included a write-off of obsolete appliance inventory in the amount of $0.3 million.

Total gross margin percentage for the three months ended September 30, 2016 remained constant compared to the same period in 2015. Products gross margin decreased for the three months ended September 30, 2016 compared to the same period in 2015, largely due to the increase in cloud computing costs, which are directly related to our cloud-based subscriptions, and the aforementioned write-off of obsolete appliance inventory. Professional services gross margin increased primarily due to scale efficiencies driven by increased demand for our assessment services and deployment and training services.

Operating Expenses

Research and Development Expense

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Research and development

   $ 11,616      $ 9,945      $ 1,671         16.8

% of revenue

     28.8     35.1     

Research and development expense increased by $1.7 million in the three months ended September 30, 2016 compared to the same period in 2015, primarily due to a $1.6 million increase in personnel costs as a result of our increase in headcount of our research and development teams from 166 as of September 30, 2015 to 240 as of September 30, 2016 intended to support our product innovation. Included in the increase in personnel cost was a $1.1 million increase in stock-based compensation expense and $0.8 million of additional cost attributable to the Logentries acquisition, partially offset by $0.5 million in government grant proceeds received in Northern Ireland. Our increase in research and development expense also included a $0.6 million increase in allocated overhead, offset by a $0.5 million reduction related to a charge taken in 2015 for the write-off of capitalized product development costs.

Sales and Marketing Expense

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Sales and marketing

   $ 21,284      $ 16,265      $ 5,019         30.9

% of revenue

     52.8     57.4     

 

21


Table of Contents

Sales and marketing expense increased by $5.0 million in the three months ended September 30, 2016 compared to the same period in 2015, primarily due to a $3.4 million increase in personnel costs as a result of our increase in headcount from 267 as of September 30, 2015 to 350 as of September 30, 2016, intended to drive additional sales of our products and services. Included in the increase in personnel costs was a $0.9 million increase in stock-based compensation expense and $0.9 million of additional costs attributable to the Logentries acquisition. Our increase in sales and marketing expense also included a $0.8 million increase in advertising and marketing programs, a $0.4 million increase in partner referral fees and a $0.4 million increase in allocated overhead.

General and Administrative Expense 

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

General and administrative

   $ 7,605      $ 5,537      $ 2,068         37.3

% of revenue

     18.8     19.6     

General and administrative expense increased by $2.1 million in the three months ended September 30, 2016 compared to the same period in 2015, primarily due to a $1.4 million increase in personnel costs as a result of our increase in headcount from 87 as of September 30, 2015 to 118 as of September 30, 2016 in order to support our overall company growth as well as our operations as a public company. Included in the increase in personnel costs was a $0.7 million increase in stock-based compensation expense. Our increase in general and administrative expense also included a $0.3 million increase in amortization of intangible assets acquired as part of the Logentries acquisition, as well as a $0.4 million increase related to a settlement and licensing agreement with a third party and $0.3 million related to global structuring of our intellectual property and international entities, partially offset by acquisition related expenses of $0.5 million in the three months ended September 30, 2015.

Interest Income (Expense), Net

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Interest income (expense), net

   $ 44      $ (1,067   $ 1,111         NM   

% of revenue

     0.1     (3.8 )%      

Interest income (expense), net increased by $1.1 million in the three months ended September 30, 2016 compared to the same period in 2015 primarily due to the repayment in full and termination of our term loan in July 2015, which significantly reduced our interest expense.

Other Income (Expense), Net

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Other income (expense), net

   $ 36      $ (49   $ 85         NM   

% of revenue

     0.1     (0.2 )%      

Other income (expense), net increased by $0.1 million in the three months ended September 30, 2016 compared to the same period in 2015 primarily due to realized and unrealized foreign currency losses, specifically related to the Euro and British Pound.

Provision for Income Taxes

 

     Three Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Provision for income taxes

   $ 70      $ 211      $ (141      (66.8 )% 

% of revenue

     0.2     0.8     

Provision for income taxes decreased by $0.1 million in the three months ended September 30, 2016 compared to the same period in 2015, primarily due to research and development tax credit refund claims in applicable foreign jurisdictions.

 

22


Table of Contents

Comparison of the Nine Months Ended September 30, 2016 and 2015

Revenue

 

     Nine Months Ended
September 30,
     Change  
     2016      2015      $      %  
     (dollars in thousands)  

Revenue:

           

Products

   $ 64,709       $ 44,524       $ 20,185         45.3

Maintenance and support

     27,037         19,054         7,983         41.9   

Professional services

     20,657         14,095         6,562         46.6   
  

 

 

    

 

 

    

 

 

    

Total revenue

   $ 112,403       $ 77,673       $ 34,730         44.7
  

 

 

    

 

 

    

 

 

    

Total revenue increased by $34.7 million in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to an increase of $23.6 million in revenue recognized from our deferred revenue balance. The remaining increase was the result of increased purchases of additional products and services in the amount of $7.2 million by our existing customers and $3.9 million in sales to new customers that were acquired in the nine months ended September 30, 2016. The increase in total revenue in the nine months ended September 30, 2016 was comprised of $29.1 million generated from sales in North America and $5.6 million generated from sales from the rest of the world. We added 741 net new customers during the nine months ended September 30, 2016, bringing our total customer count to 5,873 as of September 30, 2016, as compared to adding 690 net new customers, resulting in a total customer count of 4,423 for the same period in 2015. Products revenue and maintenance and support revenue increased primarily due to the same contributors that drove our increase in total revenue. Professional services revenue increased primarily due to increased demand for our assessment services and deployment and training services.

Cost of Revenue

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Cost of revenue:

         

Products

   $ 8,700      $ 4,389      $ 4,311         98.2

Maintenance and support

     5,240        4,127        1,113         27.0   

Professional services

     14,103        11,766        2,337         19.9   
  

 

 

   

 

 

   

 

 

    

Total cost of revenue

   $ 28,043      $ 20,282      $ 7,761         38.3
  

 

 

   

 

 

   

 

 

    

Gross margin %:

         

Products

     86.6     90.1     

Maintenance and support

     80.6        78.3        

Professional services

     31.7        16.5        
  

 

 

   

 

 

      

Total gross margin %

     75.1     73.9     
  

 

 

   

 

 

      

Total cost of revenue increased by $7.8 million in the nine months ended September 30, 2016 compared to the same period in 2015, primarily due to a $3.7 million increase in personnel costs related to our increase in headcount from 129 as of September 30, 2015 to 160 as of September 30, 2016 in order to support our growing customer base. Our increase in total cost of revenue also included a $2.2 million increase in cloud computing costs, a $0.9 million increase in allocated overhead, a $0.6 million increase in amortization of intangible assets largely due to the Logentries acquisition and a $0.1 million increase in travel and entertainment expense. The increase in cost of revenue in the nine months ended September 30, 2016 also included a write-off of obsolete appliance inventory in the amount of $0.3 million.

Total gross margin percentage increased for the nine months ended September 30, 2016 compared to the same period in 2015, due primarily to an increase in our professional services gross margin, which resulted from scale efficiencies driven by higher demand for our assessment services and deployment and training services. Products gross margin decreased for the nine months ended September 30, 2016 compared to the same period in 2015 largely due to the increase in cloud computing costs, which are directly related to our cloud-based subscriptions, and the write-off of obsolete appliance inventory.

 

23


Table of Contents

Operating Expenses

Research and Development Expense

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Research and development

   $ 36,890      $ 24,490      $ 12,400         50.6

% of revenue

     32.8     31.5     

Research and development expense increased by $12.4 million in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to a $10.4 million increase in personnel costs as a result of our increase in headcount of our research and development teams from 166 as of September 30, 2015 to 240 as of September 30, 2016 to support our product innovation. Included in the increase in personnel cost was a $3.7 million increase in stock-based compensation expense and $3.6 million of additional costs attributable to the NTO and Logentries acquisitions, partially offset by a $0.5 million in government grant proceeds received in Northern Ireland. Our increase in research and development expense also included a $2.3 million increase in allocated overhead and a $0.2 million increase in travel and entertainment expense, offset by a $0.5 million reduction related to a charge taken in 2015 for the write-off of capitalized product development costs.

Sales and Marketing Expense

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Sales and marketing

   $ 65,732      $ 43,952      $ 21,780         49.6

% of revenue

     58.5     56.6     

Sales and marketing expense increased by $21.8 million in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to a $15.1 million increase in personnel costs as a result of our increase in headcount from 267 as of September 30, 2015 to 350 as of September 30, 2016, intended to drive additional sales of our products and services. Included in the increase in personnel cost was a $4.7 million increase in stock-based compensation expense and $2.6 million of additional costs attributable to the Logentries acquisition. Our increase in sales and marketing expense also included a $2.4 million increase in allocated overhead, a $1.9 million increase in partner referral fees, a $1.3 million increase in advertising and marketing programs, a $1.0 million increase in travel and entertainment expense, and a $0.1 million increase in amortization of intangible assets.

General and Administrative Expense 

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

General and administrative

   $ 20,842      $ 14,638      $ 6,204         42.4

% of revenue

     18.5     18.9     

General and administrative expense increased by $6.2 million in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to a $3.9 million increase in personnel costs as a result of our increase in headcount from 87 as of September 30, 2015 to 118 as of September 30, 2016 in order to support our overall company growth as well as operations as a public company. Included in the increase in personnel costs was a $1.8 million increase in stock-based compensation expense. Our increase in general and administrative expense also included a $0.7 million increase related to global structuring of our intellectual property and international entities, $0.4 million related to a settlement and licensing agreement with a third party, a $0.8 million increase in allocated overhead, and a $0.5 million increase in amortization of intangible assets largely due to the Logentries acquisition.

 

24


Table of Contents

Interest Income (Expense), Net

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Interest income (expense), net

   $ 55      $ (2,489   $ 2,544         NM   

% of revenue

     —       (3.2 )%      

Interest income (expense), net increased by $2.5 million in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to the repayment in full and termination of our term loan in July 2015, which significantly reduced our interest expense.

Other Income (Expense), Net

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Other income (expense), net

   $ 184      $ (191   $ 375         NM   

% of revenue

     0.1     (0.2 )%      

Other income (expense), net increase by $0.4 million in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to realized and unrealized foreign currency gains, specifically in the Euro and British Pound.

Provision for Income Taxes

 

     Nine Months Ended
September 30,
    Change  
     2016     2015     $      %  
     (dollars in thousands)  

Provision for income taxes

   $ 361      $ 382      $ (21      (5.5 )% 

% of revenue

     0.3     0.5     

Provision for income taxes decreased nominally in the nine months ended September 30, 2016 compared to the same period in 2015 primarily due to increased foreign taxes resulting from growth of our operations overseas offset by research and development tax credit refund claims in applicable foreign jurisdictions.

 

25


Table of Contents

Liquidity and Capital Resources

Our principal sources of liquidity are cash and cash equivalents and our accounts receivable. In connection with our initial public offering, or IPO, and concurrent private placement in July 2015, we received aggregate net proceeds to us of $112.3 million, after deducting underwriting discounts and commissions related to our IPO of $8.3 million and offering expenses of $3.1 million. Prior to our IPO, we funded our operations primarily through issuances of common and redeemable convertible preferred stock and debt, including net proceeds of $93.4 million from the sale of shares of common and preferred stock. As of September 30, 2016, we had $87.7 million in cash and cash equivalents and an accumulated deficit of $379.6 million. Since our inception, we have generated significant losses and expect to continue to generate losses for the foreseeable future.

We believe that our existing cash balance together with cash generated from our operations will be sufficient to meet our working capital expenditure requirements for at least the next 12 months. Our future capital requirements will depend on many factors, including our growth rate, the timing and extent of spending to support research and development efforts, the expansion of sales and marketing activities, particularly internationally, the introduction of new and enhanced products and professional service offerings and the cost of any future acquisitions of technology or businesses. In the event that additional financing is required from outside sources, we may be unable to raise the funds on acceptable terms, if at all. If we are unable to raise additional capital on terms satisfactory to us when we require it, our business, operating results and financial condition could be adversely affected.

The following table shows a summary of our cash flows for the nine months ended September 30, 2016 and 2015:

 

     Nine Months Ended September 30,  
     2016      2015  
     (in thousands)  

Cash and cash equivalents at beginning of period

   $ 86,553       $ 36,823   

Net cash provided by (used in) operating activities

     2,061         (1,980

Net cash used in investing activities

     (3,307      (6,183

Net cash provided by financing activities

     2,348         95,464   

Effects of exchange rates on cash

     60         (140
  

 

 

    

 

 

 

Cash and cash equivalents at end of period

   $ 87,715       $ 123,984   
  

 

 

    

 

 

 

Uses of Funds

Our historical uses of cash have primarily consisted of cash used for operating activities such as expansion of our sales and marketing operations, research and development activities and other working capital needs, as well as cash used for business acquisitions.

Operating Activities

Operating activities provided $2.1 million of cash in the nine months ended September 30, 2016. Cash provided by operating activities reflected our net loss of $39.2 million, offset by a decrease in our net operating assets and liabilities of $22.1 million and non-cash charges of $19.2 million related to depreciation and amortization, stock-based compensation expense, provision for doubtful accounts and non-cash interest charges. The decrease in our net operating assets and liabilities was primarily due to a $19.0 million increase in deferred revenue, a $5.1 million decrease in accounts receivable, a $0.5 million increase in accounts payable and a $0.2 million increase in other liabilities, which each had a positive impact on operating cash flow. These factors were offset by a $1.6 million decrease in accrued expenses, which was largely the result of annual bonus and increased commission payments and a $1.1 million increase in prepaid expenses and other assets, which each had a negative impact on operating cash flow.

Operating activities used $2.0 million of cash in the nine months ended September 30, 2015. Cash used in operating activities reflected our net loss of $28.8 million, partially offset by a decrease in our net operating assets and liabilities of $17.8 million and non-cash charges of $9.0 million related to depreciation and amortization, stock-based compensation expense, provision for doubtful accounts and impairment charges. The decrease in our net operating assets and liabilities was primarily due to a $25.1 million increase in deferred revenue from sales of our products and services and a $1.6 million increase in accrued expenses, partially offset by a $6.7 million increase in accounts receivable, a $1.6 million decrease in accounts payable and a $0.5 million increase in prepaid expenses and other assets and a $0.1 million decrease in other liabilities.

Investing Activities

Investing activities used $3.3 million of cash in the nine months ended September 30, 2016, as a result of capital expenditures to purchase equipment and leasehold improvements.

 

26


Table of Contents

Investing activities used $6.2 million of cash in the nine months ended September 30, 2015, as a result of $3.3 million for net cash used in the acquisition of NTO and $2.9 million for capital expenditures to purchase property and equipment, largely related to leasehold improvements associated with office space expansions.

Financing Activities

Financing activities provided $2.3 million of cash in the nine months ended September 30, 2016, which consisted primarily of $3.7 million in proceeds from the issuance of common shares purchased by employees under the Rapid7, Inc. 2015 Employee Stock Purchase Plan, or ESPP, and $2.5 million in proceeds from the exercise of stock options, partially offset by $3.8 million in withholding taxes paid for the net share settlement of equity awards and $0.1 million of payments on capital lease obligations.

Financing activities provided $95.5 million of cash in the nine months ended September 30, 2015, which consisted primarily of net proceeds from our IPO and concurrent private placement of $112.9 million. Cash provided by financing activities also included proceeds from stock option exercises of $1.3 million, partially offset by the repayment of our term loan and related termination fee of $18.5 million, as well as payments on capital lease obligations of $0.2 million.

Contractual Obligations and Commitments

As of September 30, 2016, there were no material changes in our contractual obligations and commitments from those disclosed in our Annual Report on Form 10-K for the year ended December 31, 2015 filed with the SEC on March 10, 2016.

Off-Balance Sheet Arrangements

We do not have any relationships with unconsolidated entities or financial partnerships, including entities sometimes referred to as structured finance or special purpose entities that were established for the purpose of facilitating off-balance sheet arrangements or other contractually narrow or limited purposes. We do not engage in off-balance sheet financing arrangements.

Recent Accounting Pronouncements

See Note 1 to the unaudited consolidated financial statements in Part I, Item 1 of this Quarterly Report on Form 10-Q for a discussion of recent accounting pronouncements.

Critical Accounting Policies and Estimates

Our consolidated financial statements are prepared in accordance with generally accepted accounting principles in the United States, or GAAP. The preparation of our consolidated financial statements requires us to make estimates, assumptions and judgments that affect the reported amounts of assets, liabilities, revenue, costs and expenses. We base our estimates and assumptions on historical experience and other factors that we believe to be reasonable under the circumstances. We evaluate our estimates and assumptions on an ongoing basis. Our actual results may differ from these estimates. There have been no material changes in our critical accounting policies from those disclosed in our Annual Report on Form 10-K for the year ended December 31, 2015 filed with the SEC on March 10, 2016.

 

Item 3. Quantitative and Qualitative Disclosures About Market Risk.

Market risk represents the risk of loss that may impact our financial position due to adverse changes in financial market prices and rates. Our market risk exposure is primarily the result of fluctuations in interest rates and foreign exchange rates as well as to a lesser extent, inflation. In addition, we do not engage in trading activities involving non-exchange traded contracts. Therefore, we believe that we are not materially exposed to any financing, liquidity, market or credit risk that could arise if we had engaged in these relationships.

Foreign Currency Exchange Risk

Our results of operations and cash flows are subject to fluctuations due to changes in foreign currency exchange rates. Substantially all of our customers enter into contracts that are denominated in U.S. dollars. Our expenses are generally denominated in the currencies of the countries where our operations are located, which is primarily in the United States and to a lesser extent in the United Kingdom, other Euro-zone countries within mainland Europe, Hong Kong, Canada, Singapore and Australia. Our results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign currency exchange rates. The effect of a hypothetical 10% adverse change in foreign currency exchange rates on monetary assets and liabilities at September 30, 2016 would not be material to our financial condition or results of operations. To date, we have not engaged in any hedging strategies. As our international operations grow, we will continue to reassess our approach to manage our risk relating to fluctuations in foreign currency rates.

 

27


Table of Contents

Interest Rate Risk

We are exposed to interest rate risk in the ordinary course of our business. As of September 30, 2016, we had cash and cash equivalents of $87.7 million, consisting of bank deposits and money market funds. Such interest-earning instruments carry a degree of interest rate risk. To date, fluctuations in interest income have not been significant. A hypothetical 10% change in interest rates during any of the periods presented would not have had a material impact on our financial statements.

Inflation Risk

We do not believe that inflation had a material effect on our business, financial condition or results of operations in the last three years. If our costs were to become subject to significant inflationary pressures, we may not be able to fully offset such higher costs through price increases. Our inability or failure to do so could harm our business, financial condition and results of operations.

 

Item 4. Controls and Procedures.

Evaluation of Disclosure Controls and Procedures

We maintain “disclosure controls and procedures,” as defined in Rule 13a-15(e) and 15d-15(e) under the Securities Exchange Act of 1934, as amended, or the Exchange Act, that are designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the SEC’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to our management, including our principal executive and principal financial officers, as appropriate to allow timely decisions regarding required disclosure.

Our management, with the participation of our Chief Executive Officer and our Chief Financial Officer, evaluated the effectiveness of our disclosure controls and procedures as of September 30, 2016. Based on the evaluation of our disclosure controls and procedures as of September 30, 2016, our Chief Executive Officer and Chief Financial Officer concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.

Changes in Internal Control over Financial Reporting

There was no change in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and 15d-15(d) of the Exchange Act that occurred during the period covered by this Quarterly Report on Form 10-Q that has materially affected, or is reasonably likely to materially affect, our internal control over financial reporting.

Inherent Limitations on Effectiveness of Controls

Our management, including our Chief Executive Officer and Chief Financial Officer, believes that our disclosure controls and procedures and internal control over financial reporting are designed to provide reasonable assurance of achieving their objectives and are effective at the reasonable assurance level. However, our management does not expect that our disclosure controls and procedures or our internal control over financial reporting will prevent all errors and all fraud. A control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Further, the design of a control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, have been detected. These inherent limitations include the realities that judgments in decision making can be faulty, and that breakdowns can occur because of a simple error or mistake. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people or by management override of the controls. The design of any system of controls also is based in part upon certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions; over time, controls may become inadequate because of changes in conditions, or the degree of compliance with policies or procedures may deteriorate. Because of the inherent limitations in a cost-effective control system, misstatements due to error or fraud may occur and not be detected.

 

28


Table of Contents

PART II—OTHER INFORMATION

 

Item 1. Legal Proceedings.

From time to time, we are and may be a party to litigation and subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.

 

Item 1A. Risk Factors.

Our operations and financial results are subject to various risks and uncertainties including those described below. You should consider carefully the risks and uncertainties described below, in addition to other information contained in this Quarterly Report on Form 10-Q as well as our other public filings with the Securities and Exchange Commission, or the SEC, including our Annual Report on Form 10-K for the year ended December 31, 2015, filed with the SEC on March 10, 2016. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business. If any of the following risks or others not specified below materialize, our business, financial condition and results of operations could be materially adversely affected. In that event, the trading price of our common stock could decline. 

Risks Related to Our Business and Industry

We are a rapidly growing company, which makes it difficult to evaluate our future prospects and may increase the risk that we will not be successful.

We are a rapidly growing company. Our ability to forecast our future operating results is subject to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly evolving industries. If our assumptions regarding these uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations, our business could suffer and the trading price of our common stock may decline.

If we are unable to sustain our revenue growth rate, we may not achieve or maintain profitability in the future.

From the year ended December 31, 2011 to the year ended December 31, 2015, our revenue grew from $31.0 million to $110.5 million, which represents a compounded annual growth rate of approximately 37%. Although we have experienced rapid growth historically and currently have high renewal rates, we may not continue to grow as rapidly in the future and our renewal rates may decline. Any success that we may experience in the future will depend, in large part, on our ability to, among other things:

 

    maintain and expand our customer base;

 

    increase revenues from existing customers through increased or broader use of our products and professional services within their organizations;

 

    improve the performance and capabilities of our products through research and development;

 

    continue to develop our cloud-based solutions;

 

    maintain the rate at which customers purchase our content subscriptions and maintenance and support;

 

    continue to successfully expand our business domestically and internationally; and

 

    successfully compete with other companies.

If we are unable to maintain consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods as any indication of our future revenue or revenue growth.

We have not been profitable historically and may not achieve or maintain profitability in the future.

We have posted a net loss in each year since inception, including net losses of $39.2 million and $28.8 million in the nine months ended September 30, 2016 and 2015, respectively. As of September 30, 2016, we had an accumulated deficit of $379.6 million. While we have experienced significant revenue growth in recent periods, we are not certain whether or when we will obtain a high enough volume of sales of our products and professional services to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we expect to continue to expend substantial financial and other resources on:

 

29


Table of Contents
    research and development related to our offerings, including investments in our research and development team;

 

    sales and marketing, including a significant expansion of our sales organization, both domestically and internationally;

 

    continued international expansion of our business;

 

    expansion of our professional services organization; and

 

    general administration expenses, including legal and accounting expenses related to our growth and continued expenses with respect to being a public company.

These investments may not result in increased revenue or growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.

If our products or professional services fail to detect vulnerabilities or incorrectly detect vulnerabilities, or if our products contain undetected errors or defects, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

If our products or professional services fail to detect vulnerabilities in our customers’ cyber security infrastructure, or if our products or professional services fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or professional services will detect all vulnerabilities, especially in light of the rapidly changing security landscape to which we must respond. Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. If the information from these third parties is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability of our offerings and may therefore adversely impact market acceptance of our products and professional services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem.

Our products may also contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new products and product upgrades and we expect that these errors or defects will be found from time to time in the future in new or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ business and could hurt our reputation. If our products or professional services fail to detect vulnerabilities for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results.

An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or professional services, could adversely affect the market’s perception of our offerings and subject us to legal claims.

We face intense competition in our market.

The market for cyber security solutions is highly fragmented, intensely competitive and constantly evolving. We compete with an array of established and emerging security software and services vendors. With the introduction of new technologies and market entrants, we expect the competitive environment to remain intense going forward. Our competitors include: vulnerability management and assessment vendors, including Qualys and Tenable Network Security; diversified security software and services vendors, including IBM and HP Enterprise; legacy compliance and monitoring solutions such as SIEM, including those provided by LogRhythm, Alienvault and Sumo Logic; security services specialists, including Mandiant (a subsidiary of FireEye); and providers of point solutions that compete with some of the features present in our solutions.

Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business user recognition, larger intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is becoming increasingly competitive. Larger and more established companies may focus on cyber security and could directly compete with us. Smaller companies could also launch new products and services that we do not offer and that could gain market acceptance quickly.

 

30


Table of Contents

Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our offerings and cause the average sales price for our offerings to decline. These larger competitors are also often in a better position to withstand any significant reduction in capital spending, and will therefore not be as susceptible to economic downturns.

Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors.

The market for our products and professional services is new and unproven and may not grow.

We believe our future success will depend in large part on the growth, if any, in the market for cyber security data and analytics. This market is nascent, and as such, it is difficult to predict important market trends, including the potential growth, if any. To date, the majority of enterprise spend on cyber security has been on threat protection products, such as network, endpoint and web security that are designed to stop threats from penetrating corporate networks. Organizations that use these security products may believe that their existing security solutions sufficiently protect access to their sensitive business data. Therefore, they may continue allocating their cyber security budgets to these products and may not adopt our products and professional services in addition to, or in lieu of, such traditional products. Further, sophisticated cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive business data, and changes in the nature of advanced cyber threats could result in a shift in IT budgets away from products and professional services such as ours. In addition, while recent high visibility attacks on prominent enterprises and governments have increased market awareness of the problem of cyber attacks, if cyber attacks were to decline, or enterprises or governments perceived that the general level of cyber attacks have declined, our ability to attract new customers and expand our sale to existing customers could be materially and adversely affected. If products and professional services such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our offerings as a critical layer of an effective cyber security strategy, our revenue may not grow as quickly as expected, or may decline, and the trading price of our stock could suffer. It is therefore difficult to predict how large the market will be for our solutions.

In addition, it is difficult to predict customer adoption and renewal rates, customer demand for our products and professional services, the size and growth rate of the market for cyber security data analytics, the entry of competitive products or the success of existing competitive products. Any expansion in our market depends on a number of factors, including the cost, performance and perceived value associated with our offerings and those of our competitors. If these offerings do not achieve widespread adoption or there is a reduction in demand for solutions in our market caused by a lack of customer acceptance, technological challenges, competing technologies and products, decreases in corporate spending, weakening economic conditions, or otherwise, it could result in reduced customer orders, early terminations, reduced renewal rates or decreased revenue, any of which would adversely affect our business operations and financial results. You should consider our business and prospects in light of the risks and difficulties we face in this new and unproven market.

Forecasts of our market and market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.

Growth forecasts included in this Quarterly Report on Form 10-Q relating to our market opportunity and the expected growth in the market for information and data security analytics are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets meet our size estimates and experience the forecasted growth, we may not grow our business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties. Accordingly, the forecasts of market growth included in this Quarterly Report on Form 10-Q should not be taken as indicative of our future growth.

 

31


Table of Contents

Organizations may be reluctant to purchase cyber security data analytics offerings that are cloud-based due to the actual or perceived vulnerability of cloud solutions.

Some organizations have been reluctant to use cloud solutions for cyber security, such as InsightIDR, InsightUBA (formerly known as UserInsight) and Logentries, because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole may be negatively impacted.

If we do not continue to innovate and offer products and professional services that address the dynamic threat landscape, we may not remain competitive, and our revenue and operating results could suffer.

The cyber security market is characterized by rapid technological advances, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards. Our success also depends on continued innovation to provide features that make our products and professional services responsive to the dynamic threat landscape. While we continue to invest significant resources in research and development in order to ensure that our products continue to address the cyber security risks that our customers face, the introduction of products and services embodying new technologies could render our existing products or services obsolete or less attractive to customers. In addition, developing new products and product enhancements is expensive and time consuming, and there is no assurance that such activities will result in significant cost savings, revenue or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected. Further, we may not be able to successfully anticipate or adapt to changing technology or customer requirements or the dynamic threat landscape on a timely basis, or at all.

To date, we have derived a substantial majority of our revenue from customers using our threat exposure management offerings. If we are unable to renew or increase sales of our threat exposure management offerings, or if we are unable to increase sales of our other offerings, our business and operating results could be adversely affected.

Although we have recently introduced new products and professional services, we derive and expect to continue to derive a substantial majority of our revenue from customers using certain of our threat exposure management offerings, Nexpose and Metasploit. Greater than one-half of our revenue was attributable to Nexpose in each of our last three fiscal years. As a result, our operating results could suffer due to:

 

    any decline in demand for our threat exposure management offerings;

 

    failure of our threat exposure management offerings to detect vulnerabilities in our customers’ IT environments;

 

    the introduction of products and technologies that serve as a replacement or substitute for, or represent an improvement over, our threat exposure management offerings;

 

    technological innovations or new standards that our threat exposure management offerings do not address;

 

    sensitivity to current or future prices offered by us or competing solutions; and

 

    our inability to release enhanced versions of our threat exposure management offerings on a timely basis in response to the dynamic threat landscape.

Our inability to renew or increase sales of our threat exposure management offerings, including content subscriptions and maintenance and support, or a decline in prices of our threat exposure management offerings would harm our business and operating results more seriously than if we derived significant revenues from a variety of offerings. For example, our sales and marketing of our Analytic Response, InsightUBA and InsightIDR products for user behavior analytics and incident detection and response, respectively, are relatively new, and it is uncertain whether these products will gain market acceptance. We are also investing heavily in the expansion of our security advisory services offerings, which we believe will help drive demand for our other products in addition to being a stand-alone service. Any factor adversely affecting sales of our products or professional services, including release cycles, market acceptance, competition, performance and reliability, reputation and economic and market conditions, could adversely affect our business and operating results.

If Metasploit were to be used by attackers to exploit vulnerabilities in the cyber security infrastructures of third parties, our reputation and business could be harmed.

Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cyber security programs, Metasploit has in the past and may in the future be used to exploit vulnerabilities in the cyber security infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes, and any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our offerings. Further, the identification of new exploits and vulnerabilities by the Metasploit community may enhance the knowledge base of cyber attackers or enable them to undertake new forms of attacks. If any of the foregoing were to occur, we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.

 

32


Table of Contents

A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.

We market and sell our products and professional services throughout the world and have personnel in many parts of the world. For the nine months ended September 30, 2016 and 2015, international operations generated 14% and 13% of our revenue, respectively. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. We cannot assure you that our expansion efforts into international markets will be successful in creating further demand for our products and professional services outside of the United States or in effectively selling our products and professional services in the international markets that we enter. Our current international operations and future initiatives will involve a variety of risks, including:

 

    increased management, infrastructure and legal costs associated with having international operations;

 

    reliance on channel partners;

 

    trade and foreign exchange restrictions;

 

    economic or political instability or uncertainty in foreign markets and around the world, such as related to the United Kingdom’s referendum in June 2016 in which voters approved an exit from the European Union, commonly referred to as “Brexit”;

 

    foreign currency exchange fluctuations;

 

    greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;

 

    changes in regulatory requirements, including, but not limited to data privacy, data protection and data security regulations;

 

    difficulties and costs of staffing and managing foreign operations;

 

    the uncertainty and limitation of protection for intellectual property rights in some countries;

 

    costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;

 

    costs of compliance with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;

 

    heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;

 

    the potential for political unrest, acts of terrorism, hostilities or war;

 

    management communication and integration problems resulting from cultural differences and geographic dispersion;

 

    costs associated with language localization of our products; and

 

    costs of compliance with multiple and possibly overlapping tax structures.

Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.

We are also monitoring developments related to Brexit, which could have significant implications for our business. Brexit could lead to economic and legal uncertainty, including significant volatility in global stock markets and currency exchange rates, and differing laws and regulations as the United Kingdom determines which European Union laws to replace or replicate. Any of these effects of Brexit, among others, could adversely affect our operations in the United Kingdom and our financial results.

 

33


Table of Contents

As a cyber security provider, we are a target of cyber attacks that could adversely impact our reputation and operating results.

We sell cyber security and data analytics products. As a result, we have been and will be a target of cyber attacks designed to impede the performance of our products, penetrate our network security or the security of our cloud platform or our internal systems, or that of our customers, misappropriate proprietary information and/or cause interruptions to our services. For example, because Metasploit serves as an introduction to hacking for many individuals, a successful cyber attack on us may be perceived as a victory for the cyber attacker, thereby increasing the likelihood that we may be a target of cyber attacks, even absent financial motives. Further, if our systems are breached, attackers could learn critical information about how our products operate to help protect our customers’ IT infrastructures from cyber risk, thereby making our customers more vulnerable to cyber attacks. In addition, if actual or perceived breaches of our network security occur, they could adversely affect the market perception of our products, negatively affecting our reputation, and may expose us to the loss of our proprietary information or information belonging to our customers, investigations or litigation and possible liability, including injunctive relief and monetary damages. Such security breaches could also divert the efforts of our technical and management personnel. In addition, such security breaches could impair our ability to operate our business and provide products to our customers. If this happens, our reputation could be harmed, our revenue could decline and our business could suffer.

We are dependent on the continued services and performance of our senior management and other key employees, as well as on our ability to successfully hire, train, manage and retain qualified personnel, especially those in sales and marketing and research and development.

Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our President and Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. We maintain key man insurance on Mr. Thomas, but do not do so for any of our other executive officers or key employees. From time to time, there may be changes in our senior management team resulting from the termination or departure of our executive officers and key employees. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of the services of our senior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent our development or the achievement of our strategic objectives and harm our business, financial condition and results of operations.

Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales and marketing and research and development. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain additional qualified employees in the future. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or professional services or market our existing products or professional services at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.

Our business and operations are experiencing rapid growth, and if we do not appropriately manage our future growth, or are unable to scale our systems and processes, our operating results may be negatively affected.

We are a rapidly growing company. To manage future growth effectively, and as we continue to transition to the requirements of being a public company, we will need to continue to improve and expand our internal information technology systems, financial infrastructure, and operating and administrative systems and controls, which we may not be able to do efficiently, in a timely manner or at all. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes.

Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.

Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:

 

    the level of demand for our products and professional services;

 

    customer renewal rates;

 

34


Table of Contents
    the extent to which customers purchase additional products, including content subscriptions and maintenance and support related to our Nexpose, Metasploit and AppSpider products, or professional services;

 

    the level of perceived threats to organizations’ cyber security;

 

    network outages, security breaches, technical difficulties or interruptions with our products;

 

    changes in the growth rate of the markets in which we compete;

 

    the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;

 

    the timing and success of new product or professional service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;

 

    the introduction or adoption of new technologies that compete with our offerings;

 

    the mix of our products and professional services sold during a period;

 

    decisions by potential customers to purchase cyber security products or services from other vendors;

 

    the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;

 

    the timing of sales commissions relative to the recognition of revenue and the timing of revenue recognition generally;

 

    price competition;

 

    our ability to successfully manage any future acquisitions of businesses, including without limitation the timing of expenses and potential future charges for impairment of goodwill from acquired companies;

 

    our ability to increase, retain and incentivize the channel partners that market and sell our products and professional services;

 

    our continued international expansion and associated exposure to changes in foreign currency exchange rates, including any fluctuations caused by uncertainties relating to Brexit;

 

    the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;

 

    unforeseen litigation and intellectual property infringement;

 

    the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;

 

    the strength of regional, national and global economies;

 

    the impact of natural disasters or manmade problems such as terrorism; and

 

    future accounting pronouncements or changes in our accounting policies.

Each factor above or discussed elsewhere in this Quarterly Report on Form 10-Q or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.

We recognize substantially all of our revenue ratably over the term of our agreements with customers and, as a result, downturns or upturns in sales may not be immediately reflected in our operating results.

We recognize substantially all of our revenue ratably over the terms of our agreements with customers, which generally occurs over a one to three-year period. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.

We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our business. We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.

 

35


Table of Contents

We may be unable to rapidly and efficiently adjust our cost structure in response to significant revenue declines, which could adversely affect our operating results.

Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.

Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors, capacity constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.

We utilize third-party data centers located in Boston, Massachusetts, in addition to operating and maintaining certain elements of our own network infrastructure. We also utilize Amazon Web Services for our InsightIDR, InsightUBA and Logentries infrastructure. Some elements of this complex system are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. More specifically, certain of our products, in particular our Nexpose managed service, InsightIDR, InsightUBA and Logentries products, are hosted on Amazon Web Services, which provides us with computing and storage capacity. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure and website.

Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition, and operating results.

Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience costs or downtime as we transition our operations.

Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, subject us to potential liability and cause customers to not renew their purchases or our products.

If we fail to manage our operations infrastructure, our customers may experience service outages and/or delays.

Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.

If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.

We generate a portion of our revenue from our threat exposure management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our threat exposure management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that process, transmit or store cardholder data. In addition, our threat exposure management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, the Health Insurance Portability

 

36


Table of Contents

and Accountability Act of 1996, or HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The foregoing and other state, federal and international legal and regulatory regimes may affect our customers’ requirements for, and demand for, our products and professional services. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our customers’ cyber security defense and compliance efforts, our customers may lose confidence in our products and could switch to products offered by our competitors, or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.

In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and standards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.

Our products are deployed in a wide variety of IT environments, including large-scale, complex infrastructures. Some of our customers have experienced difficulties implementing our products in the past and may experience implementation difficulties in the future. If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.

In addition, in order for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, and our products must be able to effectively adapt to and track these changes.

Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.

The continued utility of Metasploit depends in part on the continued contributions from security researchers.

Our Metasploit product relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. We expect that the continued contributions from these third parties will both enhance the robustness of Metasploit and also support our sales and marketing efforts. However, to the extent that the information provided by these third parties is inaccurate or malicious, the potential for false indications of security vulnerabilities and susceptibility to attack increases, which could adversely impact market acceptance of our products and professional services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem. Further, to the extent that our community of third parties is reduced in size or participants become less active, we may lose valuable insight into the dynamic threat landscape and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.

Recent and future acquisitions could disrupt our business and harm our financial condition and operating results.

In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay. We also may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful.

Achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner. For example, in October 2015, we acquired RevelOps, Inc. (d/b/a Logentries). The Logentries acquisition is intended to provide us with machine data search, forensics, and compliance capabilities that complement and build upon our current offerings. The integration process of a new business or technology, such as Logentries,

 

37


Table of Contents

requires, among other things, coordination of administrative, sales and marketing, accounting and finance functions, and expansion of information and management systems. Integration of Logentries or any future acquisition may prove to be difficult due to the necessity of coordinating geographically separate organizations and integrating personnel with disparate business backgrounds and accustomed to different corporate cultures. The acquisition and integration processes are complex, expensive and time consuming, and may cause an interruption of, or loss of momentum in, product development and sales activities and operations of both companies. Further, we may be unable to retain key personnel of an acquired company following the acquisition, including certain employees which we acquired in connection with our acquisition of Logentries. If we are unable to effectively execute or integrate acquisitions, our business, financial condition and operating results could be adversely affected.

In addition, we may only be able to conduct limited due diligence on an acquired company’s operations. Following an acquisition, we may be subject to unforeseen liabilities arising from an acquired company’s past or present operations and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any unforeseen liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition.

We rely on third-party channel partners to generate a substantial amount of our revenue.

Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We anticipate that we will continue to rely on these partners in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. For 2015 and 2014, we derived approximately 39% and 41%, respectively, of our revenue from sales of products and professional services through channel partners, and the percentage of revenue derived from channel partners may increase in future periods. Our agreements with our channel partners are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or do not effectively market and sell our products and professional services, our ability to grow our business and sell our products and professional services, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and professional services or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and professional services or increased revenue.

Failure to maintain high-quality customer support could have a material adverse effect on our business.

Once our products are deployed within our customers’ networks, our customers depend on our technical and other customer support services to resolve any issues relating to the implementation and maintenance of our products. If we do not effectively assist our customers in deploying our products, help our customers quickly resolve post-deployment issues or provide effective ongoing support, our ability to renew or sell additional products or professional services to existing customers would be adversely affected and our reputation with potential customers could be damaged. Further, to the extent that we are unsuccessful in hiring, training and retaining adequate technical and customer success personnel, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our offerings will be adversely affected.

We rely on third-party software to operate certain functions of our business.

We rely on software vendors to operate certain critical functions of our business, including financial management and human resource management. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.

We use third-party software and data that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.

We license third-party software and security and compliance data from various third parties that are used in our solutions in order to deliver our offerings. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our offerings until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software could result in errors or defects in our products or cause our products to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.

 

38


Table of Contents

We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.

Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.

Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, or GPL, the GNU Lesser General Public License, or LGPL, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.

Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our applications and to make our applications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the event that portions of our applications are determined to be subject to an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in our products failing to provide our customers with the security they expect. Any of these events could have a material adverse effect on our business, operating results and financial condition.

Our technology alliance partnerships expose us to a range of business risks and uncertainties that could have a material adverse impact on our business and financial results.

We have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans, including with certain of our actual or potential competitors. For example, through these technology alliance partnerships, we integrate with certain third-party application program interfaces, or APIs, which enhance our data collection capabilities in our customers’ IT environments. If these third parties no longer allow us to integrate with their APIs, or if we determine not to maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain potential customers. Technology alliance partnerships require significant coordination between the parties involved, particularly if a partner requires that we integrate its products with our products. Further, we have invested and will continue to invest significant time, money and resources to establish and maintain relationships with our technology alliance partners, but we have no assurance that any particular relationship will continue for any specific period of time, result in new offerings that we can effectively commercialize or result in enhancements to our existing offerings. In addition, while we believe that entering into technology alliance partnerships with certain of our actual or potential competitors is currently beneficial to our competitive position in the market, such partnerships may also give our competitors insight into our offerings that they may not otherwise have, thereby allowing them to compete more effectively against us.

Our sales cycle may be unpredictable.

The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products, such as InsightUBA and InsightIDR. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the size of the organization and nature of the product or professional service under consideration. For example, the length of the sales cycle for our threat exposure management offerings typically ranges from one to six months, while sales of our InsightUBA product can exceed twelve months because input from an organization’s senior management is often required before a sale of these products are consummated and because InsightUBA has only been broadly commercially available since 2014. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.

 

39


Table of Contents

A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.

Selling to government entities can be highly competitive, expensive and time consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our products and professional services may also be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Government entities also have heightened sensitivity surrounding the purchase of cyber security solutions due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly-visible targets for cyber attacks. Accordingly, increasing sales of our products and professional services to government entities may be more challenging than selling to commercial organizations. Further, in the course of providing our products and professional services to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, for the nine months ended September 30, 2016, we incurred approximately 13% of our expenses outside of the United States in foreign currencies, primarily the pound sterling (GBP) and Euro, principally with respect to salaries and related personnel expenses associated with our sales and research and development operations. Additionally, for the nine months ended September 30, 2016, approximately 5% of our revenue was generated in foreign currencies. Accordingly, changes in exchange rates may have an adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. The results of our operations may be adversely affected by foreign exchange fluctuations. To date, we have not engaged in any hedging strategies, and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations.

Changes in financial accounting standards may cause an adverse impact our reported results of operations.

A change in accounting standards or practices, particular with respect to revenue recognition, could harm our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or the way we conduct our business.

Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.

A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. In addition, natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by any of the events discussed above, our ability to provide our products or professional services to customers could be delayed.

In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a natural disaster, power failure or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future growth of our business, that may result from interruptions in our service as a result of system failures.

 

40


Table of Contents

All of the aforementioned risks may be exacerbated if our disaster recovery plans or the disaster recovery plans established for our third-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our business, financial condition and results of operations could be adversely affected.

We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.

We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.

Risks Related to Government Regulation, Data Collection, Intellectual Property and Litigation

Failure to comply with governmental laws and regulations could harm our business.

Our business is subject to regulation by various federal, state, local and foreign governments. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.

We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.

Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in compliance with these laws and regulations. If we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers. A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.

We also incorporate encryption technology into our products. These encryption products may be exported outside of the United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. We previously deployed certain of our Metasploit products prior to obtaining the appropriate export authorizations. As such, we did not fully comply with applicable encryption controls in the U.S. Export Administration Regulations. Further, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to U.S. embargoed or sanctioned countries, governments or persons. Although we take precautions to prevent our products from being provided to those subject to U.S. sanctions, such measures may be circumvented. We are aware of previous exports in the form of downloads of certain of our Metasploit products by persons and organizations that appear to be located in countries that are the subject of U.S. embargoes, and by certain other persons and organizations without the requisite export authorizations. In September 2014, we initiated and filed a voluntary self-disclosure with the U.S. Department of Commerce’s Bureau of Industry and Security, or BIS, concerning our previous failure to obtain required authorizations for certain exports, as well as historical exports of free and trial software to embargoed countries. In March and August 2015, we filed supplements to the voluntary self-disclosure to BIS containing additional information regarding unauthorized exports. Also in March 2015, we filed a voluntary self-disclosure with the U.S. Department of Treasury’s Office of Foreign Assets Control, or OFAC, concerning exports of free and

 

41


Table of Contents

trial versions of our Metasploit products to embargoed countries, specifically Cuba, Iran, Sudan and Syria. As these transactions involved free downloads of our software, we did not derive any revenue from such transactions. On May 22, 2015, OFAC determined not to pursue a civil monetary penalty against us and issued us a Cautionary Letter to resolve our voluntary self-disclosure regarding the free downloads in embargoed countries. The voluntary self-disclosure submitted to BIS currently remains under review, and we are cooperating with BIS. It is possible that the matters discussed in the BIS voluntary self-disclosure could result in monetary penalties or other penalties being assessed against us.

In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.

Encryption products and the underlying technology may also be subject to export control restrictions. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.

Finally, there are currently multinational efforts underway as part of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, or the Wassenaar Arrangement, to impose additional restrictions on certain cyber security products. These controls are not currently in effect in the United States and may undergo substantial modification before becoming effective. To implement the controls under the Wassenaar Arrangement in the United States, BIS would have to amend the EAR. Such amendments could include changes that impose new licensing, approval and other requirements on our commercial Metasploit products and thereby put us at a disadvantage in competing for international sales. We are closely monitoring the potential implications of the Wassenaar Arrangement on the commercial versions of Metasploit, and are actively working with BIS and other U.S. government stakeholders in connection with the implementation of the controls under the Wassenaar Arrangement.

Because our products collect and store user and related information, domestic and international privacy and cyber security concerns, and other laws and regulations, could result in additional costs and liabilities to us or inhibit sales of our products.

We, and our customers, are subject to a number of domestic and international laws and regulations that apply to online services and the internet generally. These laws, rules and regulations address a range of issues including data privacy and cyber security, and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, cyber security and breach notification procedures. Interpretation of these laws, rules and regulations and their application to our products and professional services in the U.S. and foreign jurisdictions is ongoing and cannot be fully determined at this time.

In the United States, these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, HIPAA, the Gramm Leach Bliley Act and state breach notification laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal frameworks with which we, or our customers, must comply, including the Data Protection Directive 95/46/EC (“Directive”) established in the European Union (“EU”) and local EU Member State legislation implementing the Directive, such as the Data Protection Act in the UK. Further, many federal, state and foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. If passed, we will likely incur additional expenses and costs associated with complying with such laws.

In addition, to facilitate the transfer of both customer and personnel data from the European Union to the United States, we signed up to the EU-U.S. Safe Harbor Framework, which required U.S.-based companies to provide assurance that they are adhering to relevant European standards for data protection. On October 6, 2015, the Court of Justice of the European Union, or CJEU, invalidated the EU-U.S. Safe Harbor Framework. In light of CJEU’s decision, we are reviewing our current operations to ensure that our EU-U.S. data transfers comply with EU data protection laws. The available legal basis for such transfers will depend on a number of factors, including, for example, the type of data and the European Economic Area country from which the data is being transferred, and may require that we obtain express consent from the customer or employee whose data is being transferred or include in our agreements with the applicable customer or European Economic Area employing entity the standard contractual clauses that have been approved by the EU Commission or adopt one of the other alternative mechanisms available in order to effect such transfers in compliance with

 

42


Table of Contents

the EU laws. These actions may involve substantial time and expense; for example, if we enter into the standard contractual clauses with a customer, in some EU countries, including Belgium and Spain, executed clauses need to be lodged with or notified to the country’s data protection authority prior to the transfer of any data, and in other countries, including Austria, France, Ireland, Romania and Slovenia, the clauses need to be approved by the country’s data protection authority prior to use. The Article 29 Working Party, a body comprising representatives from data protection authorities (“DPAs”) of all the EU countries that works to harmonize the application of data protection rules throughout the EU, indicated after the CJEU’s ruling on October 6, 2015 that it would allow a grace period until the end of January 2016 to implement alternatives. Following the expiration of the grace period, certain DPAs, such as the Hamburg authority in Germany, have commenced enforcement action against companies which have not put in place an alternative to the EU-U.S. Safe Harbor Framework. Equally, certain German regulators have expressed concerns in respect of the standard contractual clauses and the Irish DPA has commenced proceedings in the Irish High Court to see a reference to the CJEU as to whether the standard contractual clauses can be used as a basis for data transfers to the U.S. The hearing before the Irish High Court is due to commence on February 7, 2017 and is expected to last for approximately three weeks. On February 2, 2016, the EU Commission announced that it had reached agreement with the United States regarding a replacement regime for EU-U.S. transfers referred to as the “Privacy Shield.” On February 29, 2016, the EU Commission released a draft adequacy decision to establish the EU-U.S. Privacy Shield, the program that will replace the Safe Harbor framework that was invalidated by the October 6 decision of the CJEU. On April 13, 2016, the Article 29 Working Party, which advises the EU Commission on data protection matters, published its opinion on the EU Commission’s draft adequacy decision of the Privacy Shield. The Article 29 Working Party raised a number of concerns. The Article 29 Working Party did not, however, reject the proposal, but instead requested that the EU Commission clarify the drafting of the proposal and resolve the outstanding concerns about adequately protecting personal data. On July 12, 2016, the EU Commission formally approved the text and adopted the draft adequacy decision. The U.S. Department of Commerce has accepted applications for self-certification under the new Privacy Shield framework from August 1, 2016. We are reviewing all of the transfer options currently available and working to secure an alternative legal means to support our data transfers. However, as we have not yet put in place an alternative framework, the EU data protection authorities could impose a number of different sanctions on us until we do, including fines and, ultimately, a prohibition on transfers.

In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing practices or the features of our products. We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom we rely in relation to various services, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.

The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Privacy or cyber security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.

Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Our failure to comply with existing laws, rules or regulations, changes to existing laws or their interpretation, or the imposition of new laws, rules or regulations, could have a material and adverse impact on our business, results of operations, and financial condition.

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.

Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.

As of September 30, 2016, we had 10 issued patents and 16 patent applications pending in the United States relating to our products. We cannot assure you that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Rapid7,” “Nexpose” and “Metasploit” names and logos in the United States and certain other countries. We have registrations and/or pending applications for additional marks in the United States and

 

43


Table of Contents

other countries; however, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot assure you that such third parties will maintain such software or continue to make it available.

In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.

From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition.

Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.

Patent and other intellectual property disputes are common in our industry. We are currently involved in a lawsuit brought by a non-practicing entity alleging that we have infringed upon a now-expired patent held by such entity and we may, from time to time, be involved in other such disputes in the ordinary course of our business. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners, whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.

The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.

An adverse outcome of a dispute may require us to:

 

    pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;

 

    cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;

 

    expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;

 

    enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and

 

    indemnify our partners and other third parties.

In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore, our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.

 

44


Table of Contents

Our operating results may be harmed if we are required to collect sales and use or other related taxes for our products and professional services in jurisdictions where we have not historically done so.

Taxing jurisdictions, including state, local and foreign taxing authorities, have differing rules and regulations governing sales and use or other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. While we believe that we are in material compliance with our obligations under applicable taxing regimes, one or more states, localities or countries may seek to impose additional sales or other tax collection obligations on us, including for past sales. It is possible that we could face sales tax audits and that such audits could result in tax-related liabilities for which we have not accrued. A successful assertion that we should be collecting additional sales or other taxes on our offerings in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our offerings or otherwise harm our business and operating results.

In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.

Our intercompany relationships are subject to complex transfer pricing regulations, which may be challenged by taxing authorities.

We generally conduct our international operations through wholly-owned subsidiaries and report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are and will continue to be subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.

Our ability to use net operating losses to offset future taxable income may be subject to certain limitations.

As of December 31, 2015, we had federal and state net operating loss carryforwards, or NOLs, of $99.5 million and $71.2 million, respectively, available to offset future taxable income, which expire in various years beginning in 2023 if not utilized. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code, substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use NOLs if a company experiences a more-than-50-percent ownership change over a three-year testing period. Based upon our analysis as of December 31, 2015, we determined that although a small limitation on our historical NOLs exists, we do not expect this limitation to impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occur in the future, our ability to use our NOLs may be further limited. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. If we are limited in our ability to use our NOLs in future years in which we have taxable income, we will pay more taxes than if we were able to fully utilize our NOLs. This could adversely affect our operating results and the market price of our common stock.

The enactment of legislation implementing changes in the U.S. taxation of international business activities or the adoption of other tax reform policies could materially impact our financial position and results of operations.

Recent changes to U.S. tax laws, including limitations on the ability of taxpayers to claim and utilize foreign tax credits and the deferral of certain tax deductions until earnings outside of the United States are repatriated to the United States, as well as changes to U.S. tax laws that may be enacted in the future, could impact the tax treatment of our foreign earnings. Due to expansion of our international business activities, any changes in the U.S. taxation of such activities may increase our worldwide effective tax rate and adversely affect our financial condition and operating results.

 

45


Table of Contents

Risk Related to our Common Stock

The market price of our common stock has been and is likely to continue to be volatile.

The market price of our common stock may be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways. Since shares of our common stock were sold in our initial public offering, or IPO, in July 2015 at a price of $16.00 per share, our stock price has ranged from an intraday low of $9.05 to an intraday high of $27.45 through October 31, 2016. Factors that may affect the market price of our common stock include:

 

    actual or anticipated fluctuations in our financial condition and operating results;

 

    variance in our financial performance from expectations of securities analysts;

 

    changes in the prices of our products and professional services;

 

    changes in our projected operating and financial results;

 

    changes in laws or regulations applicable to our products or professional services;

 

    announcements by us or our competitors of significant business developments, acquisitions or new offerings;

 

    our involvement in any litigation;

 

    our sale of our common stock or other securities in the future;

 

    changes in senior management or key personnel;

 

    trading volume of our common stock;

 

    changes in the anticipated future size and growth rate of our market; and

 

    general economic, regulatory and market conditions.

Recently, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial costs and divert our management’s attention.

An active public trading market for our common stock may not be sustained.

Prior to the completion of our IPO in July 2015, no public market for our common stock existed. Although our common stock is listed on The NASDAQ Global Market, we cannot assure you that an active public trading market for our common stock will continue to develop or be sustained. If an active market for our common stock does not continue to develop or is not sustained, it may be difficult for investors in our common stock to sell shares without depressing the market price for the shares or to sell the shares at all. An inactive market may also impair our ability to raise capital to continue to fund operations by selling shares and may impair our ability to acquire other companies or technologies by using our shares as consideration.

If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.

The trading market for our common stock will depend, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.

We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

 

46


Table of Contents

Concentration of ownership among our existing directors, executive officers and holders of 10% or more of our outstanding common stock may prevent minority investors from influencing significant corporate decisions.

As of October 31, 2016, our directors, executive officers and holders of more than 10% of our common stock, some of whom are represented on our board of directors, together with their affiliates, beneficially owned 52% of the voting power of our outstanding capital stock. As a result, these stockholders will be able to determine the outcome of matters submitted to our stockholders for approval. This concentration of ownership by itself may have the effect of delaying, deferring or preventing a change in control of the company, impeding a merger, consolidation, takeover or other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control, which in turn, could materially and adversely affect the market price of our common stock.

We may invest or spend the proceeds of our IPO in ways with which you may not agree or in ways which may not yield a return.

We anticipate that the remaining net proceeds from our IPO will be used for working capital and other general corporate purposes. We may also use a portion of the remaining net proceeds to acquire complementary businesses, products or technologies. Our management will have considerable discretion in the application of the net proceeds, and you will not have the opportunity to assess whether the proceeds are being used effectively. The net proceeds may be invested with a view towards long-term benefits for our stockholders and this may not increase our operating results or market value. The failure by our management to apply these funds effectively may adversely affect the return on your investment.

Future sales of our common stock in the public market could cause our share price to decline.

As of October 31, 2016, 42,495,607 shares of our common stock were issued and outstanding. Sales of a substantial number of shares of our common stock in the public market, or the perception that these sales might occur, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. The majority of these shares were acquired prior to our IPO and were subject to lock-up agreements prohibiting holders of these shares from selling any of their shares for a period of 180 days following our IPO. These lock-up agreements have expired and, as a result, a substantial number of our shares are now generally freely tradable, subject, in the case of sales by our affiliates, to the volume limitations and other provisions of Rule 144 under the Securities Act. If holders of these shares sell, or indicate an intent to sell, substantial amounts of our common stock in the public market, the trading price of our common stock could decline significantly.

Additionally, certain holders of our common stock have the right, subject to various conditions and limitations, to request we include their shares of our common stock in registration statements we may file relating to our securities. If the offer and sale of these shares are registered, they will be freely tradable without restriction under the Securities Act. Shares of common stock sold under such registration statements can be freely sold in the public market. In the event such registration rights are exercised and a large number of shares of common stock are sold in the public market, such sales could reduce the trading price of our common stock.

We have filed registration statements on Form S-8 under the Securities Act to register the total number of shares of our common stock that may be issued under our equity incentive plans. In addition, in the future, we may issue common stock or other securities if we need to raise additional capital. The number of new shares of our common stock issued in connection with raising additional capital could constitute a material portion of our then-outstanding shares of our common stock.

We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our common stock less attractive to investors.

We are an “emerging growth company,” as defined in the JOBS Act. For as long as we qualify as an emerging growth company, we intend to take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not “emerging growth companies” including, but not limited to, the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements, and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We cannot predict if investors will find our common stock less attractive because we will rely on these exemptions and provide reduced disclosure. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile.

We have and will continue to incur increased costs as a result of being a public company.

As a newly public company, and particularly after we are no longer an “emerging growth company,” we have incurred and we will continue to incur significant legal, accounting and other expenses that we did not incur as a private company. The Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of the NASDAQ Stock Market and other applicable securities rules and regulations impose various requirements on public companies. We expect that compliance with these requirements will continue to increase certain of our expenses and make some activities more time-consuming than they have been in the past when we were a private company. Such additional costs going forward could negatively affect our financial results.

 

47


Table of Contents

We are obligated to develop and maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.

We are required, pursuant to Section 404 of the Sarbanes-Oxley Act, or Section 404, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting for the first fiscal year beginning after the effective date of our IPO. This assessment will need to include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. Our independent registered public accounting firm will not be required to attest to the effectiveness of our internal control over financial reporting until our first annual report required to be filed with the SEC following the date we no longer qualify as an “emerging growth company,” as defined in the JOBS Act. We will be required to disclose significant changes made in our internal control procedures on a quarterly basis.

We have commenced the costly and challenging process of compiling the system and processing documentation necessary to perform the evaluation needed to comply with Section 404, and we may not be able to complete our evaluation, testing and any required remediation in a timely fashion. Our compliance with Section 404 will require that we incur substantial accounting expense and expend significant management efforts. We currently do not have an internal audit group, and we will need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404.

During the evaluation and testing process of our internal controls, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective. We cannot assure you that there will not be material weaknesses or significant deficiencies in our internal control over financial reporting in the future. Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines we have a material weakness or significant deficiency in our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by the NASDAQ Stock Market, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us more difficult, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.

Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change in control or changes in our management. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:

 

    authorize our board of directors to issue preferred stock without further stockholder action and with voting liquidation, dividend and other rights superior to our common stock;

 

    require that any action to be taken by our stockholders be effected at a duly called annual or special meeting and not by written consent, and limit the ability of our stockholders to call special meetings;

 

    establish an advance notice procedure for stockholder proposals to be brought before an annual meeting, including proposed nominations of persons for director nominees;

 

    establish that our board of directors is divided into three classes, with directors in each class serving three-year staggered terms;

 

    require the approval of holders of two-thirds of the shares entitled to vote at an election of directors to adopt, amend or repeal our amended and restated bylaws or amend or repeal the provisions of our amended and restated certificate of incorporation regarding the election and removal of directors and the ability of stockholders to take action by written consent or call a special meeting;

 

    prohibit cumulative voting in the election of directors; and

 

    provide that vacancies on our board of directors may be filled only by a majority of directors then in office, even though less than a quorum.

These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, who are responsible for appointing the members of our

 

48


Table of Contents

management. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became an “interested” stockholder. Any of the foregoing provisions could limit could limit the opportunity for our stockholders to receive a premium for their shares of our common stock, and could also affect the price that some investors are willing to pay for our common stock.

Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

Pursuant to our amended and restated certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provision. The forum selection clause in our amended and restated certificate of incorporation may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

 

Item 2. Unregistered Sales of Equity Securities and Use of Proceeds.

(a) Recent Sales of Unregistered Equity Securities

None.

(b) Use of Proceeds from Initial Public Offering of Common Stock

Our initial public offering of common stock was effected through the filing of a Registration Statement on Form S-1 (File No. 333-204874), which was declared or became effective on July 16, 2015. There has been no material change in the use of proceeds from our initial public offering as described in our final prospectus filed with the SEC pursuant to Rule 424(b) and other periodic reports previously filed with the SEC.

 

Item 3. Defaults Upon Senior Securities.

Not applicable.

 

Item 4. Mine Safety Disclosures.

Not applicable.

 

Item 5. Other Information.

None.

 

Item 6. Exhibits.

 

Exhibit

Number

 

Description

    3.1(1)   Amended and Restated Certificate of Incorporation of Rapid7, Inc.
    3.2(2)   Amended and Restated Bylaws of Rapid7, Inc.
  10.1(3)+   Transition and Release Agreement, dated as of August 5, 2016, by and between Rapid7, Inc. and Steven Gatoff
  31.1   Certification of Principal Executive Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002.
  31.2   Certification of Principal Financial Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002.

 

49


Table of Contents

Exhibit

Number

  

Description

  32.1*    Certification of Principal Executive Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002.
  32.2*    Certification of Principal Financial Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002.
101.INS    XBRL Instance Document
101.SCH    XBRL Taxonomy Extension Schema Document
101.CAL    XBRL Taxonomy Extension Calculation Linkbase Document
101.DEF    XBRL Taxonomy Extension Definition Linkbase Document
101.LAB    XBRL Taxonomy Extension Label Linkbase Document
101.PRE    XBRL Taxonomy Extension Presentation Linkbase Document

 

(1)  Previously filed as Exhibit 3.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on July 22, 2015, and incorporated herein by reference.
(2)  Previously filed as Exhibit 3.2 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on July 22, 2015, and incorporated herein by reference.
(3)  Previously filed as Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on August 8, 2016, and incorporated herein by reference.
* This certification is deemed not filed for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liability of that section, nor shall it be deemed incorporated by reference into any filing under the Securities Act of 1933, as amended, or the Securities Exchange Act of 1934, as amended.
+ Indicates management contract or compensatory plan.

 

50


Table of Contents

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned thereunto duly authorized.

 

    RAPID7, INC.
Date: November 10, 2016     By:  

/s/ Corey E. Thomas

      Name:  Corey E. Thomas
     

Title:    President and Chief Executive Officer

      (Principal Executive Officer)
Date: November 10, 2016     By:  

/s/ Steven Gatoff

      Name:  Steven Gatoff
     

Title:    Chief Financial Officer

      (Principal Financial Officer)

 

51


Table of Contents

Exhibit Index

 

Exhibit

Number

 

Description

    3.1(1)   Amended and Restated Certificate of Incorporation of Rapid7, Inc.
    3.2(2)   Amended and Restated Bylaws of Rapid7, Inc.
  10.1(3)+   Transition and Release Agreement, dated as of August 5, 2016, by and between Rapid7, Inc. and Steven Gatoff
  31.1   Certification of Principal Executive Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002.
  31.2   Certification of Principal Financial Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002.
  32.1*   Certification of Principal Executive Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002.
  32.2*   Certification of Principal Financial Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002.
101.INS   XBRL Instance Document
101.SCH   XBRL Taxonomy Extension Schema Document
101.CAL   XBRL Taxonomy Extension Calculation Linkbase Document
101.DEF   XBRL Taxonomy Extension Definition Linkbase Document
101.LAB   XBRL Taxonomy Extension Label Linkbase Document
101.PRE   XBRL Taxonomy Extension Presentation Linkbase Document

 

(1)  Previously filed as Exhibit 3.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on July 22, 2015, and incorporated herein by reference.
(2)  Previously filed as Exhibit 3.2 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on July 22, 2015, and incorporated herein by reference.
(3)  Previously filed as Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on August 8, 2016, and incorporated herein by reference.
* This certification is deemed not filed for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liability of that section, nor shall it be deemed incorporated by reference into any filing under the Securities Act of 1933, as amended, or the Securities Exchange Act of 1934, as amended.
+ Indicates management contract or compensatory plan.

 

52

EX-31.1

Exhibit 31.1

CERTIFICATION OF PRINCIPAL EXECUTIVE OFFICER

PURSUANT TO SECTION 302 OF THE SARBANES-OXLEY ACT OF 2002

I, Corey E. Thomas, certify that:

 

1. I have reviewed this Quarterly Report on Form 10-Q of Rapid7, Inc.;

 

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

 

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

 

4. The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) for the registrant and have:

 

  (a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

 

  (b) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

 

  (c) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

 

5. The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):

 

  (a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and

 

  (b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.

 

Date: November 10, 2016     By:  

/s/ Corey E. Thomas

      Name:  Corey E. Thomas
      Title:    President and Chief Executive Officer
EX-31.2

Exhibit 31.2

CERTIFICATION OF PRINCIPAL FINANCIAL OFFICER

PURSUANT TO SECTION 302 OF THE SARBANES-OXLEY ACT OF 2002

I, Steven Gatoff, certify that:

 

1. I have reviewed this Quarterly Report on Form 10-Q of Rapid7, Inc.;

 

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

 

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

 

4. The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) for the registrant and have:

 

  (a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

 

  (b) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

 

  (c) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

 

5. The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):

 

  (a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and

 

  (b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.

 

Date: November 10, 2016     By:  

/s/ Steven Gatoff

      Name:  Steven Gatoff
      Title:    Chief Financial Officer
EX-32.1

Exhibit 32.1

CERTIFICATION PURSUANT TO

18 U.S.C. SECTION 1350, AS ADOPTED PURSUANT TO

SECTION 906 OF THE SARBANES-OXLEY ACT OF 2002

I, Corey E. Thomas, Chief Executive Officer of Rapid7, Inc., do hereby certify, pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, that to the best of my knowledge, the Quarterly Report on Form 10-Q of Rapid7, Inc. for the quarter ended September 30, 2016 (the “Report”):

 

  (1) fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934; and

 

  (2) the information contained in the Report fairly presents, in all material respects, the financial condition and result of operations of Rapid7, Inc. for the period presented herein.

 

Date: November 10, 2016     By:  

/s/ Corey E. Thomas

      Name:  Corey E. Thomas
      Title:    President and Chief Executive Officer
EX-32.2

Exhibit 32.2

CERTIFICATION PURSUANT TO

18 U.S.C. SECTION 1350, AS ADOPTED PURSUANT TO

SECTION 906 OF THE SARBANES-OXLEY ACT OF 2002

I, Steven Gatoff, Chief Financial Officer of Rapid7, Inc., do hereby certify, pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, that to the best of my knowledge, the Quarterly Report on Form 10-Q of Rapid7, Inc. for the quarter ended September 30, 2016 (the “Report”):

 

  (1) fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934; and

 

  (2) the information contained in the Report fairly presents, in all material respects, the financial condition and result of operations of Rapid7, Inc. for the period presented herein.

 

Date: November 10, 2016     By:  

/s/ Steven Gatoff

      Name:  Steven Gatoff
      Title:    Chief Financial Officer