2019FY0001560327FALSE--12-31111111120.02404600015603272019-01-012019-12-31iso4217:USD00015603272019-06-28xbrli:shares00015603272020-02-2100015603272019-12-3100015603272018-12-31iso4217:USDxbrli:shares0001560327us-gaap:ProductMember2019-01-012019-12-310001560327us-gaap:ProductMember2018-01-012018-12-310001560327us-gaap:ProductMember2017-01-012017-12-310001560327us-gaap:MaintenanceMember2019-01-012019-12-310001560327us-gaap:MaintenanceMember2018-01-012018-12-310001560327us-gaap:MaintenanceMember2017-01-012017-12-310001560327rp:ProfessionalServicesMember2019-01-012019-12-310001560327rp:ProfessionalServicesMember2018-01-012018-12-310001560327rp:ProfessionalServicesMember2017-01-012017-12-3100015603272018-01-012018-12-3100015603272017-01-012017-12-310001560327us-gaap:CommonStockMember2016-12-310001560327us-gaap:TreasuryStockMember2016-12-310001560327us-gaap:AdditionalPaidInCapitalMember2016-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2016-12-310001560327us-gaap:RetainedEarningsMember2016-12-3100015603272016-12-310001560327us-gaap:AdditionalPaidInCapitalMember2017-01-012017-12-310001560327us-gaap:AdditionalPaidInCapitalMember2017-01-010001560327us-gaap:RetainedEarningsMember2017-01-0100015603272017-01-010001560327us-gaap:CommonStockMember2017-01-012017-12-310001560327us-gaap:TreasuryStockMember2017-01-012017-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2017-01-012017-12-310001560327us-gaap:RetainedEarningsMember2017-01-012017-12-310001560327us-gaap:CommonStockMember2017-12-310001560327us-gaap:TreasuryStockMember2017-12-310001560327us-gaap:AdditionalPaidInCapitalMember2017-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2017-12-310001560327us-gaap:RetainedEarningsMember2017-12-3100015603272017-12-310001560327us-gaap:AdditionalPaidInCapitalMember2018-01-012018-12-310001560327us-gaap:RetainedEarningsMember2018-01-0100015603272018-01-010001560327us-gaap:CommonStockMember2018-01-012018-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-01-012018-12-310001560327us-gaap:RetainedEarningsMember2018-01-012018-12-310001560327us-gaap:CommonStockMember2018-12-310001560327us-gaap:TreasuryStockMember2018-12-310001560327us-gaap:AdditionalPaidInCapitalMember2018-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-12-310001560327us-gaap:RetainedEarningsMember2018-12-310001560327us-gaap:AdditionalPaidInCapitalMember2019-01-012019-12-310001560327us-gaap:CommonStockMember2019-01-012019-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-01-012019-12-310001560327us-gaap:RetainedEarningsMember2019-01-012019-12-310001560327us-gaap:CommonStockMember2019-12-310001560327us-gaap:TreasuryStockMember2019-12-310001560327us-gaap:AdditionalPaidInCapitalMember2019-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-12-310001560327us-gaap:RetainedEarningsMember2019-12-310001560327us-gaap:AccountingStandardsUpdate201409Member2018-01-010001560327us-gaap:AccountingStandardsUpdate201409Member2018-01-012018-12-310001560327rp:TermAndPerpetualLicenseMemberus-gaap:DifferenceBetweenRevenueGuidanceInEffectBeforeAndAfterTopic606Member2019-01-012019-12-310001560327us-gaap:MoneyMarketFundsMember2019-12-310001560327us-gaap:MoneyMarketFundsMember2018-12-310001560327rp:NewCustomerUpSellOrCrossSellMember2019-12-310001560327rp:ProfessionalServicesArrangementsMember2019-12-310001560327us-gaap:ComputerEquipmentMember2019-01-012019-12-310001560327us-gaap:FurnitureAndFixturesMembersrt:MinimumMember2019-01-012019-12-310001560327us-gaap:FurnitureAndFixturesMembersrt:MaximumMember2019-01-012019-12-310001560327us-gaap:NonoperatingIncomeExpenseMember2019-01-012019-12-310001560327us-gaap:NonoperatingIncomeExpenseMember2018-01-012018-12-310001560327us-gaap:NonoperatingIncomeExpenseMember2017-01-012017-12-310001560327us-gaap:SellingAndMarketingExpenseMember2019-01-012019-12-310001560327us-gaap:SellingAndMarketingExpenseMember2018-01-012018-12-310001560327us-gaap:SellingAndMarketingExpenseMember2017-01-012017-12-310001560327us-gaap:AccountingStandardsUpdate201602Member2019-01-010001560327rp:SubscriptionRevenueMember2019-01-012019-12-310001560327rp:SubscriptionRevenueMember2018-01-012018-12-310001560327rp:TermAndPerpetualLicenseMember2019-01-012019-12-310001560327rp:TermAndPerpetualLicenseMember2018-01-012018-12-310001560327rp:MaintenanceandSupportMember2019-01-012019-12-310001560327rp:MaintenanceandSupportMember2018-01-012018-12-310001560327rp:TimingOfTransferOfGoodOrServiceOtherMember2019-01-012019-12-310001560327rp:TimingOfTransferOfGoodOrServiceOtherMember2018-01-012018-12-310001560327country:US2019-01-012019-12-310001560327country:US2018-01-012018-12-310001560327us-gaap:NonUsMember2019-01-012019-12-310001560327us-gaap:NonUsMember2018-01-012018-12-310001560327rp:SubscriptionRevenueMember2020-01-012019-12-3100015603272021-01-01rp:SubscriptionRevenueMember2019-12-310001560327rp:SubscriptionRevenueMember2022-01-012019-12-310001560327rp:TermAndPerpetualLicenseMember2020-01-012019-12-3100015603272021-01-01rp:TermAndPerpetualLicenseMember2019-12-310001560327rp:TermAndPerpetualLicenseMember2022-01-012019-12-310001560327rp:MaintenanceandSupportMember2020-01-012019-12-3100015603272021-01-01rp:MaintenanceandSupportMember2019-12-3100015603272022-01-01rp:MaintenanceandSupportMember2019-12-310001560327rp:ProfessionalServicesMember2020-01-012019-12-310001560327rp:NetFortTechnologiesLimitedMember2019-04-012019-04-010001560327rp:NetFortTechnologiesLimitedMember2019-04-010001560327us-gaap:DevelopedTechnologyRightsMemberrp:NetFortTechnologiesLimitedMember2019-04-012019-04-01rp:reporting_unit0001560327us-gaap:RestrictedStockUnitsRSUMemberrp:NetFortTechnologiesLimitedMember2019-04-012019-04-010001560327rp:TCell.ioInc.Member2018-10-152018-10-150001560327rp:TCell.ioInc.Member2018-10-15xbrli:pure0001560327rp:KomandInc.Member2017-07-120001560327rp:KomandInc.Member2017-07-122017-07-120001560327us-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2019-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2019-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2019-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2019-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2019-12-310001560327us-gaap:FairValueMeasurementsRecurringMember2019-12-310001560327us-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2018-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2018-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2018-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2018-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:USTreasurySecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2018-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:AssetBackedSecuritiesMember2018-12-310001560327us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2018-12-310001560327us-gaap:FairValueMeasurementsRecurringMember2018-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesDue2023Member2019-12-310001560327us-gaap:USGovernmentAgenciesDebtSecuritiesMember2019-12-310001560327us-gaap:CorporateDebtSecuritiesMember2019-12-310001560327us-gaap:CommercialPaperMember2019-12-310001560327us-gaap:USTreasurySecuritiesMember2019-12-310001560327us-gaap:AssetBackedSecuritiesMember2019-12-310001560327us-gaap:USGovernmentAgenciesDebtSecuritiesMember2018-12-310001560327us-gaap:CommercialPaperMember2018-12-310001560327us-gaap:CorporateDebtSecuritiesMember2018-12-310001560327us-gaap:USTreasurySecuritiesMember2018-12-310001560327us-gaap:AssetBackedSecuritiesMember2018-12-310001560327srt:MinimumMember2019-01-012019-12-310001560327srt:MinimumMember2018-01-012018-12-310001560327srt:MaximumMember2018-01-012018-12-310001560327srt:MaximumMember2019-01-012019-12-310001560327us-gaap:AvailableforsaleSecuritiesMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2018-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2018-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2017-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2019-01-012019-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2018-01-012018-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2019-12-310001560327us-gaap:ComputerEquipmentMember2019-12-310001560327us-gaap:ComputerEquipmentMember2018-12-310001560327us-gaap:FurnitureAndFixturesMember2019-12-310001560327us-gaap:FurnitureAndFixturesMember2018-12-310001560327us-gaap:LeaseholdImprovementsMember2019-12-310001560327us-gaap:LeaseholdImprovementsMember2018-12-310001560327us-gaap:LeaseholdImprovementsMember2019-01-012019-12-310001560327us-gaap:FurnitureAndFixturesMember2019-01-012019-12-310001560327rp:TCell.ioInc.Member2018-01-012018-12-310001560327rp:NetFortTechnologiesLimitedMember2019-01-012019-12-310001560327rp:DevelopedTechnologyMember2019-01-012019-12-310001560327rp:DevelopedTechnologyMember2019-12-310001560327rp:DevelopedTechnologyMember2018-12-310001560327us-gaap:CustomerRelationshipsMember2019-01-012019-12-310001560327us-gaap:CustomerRelationshipsMember2019-12-310001560327us-gaap:CustomerRelationshipsMember2018-12-310001560327us-gaap:TradeNamesMember2019-01-012019-12-310001560327us-gaap:TradeNamesMember2019-12-310001560327us-gaap:TradeNamesMember2018-12-310001560327us-gaap:NoncompeteAgreementsMember2019-01-012019-12-310001560327us-gaap:NoncompeteAgreementsMember2019-12-310001560327us-gaap:NoncompeteAgreementsMember2018-12-310001560327us-gaap:ComputerSoftwareIntangibleAssetMember2019-12-310001560327us-gaap:ComputerSoftwareIntangibleAssetMember2018-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesDue2023Member2018-08-310001560327rp:TheNotesOverallotmentOptionMemberus-gaap:ConvertibleDebtMember2018-08-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMember2018-08-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMember2018-08-012018-08-31rp:day0001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMemberrp:DebtCovenantOneMember2018-08-012018-08-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMemberrp:DebtCovenantTwoMember2018-08-012018-08-310001560327rp:DebtCovenantThreeMemberus-gaap:ConvertibleDebtMemberrp:TheNotesMember2019-10-012019-12-310001560327rp:DebtCovenantThreeMemberus-gaap:ConvertibleDebtMemberrp:TheNotesMember2018-08-012018-08-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMember2019-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMember2018-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMember2019-01-012019-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesMember2018-01-012018-12-310001560327us-gaap:CallOptionMember2018-08-012018-08-310001560327us-gaap:CallOptionMember2019-01-012019-12-3100015603272018-08-012018-08-310001560327srt:MaximumMember2019-12-31utr:sqft0001560327rp:HeadquartersMember2017-11-300001560327rp:HeadquartersMember2019-05-010001560327rp:HeadquarterExpansionMember2019-07-310001560327rp:BelfastNorthernIrelandPropertyMember2019-10-3100015603272018-01-302018-01-300001560327us-gaap:ParentMember2018-01-302018-01-300001560327rp:ExistingStockholdersMember2018-01-302018-01-300001560327us-gaap:IPOMember2018-01-300001560327us-gaap:IPOMember2018-01-302018-01-300001560327rp:TwoThousandAndFifteenPlanMember2015-07-310001560327rp:TwoThousandAndFifteenPlanMember2015-07-012015-07-310001560327rp:TwoThousandAndFifteenPlanMember2015-10-082015-10-080001560327rp:TwoThousandAndFifteenPlanMember2019-02-012019-02-280001560327rp:TwoThousandAndFifteenPlanMember2018-03-012018-03-310001560327rp:TwoThousandAndFifteenPlanMember2017-03-012017-03-310001560327rp:TwoThousandAndFifteenPlanMember2019-12-310001560327rp:CostOfRevenueMember2019-01-012019-12-310001560327rp:CostOfRevenueMember2018-01-012018-12-310001560327rp:CostOfRevenueMember2017-01-012017-12-310001560327us-gaap:ResearchAndDevelopmentExpenseMember2019-01-012019-12-310001560327us-gaap:ResearchAndDevelopmentExpenseMember2018-01-012018-12-310001560327us-gaap:ResearchAndDevelopmentExpenseMember2017-01-012017-12-310001560327us-gaap:GeneralAndAdministrativeExpenseMember2019-01-012019-12-310001560327us-gaap:GeneralAndAdministrativeExpenseMember2018-01-012018-12-310001560327us-gaap:GeneralAndAdministrativeExpenseMember2017-01-012017-12-310001560327us-gaap:RestrictedStockMember2016-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2016-12-310001560327us-gaap:RestrictedStockMember2017-01-012017-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2017-01-012017-12-310001560327us-gaap:RestrictedStockMember2017-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2017-12-310001560327us-gaap:RestrictedStockMember2018-01-012018-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2018-01-012018-12-310001560327us-gaap:RestrictedStockMember2018-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2018-12-310001560327us-gaap:RestrictedStockMember2019-01-012019-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2019-01-012019-12-310001560327us-gaap:RestrictedStockMember2019-12-310001560327us-gaap:RestrictedStockUnitsRSUMember2019-12-310001560327rp:RestrictedStockAndRestrictedStockUnitsMember2019-12-310001560327rp:RestrictedStockAndRestrictedStockUnitsMember2019-01-012019-12-310001560327us-gaap:EmployeeStockOptionMember2019-12-310001560327us-gaap:EmployeeStockOptionMember2019-01-012019-12-310001560327us-gaap:EmployeeStockOptionMember2018-01-012018-12-310001560327us-gaap:EmployeeStockOptionMember2017-01-012017-12-310001560327us-gaap:EmployeeStockOptionMembersrt:MinimumMember2017-01-012017-12-310001560327us-gaap:EmployeeStockOptionMembersrt:MaximumMember2017-01-012017-12-310001560327us-gaap:EmployeeStockOptionMembersrt:MinimumMember2018-01-012018-12-310001560327us-gaap:EmployeeStockOptionMembersrt:MaximumMember2018-01-012018-12-310001560327rp:EmployeeStockPurchasePlanMember2015-07-170001560327rp:EmployeeStockPurchasePlanMember2019-02-012019-02-280001560327rp:EmployeeStockPurchasePlanMember2018-03-012018-03-310001560327rp:EmployeeStockPurchasePlanMember2017-03-012017-03-310001560327rp:EmployeeStockPurchasePlanMember2019-12-310001560327rp:EmployeeStockPurchasePlanMembersrt:MaximumMember2019-01-012019-12-310001560327rp:EmployeeStockPurchasePlanMembersrt:MinimumMember2019-01-012019-12-310001560327rp:EmployeeStockPurchasePlanMembersrt:MinimumMember2018-01-012018-12-310001560327rp:EmployeeStockPurchasePlanMembersrt:MaximumMember2018-01-012018-12-310001560327rp:EmployeeStockPurchasePlanMembersrt:MinimumMember2017-01-012017-12-310001560327rp:EmployeeStockPurchasePlanMembersrt:MaximumMember2017-01-012017-12-310001560327rp:EmployeeStockPurchasePlanMember2019-01-012019-12-310001560327rp:EmployeeStockPurchasePlanMember2018-01-012018-12-310001560327rp:EmployeeStockPurchasePlanMember2017-01-012017-12-310001560327rp:EmployeeStockPurchasePlanMember2017-03-152017-03-150001560327rp:EmployeeStockPurchasePlanMember2016-03-160001560327rp:EmployeeStockPurchasePlanMember2017-03-150001560327rp:EmployeeStockPurchasePlanMember2017-09-152017-09-150001560327rp:EmployeeStockPurchasePlanMember2017-03-160001560327rp:EmployeeStockPurchasePlanMember2018-03-152018-03-150001560327rp:EmployeeStockPurchasePlanMember2017-09-180001560327rp:EmployeeStockPurchasePlanMember2018-09-142018-09-140001560327rp:EmployeeStockPurchasePlanMember2018-03-160001560327rp:EmployeeStockPurchasePlanMember2019-03-152019-03-150001560327rp:EmployeeStockPurchasePlanMember2018-09-170001560327rp:EmployeeStockPurchasePlanMember2019-09-132019-09-130001560327rp:EmployeeStockPurchasePlanMember2019-09-130001560327rp:DeferredTaxAssetsOperatingLossCarryforwardsMember2019-01-012019-12-310001560327us-gaap:DomesticCountryMember2019-12-310001560327us-gaap:StateAndLocalJurisdictionMember2019-12-310001560327us-gaap:ForeignCountryMember2019-12-310001560327us-gaap:ConvertibleDebtSecuritiesMember2019-01-012019-12-310001560327rp:TheNotesMember2019-01-012019-12-310001560327rp:UnvestedRestrictedStockMember2019-01-012019-12-310001560327rp:UnvestedRestrictedStockMember2018-01-012018-12-310001560327rp:UnvestedRestrictedStockMember2017-01-012017-12-310001560327rp:UnvestedRestrictedStockUnitsMember2019-01-012019-12-310001560327rp:UnvestedRestrictedStockUnitsMember2018-01-012018-12-310001560327rp:UnvestedRestrictedStockUnitsMember2017-01-012017-12-310001560327rp:EmployeeStockPurchasePlanMember2019-01-012019-12-310001560327rp:EmployeeStockPurchasePlanMember2018-01-012018-12-310001560327rp:EmployeeStockPurchasePlanMember2017-01-012017-12-310001560327rp:ConvertibleDebtSecuritiesSharesUnderlyingConversionSpreadMember2019-01-012019-12-310001560327rp:ConvertibleDebtSecuritiesSharesUnderlyingConversionSpreadMember2018-01-012018-12-310001560327rp:ConvertibleDebtSecuritiesSharesUnderlyingConversionSpreadMember2017-01-012017-12-310001560327us-gaap:SubsequentEventMembersrt:ScenarioForecastMember2021-01-012021-12-310001560327us-gaap:SubsequentEventMembersrt:ScenarioForecastMember2022-01-012022-12-310001560327us-gaap:SubsequentEventMembersrt:ScenarioForecastMember2023-01-012023-12-310001560327us-gaap:SubsequentEventMembersrt:ScenarioForecastMember2021-01-012023-12-310001560327us-gaap:LetterOfCreditMember2019-12-31rp:patent00015603272018-10-012018-10-31rp:Segment0001560327country:US2017-01-012017-12-310001560327rp:OtherCountryMember2019-01-012019-12-310001560327rp:OtherCountryMember2018-01-012018-12-310001560327rp:OtherCountryMember2017-01-012017-12-310001560327country:US2019-12-310001560327country:US2018-12-310001560327rp:OtherCountryMember2019-12-310001560327rp:OtherCountryMember2018-12-31
Table of Contents

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
____________________________________________________
FORM 10-K
____________________________________________________
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2019
OR

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
FOR THE TRANSITION PERIOD FROM                      TO

Commission File Number 001-37496
____________________________________________________
RAPID7, INC.
(Exact name of registrant as specified in its charter)
____________________________________________________
Delaware35-2423994
(State or other jurisdiction of
incorporation or organization)
(I.R.S. Employer
Identification No.)
120 Causeway Street
Boston, MA
02114
(Address of principal executive offices)(Zip Code)
Registrant’s telephone number, including area code: (617247-1717
____________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading Symbol(s)Name of each exchange on which registered
Common Stock, par value $0.01 per shareRPDThe Nasdaq Global Market
Securities registered pursuant to Section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes  No 
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. Yes  No 
Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes  No 
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). Yes  No 
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a smaller reporting company. See the definition of “large accelerated filer”, “accelerated filer”, and “smaller reporting company” in Rule 12b-2 of the Exchange Act. (Check one):
Large Accelerated Filer  Accelerated Filer 
Non-accelerated Filer
  
  Small Reporting Company 
Emerging Growth Company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes  No 
As of June 28, 2019, the aggregate market value of the registrant’s voting common stock held by non-affiliates of the registrant, based on a closing price of $57.84 per share of the registrant’s common stock as reported on The Nasdaq Global Market on June 28, 2019, was approximately $2,782,078,550. For purposes of this computation, all officers, directors and 10% beneficial owners of the registrant are deemed to be affiliates. Such determination should not be deemed to be an admission that such officers, directors or 10% beneficial owners are, in fact, affiliates of the registrant. The number of shares of registrant’s common stock outstanding as of February 21, 2020 was 50,209,617.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant’s definitive Proxy Statement for its 2020 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission pursuant to Regulation 14A not later than 120 days after the end of the fiscal year covered by this Annual Report on Form 10-K are incorporated by reference in Part III, Items 10-14 of this Annual Report on Form 10-K.



Table of Contents
Table of Contents
Page
PART I
Item 1.
Item 1A.
Item 1B.
Item 2.
Item 3.
Item 4.
PART II
Item 5.
Item 6.
Item 7.
Item 7A.
Item 8.
Item 9.
Item 9A.
Item 9B.
PART III
Item 10.
Item 11.
Item 12.
Item 13.
Item 14.
PART IV
Item 15.
Item 16.


i

Table of Contents
PART I
Special Note Regarding Forward-Looking Statements
This Annual Report on Form 10-K, including the sections entitled “Business,” “Risk Factors,” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” contains forward-looking statements that involve risks and uncertainties, as well as assumptions that, if they never materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Statements that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. Forward-looking statements are often identified by the use of words such as, but not limited to, “anticipate,” “believe,” “can,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “seek,” “should,” “target,” “will,” “would” and similar expressions or variations intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning the following:
• our ability to continue to add new customers, maintain existing customers and sell new products and professional services to new and existing customers;
• the effects of increased competition as well as innovations by new and existing competitors in our market;
• our ability to adapt to technological change and effectively enhance, innovate and scale our solutions;
• our ability to effectively manage or sustain our growth and to attain and sustain profitability;
• our ability to diversify our sources of revenue;
• potential acquisitions and integration of complementary business and technologies;
• our expected use of proceeds;
• our ability to maintain, or strengthen awareness of, our brand;
• perceived or actual security, integrity, reliability, quality or compatibility problems with our solutions, including related to security breaches in our customers; systems, unscheduled downtime or outages;
• statements regarding future revenue, hiring plans, expenses, capital expenditures, capital requirements and stock performance;
• our ability to meet publicly announced guidance or other expectations about our business, key metrics and future operating results;
• our ability to maintain an adequate annualized recurring revenue growth;
• our ability to attract and retain qualified employees and key personnel and further expand our overall headcount;
• our ability to grow, both domestically and internationally;
• our ability to stay abreast of new or modified laws and regulations that currently apply or become applicable to our business both in the United States and internationally including laws and regulations related to export compliance;
• our ability to maintain, protect and enhance our intellectual property;
• costs associated with defending intellectual property infringement and other claims; and
• the future trading prices of our common stock and the impact of securities analysts’ reports on these prices.
These statements represent the beliefs and assumptions of our management based on information currently available to us. Such forward-looking statements are subject to risks, uncertainties and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified below, and those discussed in the section titled “Risk Factors” included under Part I, Item 1A. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances that occur after the date of this report.
As used in this report, the terms “Rapid7,” the “company,” “we,” us," and our" mean Rapid7, Inc. and its subsidiaries unless the context indicates otherwise.


1

Table of Contents
Item 1. Business
Overview
Rapid7 is a leading cyber security solutions provider, on a mission to make successful security tools and practices accessible to all. Rapid7 Insight Platform technology, expert services, and thought-leading research enables over 9,000 customers to improve their security programs so that they can safely advance and innovate.
In the nearly 20 years that Rapid7 has been in business, security companies and trends have come and gone, while broader technology innovation continues to advance rapidly. Every company is now a technology company, and rampant innovation inevitably creates security risk. The migration of businesses to the cloud and ubiquitous connected devices present security teams with an increasingly complex, ever-changing, and unpredictable attack surface.
We believe as cybersecurity challenges continue to rise exponentially, two key factors can prevent organizations from effectively managing their growing security exposure. First, the tools to manage complex security problems are often complicated to use. Second, there is a scarcity of cybersecurity professionals who are qualified to successfully manage these sophisticated tools. These two factors compound the difficulties that resource-constrained organizations face when attempting to minimize their security exposure, meet security compliance regulations and provide visibility to their leadership. The expanding divide between risk created through innovation and risk managed by security teams is called the Security Achievement Gap.
We believe Rapid7 is uniquely positioned to improve how customer security challenges are addressed. Our solutions simplify the complex, allowing teams to more effectively reduce vulnerabilities, monitor malicious behavior, investigate and shut down attacks, and automate routine tasks. All of our solutions and services are built with and supported by the expertise of our dedicated team of security researchers and consultants, who bring knowledge of attacker behavior and emerging vulnerabilities directly to customers. We also continue to invest in further simplifying our technology to improve usability, lowering the barrier to managing security for teams and organizations who lack resources.
While our security technology is the foundation of our mission to make successful security accessible to all, technology alone will not solve today’s cybersecurity challenges. Our ongoing commitment to researching and partnering with the technology community helps to curb new security risks born through innovation. We are also investing in under-served, at risk communities, like non-profits and hospitals, to better understand their needs and make security technology and services accessible. By continuously improving our technology, stemming the creation of risk in the community, and making security more usable and accessible, Rapid7 aims to close the Security Achievement Gap.
As of December 31, 2019, we had more than 9,000 customers that rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organizations. We have experienced strong revenue growth with revenue increasing from $110.5 million in 2015 to $326.9 million in 2019, representing a 44% compound annual growth rate.
In 2019, 2018 and 2017 recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 87%, 81% and 70%, respectively, of total revenue. We incurred net losses of $53.8 million, $55.5 million and $45.5 million in 2019, 2018 and 2017, respectively, as we continued to invest for long-term growth.
Our Solutions
We offer products across the four main pillars of on our Insight Platform:
Vulnerability Risk Management: Our industry-leading Vulnerability Risk Management (VRM) solutions provide clarity into risk across traditional and modern IT environments, and the capabilities and data to influence remediation teams and track progress. With built-in risk prioritization, IT-integrated remediation projects, tracking of goals and service level agreements, and pre-built automation workflows, our solutions are designed to not just enumerate risk, but also accelerate risk mitigation.
Incident Detection and Response: Our Incident Detection and Response (IDR) solutions are designed to enable organizations to rapidly detect and respond to cyber security incidents and breaches across physical, virtual and cloud assets. Equipped with user behavior analytics (UBA), attacker behavior analytics (ABA), end-point detection and response (EDR) and deception technology, our Security Information and Event Management (SIEM) is designed to provide comprehensive network visibility and accelerate threat investigation and response.
2

Table of Contents
Application Security: Our Application Security offerings provide dynamic application security testing and run-time application security monitoring and protection solutions that are designed to continuously analyze web applications for security vulnerabilities throughout a customer’s software development life cycle.
Security Orchestration and Automation Response: Our Security Orchestration and Automation Response (SOAR) solutions allow security teams to connect disparate solutions within their cyber security, IT and development operations and build automated workflows, without requiring code, to eliminate repetitive, manual and labor-intensive tasks, resulting in measurable time and cost savings.
Finally, to complement our products, we offer a range of managed services based on our software solutions and professional services, including incident response services, security advisory services, and deployment and training.
Insight Platform
Our cloud-native Insight Platform is at the core of our product offerings. The platform was built using our extensive experience in collecting and analyzing data to enable our customers to create and manage analytics-driven cyber security risk management programs. By utilizing our powerful, proprietary analytics to assess and understand the context and relationships around users, IT assets and cyber threats within a customer’s environment, our solutions make it easier for teams to manage vulnerabilities, monitor for malicious behavior, investigate and shutdown attacks, and automate operations.
Our Insight Platform provides a high level of scalability. We leverage on-premise deployment models and cloud technologies to achieve a scalable delivery model with a high degree of redundancy, fault tolerance, and cost-effectiveness.
We also designed our Insight Platform to provide a secure environment for our customers data. We deploy a variety of technologies and practices that are designed to help ensure that the data collected from a customer’s environment remains proprietary, secure and operational.
Insight Platform's Features:
Visibility: The Insight Platform allows security professionals to collect data once across their IT environment, enabling Security, IT, and development operations (DevOps) teams to collaborate effectively as they analyze shared data.
Unified Data Collection: We designed the Insight Platform to allow customers to collect their data once and leverage that same data across multiple solutions, providing shared visibility across teams and reducing time to value for additional solutions. Our robust data collection architecture supports gathering a wide swath of operational data from endpoints to the cloud, including key data about assets and user-specific behavior, into a unified, searchable dataset.
Agentless and Agent-Based Architecture: We developed our platform with flexible processing technologies that employ both agentless data collection and our own internally-developed endpoint agent technology, which enables rapid and seamless integration of our products into our customers’ modern IT environments and provides security and IT professionals with instant visibility into their dynamic and rapidly-expanding IT ecosystem. Our lightweight endpoint agents are designed to automatically collect data from all endpoints, even those from remote workers and sensitive assets that cannot be actively scanned, or that rarely join the corporate network.
Endpoint Detection and Visibility: With a universal lightweight agent and endpoint scanning, the Insight Platform provides real-time detection and the ability to proactively remediate IT environments, before a potential attack happens.
Cloud and Virtual Infrastructure Assessment: Modern networks and infrastructures are constantly changing. The Insight Platform integrates with cloud services and virtual infrastructure to help ensure that technology is configured securely and that security professionals know when new devices are brought online.
Attack Surface Monitoring with Project Sonar: As organizations grow and infrastructure becomes more complex, maintaining visibility into attack surface becomes more challenging. Our platform directly integrates with Project Sonar, a Rapid7 research project that regularly scans the public internet, to gain insights into global exposure to common vulnerabilities. This capability also enables security professionals to identify previously unknown, externally facing assets connected to the internet.
Analytics: Increasing IT environment complexity coupled with a severe lack of cyber security professionals is overwhelming security and IT teams, who are struggling to deal with false positives and maintain adequate levels of cyber security. Our Insight Platform addresses these challenges with the following features:
3

Table of Contents
User and Attacker Behavior Analytics: Our Insight Platform incorporates extensive user behavior analytics (UBA) and attacker behavior analytics (ABA) to provide rapid context around users, attackers and assets involved in an incident, enabling organizations to more quickly respond to, contain and mitigate breaches. Our platform incorporates comprehensive UBA to create a behavior profile for each user and correlates every event with a user, asset or application to detect compromised credentials, lateral movement and other malicious behavior.
Risk Prioritization and Management: With built-in risk assessment and risk prioritization, IT-integrated remediation projects, and pre-built automation workflows, the Insight platform provides a granular view of what is relevant and critical today, to help ensure risks can be prioritized and mitigated more effectively.
Threat Detection: Our Insight Platform includes integrated threat feeds, informed by public data as well as proprietary threat intelligence and adversary research, and continuously gathers and combines them with a customer’s IT environment, to show threats that are most relevant to them.
Centralized Log Management: Our cloud-based platform correlates millions of daily events in any IT environment directly to the users and assets behind them to highlight risk across the environment and help prioritize where to search and automate compliance without the requirement of extensive hardware.
Deception Technology: Monitoring solutions that only analyze log files leave traces of the attacker unfound. Through our deep understanding of attacker behavior, our Insight Platform provides not only UBA and endpoint detection, but also easy-to-deploy intruder traps. These include honeypots, honey users, honey credentials, and honey files, all crafted to identify malicious behavior earlier in the attack chain.
Industry Experts: With a highly specialized team of penetration testing, incident response, threat hunting and security operation center experts, we believe we are uniquely positioned to stay ahead of emerging threats and help detect threats quickly across a customer’s entire IT ecosystem.
Automation: Our Insight Platform unites technology stack and allows security operations teams to connect disparate solutions within their cyber security, IT and development operations.
Built-in Workflows: Security tools have not historically been built to work well together, and without deep programming knowledge, building automation between tools was nearly impossible. With our Insight Platform, security professionals can streamline their operations with connect-and-go workflows, without requiring any code, resulting in significant time and cost savings. Examples of these workflows include assisted patching and automated containment.
Highly Customizable: The Insight Platform not only has a wide range of pre-built workflows and integrations, it is also highly extensible. With approximately 300 plugins to connect security tools and easily customizable connect-and-go workflows, the Insight Platform frees up security teams to tackle other challenges, while still leveraging human decision points when it is most critical.
Insight Platform Product Offerings
We offer our Insight Platform solutions as software-as-a-service products, on a subscription basis. Our Insight Platform products are available globally and reduce the need for customers to manage large, complex, data infrastructure. We offer the following cloud products across the four main pillars of Security Operations (SecOps):
InsightVM: Utilizing the power of our Insight Platform, InsightVM is designed to provide a fully available, scalable, and efficient way to collect vulnerability data, prioritize risk and automate remediation.
InsightVM is designed to provide prioritized guidance based on customized threat models; dynamic live dashboards that are easily customizable and queried; lightweight agents for continuous visibility; integration with cloud services, virtual infrastructure and container repositories such as dockers; in-product integration with solutions such as ServiceNow, IBM Bigfix, Microsoft SCCM and Jira ticketing systems; and remediation workflow for assigning and tracking remediation progress within the product. Embedded workflows also allow Security and IT teams to automatically deploy compensating controls for vulnerabilities that cannot be patched.
InsightVM is offered through a cloud-based subscription or as a managed service. The managed service is known as Managed Vulnerability Risk Management, which provides our resource constrained customers with a fully outsourced option for leveraging our innovation, expertise and technology.
4

Table of Contents
InsightIDR: InsightIDR, our Incident Detection and Response (IDR) solution, is designed to enable organizations to rapidly detect and respond to cyber security incidents and breaches across physical, virtual and cloud assets.
InsightIDR unifies SIEM, UBA, and endpoint detection to detect stealthy attacks across today’s complex networks. It analyzes the billions of events that occur daily in organizations to reduce them to the important behaviors and deliver high-fidelity and prioritized alerts. In addition to identifying stealthy attacks often missed by other solutions, InsightIDR focuses the security team on issues that warrant investigation and reduces the time to investigate with its user correlation, powerful search and endpoint interrogation capabilities.
InsightIDR is designed to provide a cost-effective response to the need for SIEM. With our Metasploit community, research and incident response services, we are continually studying and identifying the latest attacker methods. We have found ways to increase accuracy, speed processes, and achieve greater confidence, even as attacker methods change. These include built-in deception capabilities such as honeypots and automated threat intelligence feeds that quickly alert our customers to new attacker behaviors seen in the wild by our own threat hunters.
Unlike most SIEMs, InsightIDR also provides the capability to seamlessly act on many threats automatically, thus further reducing the time from detection to response. InsightIDR includes out-of-the-box automation workflows to improve analyst productivity such as automated containment to mitigate an attack. Additionally, with the Insight Agent, users can kill malicious processes or quarantine infected endpoints from the network. They can also use InsightIDR to take containment actions across Active Directory, Access Management, EDR, and firewall tools.
InsightIDR is offered through a cloud-based subscription or as a managed service. The managed service is known as Managed Detection and Response, a fully outsourced service that combines our team of expert analysts with InsightIDR. When attacks are found, customers are promptly informed of all known details and our team moves to incident response, providing security teams with detailed, easy-to-follow remediation steps tailored to the environment.
InsightAppSec: InsightAppSec provides comprehensive dynamic application security testing that continuously analyzes web applications for security vulnerabilities.
The key features include: a universal translator to enable IT security professionals to analyze complex applications; customized attack simulation capabilities that allow automatic testing of workflows such as shopping carts; scanning automation; attack replay, which allows replay of vulnerabilities in real time in order to verify that vulnerabilities are exploitable and that successful remediation has occurred; continuous site monitoring, which detects changes in application ecosystems and triggers a re-scan according to configurable settings; and integration with ticketing systems.
InsightAppSec enables integration with protection technologies to automatically generate web application firewalls (WAFs), which are custom rules that help to protect vulnerable applications while the vulnerabilities are being remediated. InsightAppSec supports most leading WAFs, including F5, Sourcefire and Imperva.
InsightAppSec is offered on a cloud-based subscription basis or as a managed service. The managed service is known as Managed Application Security and provides a fully outsourced option for application scanning and security testing.
InsightConnect: InsightConnect is our SOAR solution that is used by security professionals to connect their many disparate solutions and automate workflows to increase the speed with which they can identify risk and respond to incidents. With a growing library of approximately 300 plugins to connect tools and easily customizable connect-and-go workflows, it allows our customers to automate manual and tedious tasks, while still leveraging their expertise when it is most critical, thereby saving time and improving efficiency. InsightConnect is offered on a cloud-based subscription basis.
Other Products
Nexpose: Nexpose is an on-premise version of our Vulnerability Risk Management solution, that enables customers to assess and remediate their overall exposure to cyber risk across their increasingly complex IT environments. Nexpose is offered through term-based software licenses.
AppSpider: AppSpider is the on-premise version of our Application Security Testing solution that provides comprehensive dynamic application security testing that continuously analyzes web applications for security vulnerabilities. AppSpider is offered through term-based software licenses.
Metasploit: Metasploit is an industry-leading penetration testing software solution, developed on an open source framework. Metasploit can be used to safely simulate attacks on an organization’s network in order to uncover vulnerabilities before they are exploited by cyber attackers and assess the effectiveness of an organization’s existing defenses, security controls and mitigation efforts. The Metasploit open source framework is freely available and geared toward developers and security
5

Table of Contents
researchers. We also offer Metasploit Pro, the commercial penetration testing software based on the Metasploit framework, through term-based software licenses.
InsightOps: InsightOps simplifies IT infrastructure monitoring and troubleshooting by centralizing data from across a customer’s network into one secure location. With scalable and cost-effective architecture and the ability to bring together asset visibility and log management, InsightOps enables organizations to store and search structured, semi-structured and unstructured data in real time, enabling DevOps and IT professionals to centralize, search and monitor their log data in order to investigate anomalies, troubleshoot issues and conduct root cause analysis.
Professional Services
Our professional services offerings enhance our ability to serve as a trusted advisor in assisting organizations to think proactively about their security programs and implement strategic, analytics-driven security strategies. We believe that our role as trusted advisor helps drive better security outcomes for our customers, as well as loyalty and further usage of our products. Our professional services offerings include, but are not limited to, Penetration Testing, Cyber Security Maturity Assessments, Security & Incident Response Program Development Services, IoT & Internet Embedded Device testing as well as Threat Modeling, TableTop Exercises and Incident Response services. In addition, we offer deployment and training services related to our platform, to further help customers operationalize and customize their platform experience.
For example, our Cyber Security Maturity Assessments provide our customers with a view of their current security posture, an objective review of their existing plans, and a guide to their strategic planning. By accessing our security talent, we help organizations develop an approach and road map to further mature and strengthen their program efforts - often simplifying the otherwise complex.
Our Growth Strategy
Our goal is to make advanced security accessible to resource constrained enterprises of all sizes. The main drivers of our growth strategy are:
Continued investments in product development: We intend to continue to invest heavily in our product development to enhance our Insight Platform and deliver additional features, which will allow us to further penetrate and grow our addressable markets.
Grow our customer base: We believe we have a strong opportunity to address the security needs of resource constrained organizations of any size. We will continue to increase investments in our sales and marketing efforts and foster the growth of our channel relationships to enable acquisition of these customers.
Upsell and cross-sell to our existing customer base: We see significant opportunity to deepen our relationship with our existing customers. With a strong focus on customer experience, satisfaction, and the value proposition of our Insight Platform, we intend to expand customers' usage of products they own (upsell) and help them adopt additional products (cross-sell).
Further strengthen our customer renewal rate: We intend to continue to drive customer satisfaction and renewals by offering professional services, support, and strong investments in customer success functions. Our customer success teams provide expertise to help our customers improve their security outcomes, leading to higher customer satisfaction.
Expand our partner ecosystem: We continue to expand our strategic partnerships with our channel partners and system integrators. Technology alliances with partners such as ServiceNow, Microsoft, AWS and Palo Alto Networks enable our customers to succeed with our technology and platform in their ecosystem and deliver more value from their security operations program.
International expansion: We continue to make investments to expand our international presence. These include investments in infrastructure, sales and marketing, and strategic partnerships.
Strategic M&A: We have and may continue to make acquisitions that enhance the value of our Insight Platform and bolster our ability to solve emerging customer challenges, allowing us to deliver on the vision of becoming the SecOps leader.
Sales, Customer Support, and Marketing
We sell our solutions through direct inside and field sales team and indirect channel partner relationships.
6

Table of Contents
        Sales: Our sales teams focus on both new customer acquisition as well as up-selling and cross-selling additional offerings to our existing customers. Our sales teams are organized by geography, consisting of the Americas; Europe, the Middle East and Africa (EMEA); and Asia Pacific (APAC), as well as by target organization size. Our sales team consists of a mix of inside sales and field sales professionals, that sell to small, medium and large enterprise customers. Our highly technical sales engineers help define customer use cases, manage solution evaluations and train channel partners.
We maintain a global channel partner network that complements our sales organization, particularly in EMEA, APAC and Latin America. We have established strong co-sell relationships with strategic channel partners, who provide additional leverage through customer acquisition, deal execution and providing value in securing renewals. We continue to invest in partner models that enable us to create long term customer value.
We generated 43%, 39%, and 37% of sales from channel partners, in 2019, 2018, and 2017, respectively. Our revenue is not concentrated with any individual channel partner. No channel partner represented more than 10% of our revenue in 2019, 2018 or 2017.
        Customer Support: Our customer support organization is responsible for providing technical support to our customers acquired directly and through channel partners. We believe that a dedicated support team is essential to a successful customer deployment and ongoing experience, as well as overall customer satisfaction.
        Marketing: We focus our marketing efforts on increasing the strength of the Rapid7 brand, communicating product advantages and business benefits, generating leads for our sales force and channel partners and driving product adoption. We deliver targeted content to demonstrate our thought leadership in security and use digital advertising methods to drive downloads of our free trial software, which deliver opportunities to our sales organization. We work with our own researchers, as well as the broader IT and security community, to share important information about vulnerabilities and threats. We share that research through our blog, social media and traditional public relations. In addition, we host regional and national events to engage both customers and prospects, deliver product training and foster community collaboration.
Research and Development Efforts
We invest substantial resources in research and development to enhance our core technology platform and products, develop new end market-specific solutions and applications, and conduct product and quality assurance testing. Our technical and engineering team monitors and tests our products on a regular basis, and we maintain a regular release process to refine, update, and enhance our existing products. We also have a team of experienced security researchers who work to keep us abreast of the latest developments in the cyber security landscape. Our research and development teams are located in our offices in Boston, Massachusetts; Austin, Texas; Los Angeles and San Francisco, California; Arlington, Virginia; Toronto, Canada; Dublin and Galway, Ireland; Belfast, Northern Ireland; and Stockholm, Sweden, providing us with a broad, worldwide reach to engineering talent.
Metasploit Community: Our Metasploit product has an active community of contributors and users. This online security community provides us with a robust and growing network of active users and influencers who promote the usage of our software. Security researchers contribute modules to the Metasploit Framework that serve as a resource about real-world attacker techniques. The community also provides us with near real-time visibility into new cyber attacks as they occur and a deep understanding of attacker behaviors.
We perform security research that enables the analytics in our platform and products as well as delivers strategic value to the security community at large. The output of our research results in threat intelligence, exposure analysis and attacker awareness that we publish as well as integrate into our platform. This data is used for security research, product development, and across our services to help protect and inform our customers, partners and community. We share this data with validated educational and private security researchers, research partners, vetted threat sharing communities, and organizational security teams through our Open Data portal to foster collaboration and encourage discovery of new insights. We collect data for research purposes through two key areas:
        Attacker Intelligence: We collect data from across the internet through a variety of honeypots distributed both geographically and across IP space. The honeypots collect many data types which are then analyzed to help enhance our understanding of attacker methods.
        Internet Intelligence: We conduct internet-wide scans across many services and protocols to gain insight into global exposures and vulnerabilities.
This data collected is analyzed for the purpose of analytics in our platform and results in core research reports. We publish a variety of reports including The National Exposure Index, The Industry Cyber Exposure Report and Under the Hoodie. The
7

Table of Contents
National Exposure Index, published annually, is a census report that highlights the state of exposed internet services at the nation-state level and provides key trending information on the use of insecure protocols. The Industry Cyber Exposure Index details the attack surface, insecure service presence, email safety configurations, malware infection rates and internet supply-chain risks of Fortune 500 companies. The Under the Hoodie report sheds light on the art of penetration testing by revealing not just the process, techniques and tools that go into it, but also revealing the real-world experience of our engineers and investigators, gathered over thousands of penetration tests.
Our Customers
Our customer base has grown from approximately 5,100 customers at the end of 2015 to more than 9,000 customers as of December 31, 2019, in 144 countries, including 47% of the organizations in the Fortune 100. We define a customer as any entity that has (1) an active Rapid7 contract or a contract that expired within 90 days or less of the applicable measurement date; and for Logentries products, those customers with a contract value equal to or greater than $2,400 per year, or (2) purchased Rapid7 professional services within the 12 months preceding the applicable measurement date.
Our customers span a wide variety of industries including technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services, with customers in the finance industry representing our largest industry in 2019 at 15% of our revenue. In 2019, 52% of our revenue was generated from large enterprises, which we define as organizations that have either annual revenue greater than $1.0 billion or more than 2,500 employees, and the balance was generated from middle-market and small organizations.
Our revenue is not concentrated with any individual customer and no customer represented more than 1% of our revenue in 2019, 2018 or 2017.
Our Competition
The markets we operate in are highly competitive, fragmented and subject to technology change and innovation. Our primary competitors in Vulnerability Risk Management include Qualys and Tenable; in Incident Detection and Response (SIEM) include Splunk, Micro Focus and LogRhythm; in Application Security include Micro Focus and IBM; in Security Orchestration and Automation Response include Phantom (Splunk) and Demisto (Palo Alto Networks); and finally, while the competition in our professional services business is diverse, our competitors include FireEye’s Mandiant, SecureWorks and NCC Group.
We compete on the basis of a number of factors, including:
product functionality;
breadth of offerings;
performance;
brand name, reputation and customer satisfaction;
ease of implementation, use and maintenance;
total cost of ownership; and
scalability, reliability and security.
Some of our competitors have greater sales, marketing and financial resources, more extensive geographic presence or greater brand awareness than we do. We may face future competition in our markets from other large, established companies, as well as from emerging companies. In addition, we expect that there is likely to be continued consolidation in our industry that could lead to increased price competition and other forms of competition.
Intellectual Property
Our future success and competitive position depends in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patents, trademarks, copyrights, trade secrets, employee and third-party nondisclosure agreements, licensing arrangements and other contractual protections to protect our intellectual property in the United States and other jurisdictions.
We have numerous issued patents and a number of registered and unregistered trademarks. We believe that the duration of our issued patents is sufficient when considering the expected lives of our products. We file patent applications to protect our intellectual property and have a number of patent applications pending. We require our employees, consultants and other third
8

Table of Contents
parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. Although we rely on intellectual property rights, including trade secrets, patents, copyrights and trademarks, as well as contractual protections to establish and protect our proprietary rights, we believe that factors such as the technological and creative skills of our personnel, creation of new modules, features and functionality, and frequent enhancements to our solutions are more essential to establishing and maintaining our technology leadership position.
We also license software from third parties for integration into our offerings, including open source software and other software available on commercially reasonable terms. We believe our continuing research and product development are not materially dependent on any single license or other agreement with a third party relating to the development of our products.
Employees
As of December 31, 2019, we had 1,544 full-time employees, including 294 in product and service delivery and support, 656 in sales and marketing, 393 in research and development and 201 in general and administrative. As of December 31, 2019, we had 1,118 full-time employees in the United States and 426 full-time employees internationally. None of our U.S. employees are covered by collective bargaining agreements. We believe our employee relations are good and we have not experienced any work stoppages.
Corporate Information
We were initially incorporated in July 2000 in Delaware. Rapid7 LLC, a limited liability company organized under the laws of the Commonwealth of Massachusetts, was formed in January 2004. In August 2004, pursuant to an exchange agreement among Rapid7 LLC and the stockholders of Rapid7, Inc., the stockholders exchanged their shares in Rapid7, Inc. for equity interests in Rapid7 LLC, after which Rapid7, Inc. was dissolved. In August 2008, Rapid7 LLC was merged with and into Rapid7 LLC, a newly-formed Delaware limited liability company. Rapid7, Inc. was reincorporated in Delaware in October 2011. In a series of transactions in November 2011, equity holders of Rapid7 LLC exchanged their equity interests in Rapid7 LLC for capital stock in Rapid7, Inc. and Rapid7 LLC became a wholly-owned subsidiary of Rapid7, Inc.
Our principal executive offices are located at 120 Causeway Street, Boston, Massachusetts. Our telephone number is +1 617-247-1717. Our website address is www.rapid7.com.
“Rapid7,” the Rapid7 logo, and other trademarks or service marks of Rapid7, Inc. appearing in this Annual Report on Form 10-K are the property of Rapid7, Inc. This Annual Report on Form 10-K contains additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or TM symbols. The information contained on our website or information that may be accessed through links on our website is not incorporated by reference into this Annual Report on Form 10-K.
Available Information
Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to these reports filed pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, as amended, are made available free of charge on or through our website at investors.rapid7.com as soon as reasonably practicable after such reports are filed with, or furnished to, the SEC.
9

Table of Contents
Item 1A. Risk Factors.
Our operations and financial results are subject to various risks and uncertainties including those described below. You should consider carefully the risks and uncertainties described below, in addition to other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and related notes, as well as our other public filings with the Securities and Exchange Commission (the SEC), before making an investment decision. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business. If any of the following risks or others not specified below materialize, our business, financial condition and results of operations could be materially adversely affected. In that event, the trading price of our common stock could decline. Please also see "Special Note Regarding Forward-Looking Statements."
Risks Related to Our Business and Industry
We are a rapidly growing company, which makes it difficult to evaluate our future operating and financial results and may increase the risk that we will not be successful.
We are a rapidly growing company. Our ability to forecast our future operating and financial results is subject to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly evolving industries. If our assumptions regarding these uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations, our business could suffer and the trading price of our common stock may decline.
If we are unable to sustain our revenue growth rate, we may not achieve or maintain profitability in the future.
From the year ended December 31, 2015 to the year ended December 31, 2019, our revenue grew from $110.5 million to $326.9 million. Although we have experienced rapid growth historically and currently have high renewal rates, we may not continue to grow as rapidly in the future and our renewal rates may decline. Any success that we may experience in the future will depend, in large part, on our ability to, among other things:
maintain and expand our customer base;
increase revenues from existing customers through increased or broader use of our products and professional services within their organizations;
improve the performance and capabilities of our products through research and development;
continue to develop our cloud-based solutions;
maintain the rate at which customers purchase and renew subscriptions to our cloud-based solutions, content subscriptions, maintenance and support and managed services;
continue to successfully expand our business domestically and internationally;
continue to effectively improve the productivity of our sales teams; and
successfully compete with other companies.
If we are unable to maintain consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods as any indication of our future revenue or revenue growth.
We have not been profitable historically and may not achieve or maintain profitability in the future.
We have posted a net loss in each year since inception, including net losses of $53.8 million, $55.5 million and $45.5 million in the years ended December 31, 2019, 2018 and 2017, respectively. As of December 31, 2019, we had an accumulated deficit of $518.4 million. While we have experienced significant revenue growth in recent periods, we may not obtain a high enough volume of sales of our products and professional services to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we expect to continue to expend financial and other resources on:
10

Table of Contents
research and development related to our offerings, including investments in our research and development team;
sales and marketing, including a continued expansion of our sales organization, both domestically and internationally;
continued international expansion of our business;
strategic acquisitions and expansion of our partner ecosystem; and
general and administrative expenses as we continue to implement and enhance our administrative, financial and operational systems, procedures and controls.
These investments may not result in increased revenue or growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.
If our products or professional services fail to detect vulnerabilities or identify and respond to cyber security incidents, or if our products contain undetected errors or defects, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.
If our products or professional services fail to detect vulnerabilities in our customers’ cyber security infrastructure, or if our products or professional services fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or professional services will detect all vulnerabilities, especially in light of the rapidly changing security landscape to which we must respond. Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. If the information from these third parties is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability of our offerings and may therefore adversely impact market acceptance of our products and professional services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem.
Our products may also contain undetected errors or defects. Errors or defects may be more likely when a product is first introduced or as new versions are released, or when we introduce an acquired company's products. We have experienced these errors or defects in the past in connection with new products, acquired products and product upgrades and we expect that these errors or defects will be found from time to time in the future in new, acquired or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ businesses and could hurt our reputation. If our products or professional services fail to detect vulnerabilities for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results.
Many federal, state and foreign governments have enacted laws requiring companies to notify individuals of data security breaches involving their personal data. These mandatory disclosures regarding a security breach often lead to widespread negative publicity, and any association of us with such publicity may cause our customers to lose confidence in the effectiveness of our data security solutions. An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or professional services, could adversely affect the market’s perception of our offerings and subject us to legal claims.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors, capacity
11

Table of Contents
constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.
We utilize third-party data centers located in North America, in addition to operating and maintaining certain elements of our own network infrastructure. We also utilize other cloud providers, such as Amazon Web Services, for our Insight Platform infrastructure. Some elements of our complex infrastructure are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. More specifically, certain of our products, in particular our cloud-based products, are hosted on cloud providers such as Amazon Web Services, which provides us with computing and storage capacity. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure and website.
Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition, and operating results.
Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience additional costs or downtime or delays as we transition our operations.
Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, subject us to potential liability and cause customers to not renew their purchases or our products.
If we fail to manage our operations infrastructure, our customers may experience service outages and/or delays.
Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.
Our business and operations are experiencing rapid growth, and if we do not appropriately manage our future growth, or are unable to scale our systems and processes, our operating results may be negatively affected.
We are a rapidly growing company. To manage future growth effectively, we will need to continue to improve and expand our internal information technology systems, financial infrastructure, and operating and administrative systems and controls, which we may not be able to do efficiently, in a timely manner or at all. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to customers or investors losing confidence in our internal systems and processes, which could harm our results of operations and stock price.
Our business and growth depend substantially on customers renewing their subscriptions with us. Any decline in our customer renewals or failure to convince customers to expand their use of our subscription offerings could adversely affect our future operating results.
Our subscription offerings are sold on a term basis. In order for us to improve our operating results, it is important that our existing customers renew their subscriptions with us when the existing subscription term expires, and renew on the same or more favorable terms. Our customers have no obligation to renew their subscriptions with us and we may not be able to accurately predict customer renewal rates. Our customers’ renewal rates may decline or fluctuate as a result of a number of factors, including their satisfaction or dissatisfaction with our new or current product offerings, our pricing, the effects of economic conditions, competitive offerings, our customers' perception of their exposure, or alterations or reductions in their spending levels. If our customers do not renew their agreements with us or renew on terms less favorable to us, our revenues and results of operations may be adversely impacted.

12

Table of Contents
Our future growth is also affected by our ability to sell additional offerings to our existing customers, which depends on a number of factors, including customers’ satisfaction with our products and services and general economic conditions. If our efforts to cross-sell and upsell to our customers are unsuccessful, the rate at which our business grows might decline.

The market for Security Operations is new and unproven and may not grow.
We believe our future success will depend in large part on the growth, if any, in the market for Security Operations (SecOps). This market is nascent, and as such, it is difficult to predict important market trends, including the potential growth, if any. To date, the majority of enterprise spend on cyber security has been on threat protection products, such as network, endpoint and web security that are designed to stop threats from penetrating corporate networks. Organizations that use these security products may believe that their existing security solutions sufficiently protect access to their sensitive business data. Therefore, they may continue allocating their cyber security budgets to these products and may not adopt our products and professional services in addition to, or in lieu of, such traditional products. Further, sophisticated cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive business data, and changes in the nature of advanced cyber threats could result in a shift in IT budgets away from products and professional services such as ours. In addition, while recent high visibility attacks on prominent enterprises and governments have increased market awareness of the problem of cyber attacks, if cyber attacks were to decline, or enterprises or governments perceived that the general level of cyber attacks have declined, our ability to attract new customers and expand our sale to existing customers could be materially and adversely affected. If products and professional services such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our offerings as a critical layer of an effective cyber security strategy, our revenue may not grow as quickly as expected, or may decline, and the trading price of our stock could suffer. It is therefore difficult to predict how large the market will be for our solutions.
In addition, it is difficult to predict customer adoption and renewal rates, customer demand for our products and professional services, the size and growth rate of the market for SecOps, the entry of competitive products or the success of existing competitive products. Any expansion in our market depends on a number of factors, including the cost, performance and perceived value associated with our offerings and those of our competitors. If these offerings do not achieve widespread adoption or there is a reduction in demand for solutions in our market caused by a lack of customer acceptance, technological challenges, competing technologies and products, decreases in corporate spending, weakening economic conditions, or otherwise, it could result in reduced customer orders, early terminations, reduced renewal rates or decreased revenue, any of which would adversely affect our business operations and financial results. You should consider our business and prospects in light of the risks and difficulties we face in this new and unproven market.
We face intense competition in our market.
The market for SecOps solutions is highly fragmented, intensely competitive and constantly evolving. We compete with an array of established and emerging security software and services vendors. With the introduction of new technologies and market entrants, we expect the competitive environment to remain intense going forward. Our primary competitors in Vulnerability Risk Management include Qualys and Tenable; in Incident Detection and Response (SIEM) include Splunk, Micro Focus and LogRhythm; in Application Security include Micro Focus and IBM; in Security Orchestration and Automation Response include Phantom (Splunk) and Demisto (Palo Alto Networks); and finally, while the competition in our professional services business is diverse, our competitors include FireEye's Mandiant, SecureWorks and NCC Group.
Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business user recognition, larger and more mature intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is becoming increasingly competitive. Larger and more established companies may focus on security operations and could directly compete with us. Smaller companies could also launch new products and services that we do not offer and that could gain market acceptance quickly.
Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our offerings and cause the average sales price for our offerings to decline. These larger competitors are also often in a better position to withstand any significant reduction in spending by customers, and will therefore not be as susceptible to economic downturns.
13

Table of Contents
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors, or we may be required to expend significant resources in order to remain competitive. If our competitors are more successful than we are in developing new product and service offerings or in attracting and retaining customers, our business, financial condition and results of operations could be adversely affected.
Our sales cycle may be unpredictable.
The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the size of the organization and nature of the product or service under consideration. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our operating results, including the levels of our revenue, annualized recurring revenue, renewal rates, cash flow, deferred revenue and gross margins, have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
the level of demand for our products and professional services;
customer renewal rates and ability to attract new customers;
the extent to which customers purchase additional products or professional services;
the mix of our products, as well as professional services, sold during a period;
the ability to successfully grow our sales of our cloud-based solutions;
the level of perceived threats to organizations’ cyber security;
network outages, security breaches, technical difficulties or interruptions with our products;
changes in the growth rate of the markets in which we compete;
sales of our products and professional services due to seasonality and customer demand;
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;
the introduction or adoption of new technologies that compete with our offerings;
decisions by potential customers to purchase cyber security products or professional services from other vendors;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
price competition;
our ability to successfully manage and integrate any future acquisitions of businesses, including without limitation the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies;
14

Table of Contents
our ability to increase, retain and incentivize the channel partners that market and sell our products and professional services;
our continued international expansion and associated exposure to changes in foreign currency exchange rates, including any fluctuations caused by uncertainties relating to United Kingdom's referendum in June 2016 in which voters approved an exit from the European Union, commonly referred to as "Brexit";
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
the cost or results of existing or unforeseen litigation and intellectual property infringement;
the strength of regional, national and global economies;
the impact of natural disasters or manmade problems such as terrorism or war; and
future accounting pronouncements or changes in our accounting policies.
Each factor above or discussed elsewhere herein or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.
If we do not continue to innovate and offer products and professional services that address the dynamic threat landscape, we may not remain competitive, and our revenue and operating results could suffer.
The market for SecOps solutions is characterized by rapid technological advances, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards. Our success also depends, in part, upon our ability to anticipate industry evolution and introduce or acquire new products and professional services to keep pace with technological developments and market requirements both within our industry and in related industries. While we continue to invest significant resources in research and development in order to ensure that our products continue to address the cyber security risks that our customers face, the introduction of products and professional services embodying new technologies could render our existing products or professional services obsolete or less attractive to customers. In addition, developing new products and product enhancements is expensive and time consuming, and there is no assurance that such activities will result in significant cost savings, revenue or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected. Further, we may not be able to successfully anticipate or adapt to changing technology or customer requirements or the dynamic threat landscape on a timely basis, in a way that sufficiently differentiates us from competing solutions such that customers choose to purchase our solutions. If any of our competitors implement new technologies before we are able to implement them or better anticipate the innovation opportunities in related industries, those competitors may be able to provide more effective or more cost-effective solutions than ours. In addition, we may experience technical problems and additional costs as we introduce new products and product enhancements, deploy future iterations of our products and integrate new products with existing customer systems. If any of these problems were to arise, our business, financial condition and results of operations could be adversely affected.
To date, we have derived a majority of our revenue from customers using our vulnerability management offerings. If we are unable to renew or increase sales of our vulnerability management offerings, or if we are unable to increase sales of our other offerings, our business and operating results could be adversely affected.
Although we continue to introduce and acquire new products and professional services, we derive and expect to continue to derive a majority of our revenue from customers using certain of our vulnerability management offerings, InsightVM, Nexpose and Metasploit. Greater than half of our revenue was attributable to InsightVM, Nexpose and Metasploit in each of our last three fiscal years. As a result, our operating results could suffer due to:
any decline in demand for our vulnerability management offerings;
failure of our vulnerability management offerings to detect vulnerabilities in our customers’ IT environments;
15

Table of Contents
the introduction of products and technologies that serve as a replacement or substitute for, or represent an improvement over, our vulnerability management offerings;
technological innovations or new standards that our vulnerability management offerings do not address;
sensitivity to current or future prices offered by us or competing solutions; and
our inability to release enhanced versions of our vulnerability management offerings on a timely basis in response to the dynamic threat landscape.
Our inability to renew or increase sales of our vulnerability management offerings, including cloud-based subscriptions, content subscriptions, managed services and content and maintenance and support subscriptions, or a decline in prices of our vulnerability management offerings would harm our business and operating results more seriously than if we derived significant revenues from a variety of offerings. In addition, we have introduced several non-VM subscription products, including InsightIDR, InsightAppSec, and InsightConnect. These products are relatively new, and it is uncertain whether they will gain the market acceptance we expect. Any factor adversely affecting sales of our non-VM products or professional services, including release cycles, market acceptance, competition, performance and reliability, reputation and economic and market conditions, could adversely affect our business and operating results.
If we are unable to successfully hire, train, manage and retain qualified personnel, especially those in sales and marketing and research and development, our business may suffer.
We continue to be substantially dependent on our sales force to obtain new customers and increase sales with existing customers. Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales, marketing and research and development. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain sufficient qualified employees in the future. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or professional services or market our existing products or professional services at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.
We believe that our corporate culture has been a critical component to our success. We have invested substantial time and resources in building our team. As we grow and mature as a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could negatively affect our future success, including our ability to attract, motivate and retain personnel and effectively focus on and pursue our business strategy.
If Metasploit were to be used by attackers to exploit vulnerabilities in the cyber security infrastructures of third parties, our reputation and business could be harmed.
Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cyber security programs, Metasploit has in the past and may in the future be used to exploit vulnerabilities in the cyber security infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes. Any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our offerings. Further, the identification of new exploits and vulnerabilities by the Metasploit community may enhance the knowledge base of cyber attackers or enable them to undertake new forms of attacks. If any of the foregoing were to occur, we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.
A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.
We market and sell our products and professional services throughout the world and have personnel in many parts of the world. For the years ended December 31, 2019, 2018 and 2017, operations located outside of North America generated 16%, 15% and 15%, respectively, of our revenue. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the United States, particularly
16

Table of Contents
in Europe and Asia. We cannot assure you that our expansion efforts into international markets will be successful in creating further demand for our products and professional services or in effectively selling our products and professional services in the international markets that we enter. Our current international operations and future initiatives will involve a variety of risks, including:
increased management, infrastructure and legal costs associated with having international operations;
reliance on channel partners;
trade and foreign exchange restrictions;
economic or political instability or uncertainty in foreign markets and around the world, such as related to Brexit;
foreign currency exchange rate fluctuations;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
changes in regulatory requirements, including, but not limited to data privacy, data protection and data security regulations;
difficulties and costs of staffing and managing foreign operations;
the uncertainty and limitation of protection for intellectual property rights in some countries;
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
the potential for political unrest, acts of terrorism, hostilities or war;
management communication and integration problems resulting from cultural differences and geographic dispersion;
costs associated with language localization of our products; and
costs of compliance with multiple and possibly overlapping tax structures.
Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.
We are also monitoring developments related to Brexit, which could have significant implications for our business. Brexit could lead to economic and legal uncertainty, including significant volatility in global stock markets and currency exchange rates, and differing laws and regulations as the United Kingdom determines which European Union laws to replace or replicate. In particular, although the United Kingdom enacted a Data Protection Act in May 2018 that is consistent with the EU General Data Protection Regulation, uncertainty remains regarding how data transfers to and from the United Kingdom will be
17

Table of Contents
regulated. Any of these effects of Brexit, among others, could adversely affect our operations in the United Kingdom and our financial results.
Because our products collect and store user and related information, domestic and international privacy and cyber security concerns, and other laws and regulations, could result in additional costs and liabilities to us or inhibit sales of our products.
We, and our customers, are subject to a number of domestic and international laws and regulations that apply to online services and the internet generally. These laws, rules and regulations address a range of issues including data privacy and cyber security, and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, cyber security and breach notification procedures. Interpretation of these laws, rules and regulations and their application to our products and professional services in the United States and foreign jurisdictions is ongoing and cannot be fully determined at this time.
In the United States, these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm Leach Bliley Act and state breach notification laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents. In June 2018, California enacted the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The CCPA requires a broad range of companies that do business in California to honor the requests of California residents to access and require deletion of their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used and shared. The CCPA provides for civil penalties of up to $7,500 for violations, and a private right of action for data breaches that allows private plaintiffs to seek the greater of actual damages or statutory damages of up to $750 per affected consumer per data breach. These statutory remedies are expected to prompt an increase in data breach litigation and the cost to resolve it. The CCPA has prompted a number of proposals for new federal and state privacy legislation in the United States that, if passed, could increase our potential liability, increase our compliance costs and adversely affect our business.
Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal frameworks with which we, and/or our customers, must comply, including the European Union's General Data Protection Regulation, (EU) 2016/679 (GDPR), which went into effect in May 2018 and is designed to update current privacy laws to better reflect the digital economy and to unify data protection within the European Union (EU) under a single law and laws implemented by EU member states which contain derogations from, or exemptions or authorizations for the purposes of, the GDPR, or which are otherwise intended to supplement the GDPR and any legislation that replaces or converts into domestic law the GDPR or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the EU. The GDPR presents significantly greater risks, compliance burdens and costs for companies with users and operations in the European Union. Under the GDPR, fines of up to 20 million euros or up to 4% of the annual global turnover of the infringer, whichever is greater, could be imposed for significant non-compliance. These laws are broad in their application and apply when we do business with EU-based customers and when our U.S.-based customers collect and use personal data that originates from individuals resident in the EU. They also apply to transfers of information between us and our European Union-based subsidiaries, including employee information. Further, many U.S. federal and state and other foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. Non-compliance with these laws could result in penalties or significant legal liability. We could be adversely affected if legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations or financial condition.
In addition, to facilitate the transfer of both customer and personnel data from the European Union to the United States, we self-certified under the EU-US Privacy Shield framework on December 20, 2016. However, it is possible that the Privacy Shield may be challenged in the future, so there is some uncertainty regarding its future validity and our ability to rely on it for EU to US data transfers. The EU is monitoring the arrangement, and the EU Commissioner and the U.S. Department of Commerce carry out annual joint reviews to assess whether it continues to ensure an adequate level of protection of personal data, the most recent of which took place in October 2019. Non-compliance with the transfer restrictions could result in the EU data protection authorities imposing a number of different sanctions on us until we do, including fines and, ultimately, a prohibition on transfers.
18

Table of Contents
In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing practices or the features of our products. We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom we rely in relation to various services, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.
The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Privacy or cyber security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.
Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Our failure to comply with existing laws, rules or regulations, changes to existing laws or their interpretation, or the imposition of new laws, rules or regulations, could result in additional costs and may necessitate changes to our business practices and divergent operating models, which may have a material and adverse impact on our business, results of operations, and financial condition.
Organizations may be reluctant to purchase our cloud-based offerings due to the actual or perceived vulnerability of cloud solutions.
Some organizations have been reluctant to use cloud solutions for cyber security, such as our InsightVM, InsightIDR, InsightAppSec and InsightConnect, because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole may be negatively impacted, which could harm our business.
As a cyber security provider, we are a target of cyber attacks and other cyber risks that could adversely impact our reputation and operating results.
We sell cyber security and data analytics products. As a result, we have been and will be a target of cyber attacks designed to impede the performance of our products, penetrate our network security or the security of our cloud platform or our internal systems, or that of our customers, misappropriate proprietary information and/or cause interruptions to our services. For example, because Metasploit serves as an introduction to hacking for many individuals, a successful cyber attack on us may be perceived as a victory for the cyber attacker, thereby increasing the likelihood that we may be a target of cyber attacks, even absent financial motives. Further, if our systems are breached as a result of third-party action, employee error or misconduct, attackers could learn critical information about how our products operate to help protect our customers’ IT infrastructures from cyber risk, thereby making our customers more vulnerable to cyber attacks. In addition, if actual or perceived breaches of our network security occur, they could adversely affect the market perception of our products, negatively affecting our reputation, and may expose us to the loss of our proprietary information or information belonging to our customers, investigations or litigation and possible liability, including injunctive relief and monetary damages. Such security breaches could also divert the efforts of our technical and management personnel. In addition, such security breaches could impair our ability to operate our business and provide products to our customers. If this happens, our reputation could be harmed, our revenue could decline and our business could suffer.
Additionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, will cover any indemnification claims against us relating to any incident, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.
19

Table of Contents
We recognize a significant percentage of our revenue ratably over the term of our agreements with customers, and as a result, downturns or upturns in sales may not be immediately reflected in our operating results.
We recognize a significant percentage of our revenue ratably over the various terms of our agreements with customers. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the applicable term.
We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our business. We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.
We may be unable to rapidly and efficiently adjust our cost structure in response to significant revenue declines, which could adversely affect our operating results.
If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
Our products are deployed in a wide variety of IT environments, including large-scale, complex infrastructures. Some of our customers have experienced difficulties implementing our products in the past and may experience implementation difficulties in the future. If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
In addition, in order for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, and our products must be able to effectively adapt to and track these changes.
Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.
Future acquisitions could disrupt our business and harm our financial condition and operating results.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay. We also may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful.
Achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner and successfully market and sell these as new product offerings, or as new features within our existing offerings, including, for example, the operations, products and technology acquired in connection with our acquisition of NetFort Technologies Limited (NetFort) in April 2019. Some of our acquisitions could improve the capabilities of our existing offerings or platform, as opposed to becoming a new offering. The acquisition of NetFort's network monitoring, traffic visibility and analytics technology is intended to help our Insight cloud customers improve their ability to detect attacks, investigate incidents and gain increased visibility into devices that pose a risk to the organization. The process of integrating a new business or technology into our product offerings, such as NetFort and its technology, requires, among other things, coordination of administrative, sales and marketing, accounting and finance functions, and expansion of information and management systems. Integration of any future acquisition may prove to be difficult due to the necessity of coordinating geographically separate organizations and integrating personnel with disparate business backgrounds and accustomed to different corporate cultures. The acquisition and integration processes are complex, expensive and time consuming, and may cause an interruption of, or loss of momentum in, product development, sales activities and operations of both companies. Further, we may be unable to retain key personnel of an acquired company following the acquisition, including certain employees which we acquired in connection with our acquisition of NetFort. If we are unable to effectively execute or integrate acquisitions, our business, financial condition and operating results could be adversely affected.
20

Table of Contents
In addition, we may only be able to conduct limited due diligence on an acquired company’s operations or may discover that the products or technology acquired were not as capable as we thought based upon the initial or limited due diligence. Following an acquisition, we may be subject to unforeseen liabilities arising from an acquired company’s past or present operations and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any unforeseen liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition.
If we are unable to maintain successful relationships with our channel partners, our business operations, financial results and growth prospects could be adversely affected.
Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We anticipate that we will continue to rely on these partners in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. For 2019, 2018 and 2017, we derived approximately 43%, 39%, and 37%, respectively, of our revenue from sales of products and professional services through channel partners, and the percentage of revenue derived from channel partners may increase in future periods. Our agreements with our channel partners are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or do not effectively market and sell our products and professional services, our ability to grow our business and sell our products and professional services, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and professional services or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and professional services or increased revenue.
If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.
We believe that maintaining and enhancing our brand identity is critical to our relationships with our customers and channel partners and to our ability to attract new customers and channel partners. The successful promotion of our brand will depend largely upon our marketing efforts, our ability to continue to offer high-quality offerings and our ability to successfully differentiate our offerings from those of our competitors. Our brand promotion activities may not be successful or yield increased revenues. In addition, independent industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services, our brand may be adversely affected.
Moreover, it may be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers and channel partners, all of which would adversely affect our business operations and financial results.
Failure to maintain high-quality customer support could have a material adverse effect on our business.
Once our products are deployed within our customers’ networks, our customers depend on our technical and other customer support services to resolve any issues relating to the implementation and maintenance of our products. If we do not effectively assist our customers in deploying our products, help our customers quickly resolve post-deployment issues or provide effective ongoing support, our ability to renew or sell additional products or professional services to existing customers would be adversely affected and our reputation with potential customers could be damaged. Further, to the extent that we are unsuccessful in hiring, training and retaining adequate technical and customer success personnel, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our offerings will be adversely affected.
We are dependent on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.
Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. From time to time, there may be changes in our senior management team resulting from the termination or departure of our executive officers and key employees. Our senior management and key employees are
21

Table of Contents
employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of the services of our senior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations.
We rely on third-party software to operate certain functions of our business.
We rely on software vendors to operate certain critical functions of our business, including financial management, customer relationship management and human resource management. If we experience difficulties in implementing new software or if these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.
We use third-party software and data that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.
We license third-party software and security and compliance data from various third parties that are used in our solutions in order to deliver our offerings. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our offerings until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software could result in errors or defects in our products or cause our products to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.
Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.
Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, the GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our applications and to make our applications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the event that portions of our applications are determined to be subject to an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in our products failing to provide our customers with the security they expect. Any of these events could have a material adverse effect on our business, operating results and financial condition.
22

Table of Contents
Our technology alliance partnerships expose us to a range of business risks and uncertainties that could have a material adverse impact on our business and financial results.
We have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans, including with certain of our actual or potential competitors. For example, through these technology alliance partnerships, we integrate with certain third-party application program interfaces (APIs), which enhance our data collection capabilities in our customers’ IT environments. If these third parties no longer allow us to integrate with their APIs, or if we determine not to maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain potential customers. Technology alliance partnerships require significant coordination between the parties involved, particularly if a partner requires that we integrate its products with our products. Further, we have invested and will continue to invest significant time, money and resources to establish and maintain relationships with our technology alliance partners, but we have no assurance that any particular relationship will continue for any specific period of time, result in new offerings that we can effectively commercialize or result in enhancements to our existing offerings. In addition, while we believe that entering into technology alliance partnerships with certain of our actual or potential competitors is currently beneficial to our competitive position in the market, such partnerships may also give our competitors insight into our offerings that they may not otherwise have, thereby allowing them to compete more effectively against us.
The continued utility of Metasploit depends in part on the continued contributions from security researchers.
Our Metasploit product relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. We expect that the continued contributions from these third parties will both enhance the robustness of Metasploit and also support our sales and marketing efforts. However, to the extent that the information provided by these third parties is inaccurate or malicious, the potential for false indications of security vulnerabilities and susceptibility to attack increases, which could adversely impact market acceptance of our products and professional services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem. Further, to the extent that our community of third parties is reduced in size or participants become less active, we may lose valuable insight into the dynamic threat landscape and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.
If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.
We generate a portion of our revenue from our vulnerability management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our vulnerability management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council (the PCI Council), which apply to companies that process, transmit or store cardholder data. In addition, our vulnerability management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The foregoing and other state, federal and international legal and regulatory regimes may affect our customers’ requirements for, and demand for, our products and professional services. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our customers’ cyber security defense and compliance efforts, our customers may lose confidence in our products and could switch to products offered by our competitors or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.
In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and standards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.
A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.
Selling to government entities can be highly competitive, expensive and time consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our products and
23

Table of Contents
professional services may also be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Government entities also have heightened sensitivity surrounding the purchase of cyber security solutions due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly-visible targets for cyber attacks. Accordingly, increasing sales of our products and professional services to government entities may be more challenging than selling to commercial organizations. Further, in the course of providing our products and professional services to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, for each of the years ended December 31, 2019, 2018 and 2017 we incurred 13% of our expenses outside of the United States in foreign currencies, primarily the British pound sterling and euro, principally with respect to salaries and related personnel expenses associated with our sales and research and development operations. Additionally, for the years ended December 31, 2019, 2018 and 2017, 8%, 7% and 5%, respectively, of our revenue was generated in foreign currencies. Accordingly, changes in exchange rates may have an adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. To date, we have not engaged in any hedging strategies, and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations.
Changes in financial accounting standards may adversely impact our reported results of operations.
A change in accounting standards or practices could adversely affect our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may adversely affect our operating results.
We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.
We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Risks Related to Intellectual Property, Litigation, Government Regulation, Data Collection and Catastrophic Events
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Our success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.
We cannot assure you that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Rapid7,” “Nexpose” and “Metasploit”
24

Table of Contents
names and logos in the United States and certain other countries. We have registrations and/or pending applications for additional marks in the United States and other countries; however, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. While we have copyrights in our software, we do not typically register such copyrights with the Copyright Office. This failure to register the copyrights in our software may preclude us from obtaining statutory damages for infringement under certain circumstances. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot assure you that such third parties will maintain such software or continue to make it available.
In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could result in impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our failure to secure, protect and enforce our intellectual property rights could negatively affect our brand and adversely impact our business, operating results and financial condition.
Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.
Patent and other intellectual property disputes are common in our industry. We are periodically involved in disputes brought by non-practicing entities alleging patent infringement and we may, from time to time, be involved in other such disputes in the ordinary course of our business. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us and we are currently involved in legal proceedings with Finjan, Inc., which has filed a complaint against us and our wholly-owned subsidiary, Rapid7 LLC, in the United States District Court, District of Delaware, alleging patent infringement. Third parties may also assert claims against our customers or channel partners, whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
25

Table of Contents
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and
indemnify our partners and other third parties.
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore, our competitors may have access to the same technology licensed to us.
Any of the foregoing events could seriously harm our business, financial condition and results of operations.
We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.
Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in compliance with these laws and regulations. Compliance with these laws and regulations is complex, and if we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers. A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.
We also incorporate encryption technology into our products. These encryption products may be exported outside of the United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.
Further, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to U.S. embargoed or sanctioned countries, governments or persons. Although we take precautions to prevent our products from being provided to those subject to U.S. sanctions, such measures may be circumvented and we have in the past identified limited instances of non-compliance with these rules. After these instances were disclosed to U.S. authorities, those authorities decided to not bring enforcement actions against or impose penalties on us.
Finally, in recent years, there have been multinational efforts to impose additional restrictions on certain cyber security products that could include commercial versions of Metasploit. Such restrictions have been imposed by individual countries, but are not currently in effect in the United States. The implementation of such restrictions could adversely affect our business, financial condition and results of operations. We are closely monitoring these efforts and are prepared to work with interested parties and/or stakeholders with respect to the implementation of restrictions potentially applicable to our products.
Failure to comply with governmental laws and regulations could harm our business.
Our business is subject to regulation by various federal, state, local and foreign governments. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of
26

Table of Contents
profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.
Our intercompany relationships are subject to complex transfer pricing regulations, which may be challenged by taxing authorities.
We generally conduct our international operations through wholly-owned subsidiaries and report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are and will continue to be subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.
Our ability to use net operating losses to offset future taxable income may be subject to certain limitations.
As of December 31, 2019, we had federal and state net operating loss carryforwards (NOLs), of $275.8 million and $209.7 million, respectively, available to offset future taxable income, which expire in various years beginning in 2021 if not utilized. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Under the provisions of the Internal Revenue Code of 1986, as amended (the Internal Revenue Code), substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use NOLs if a company experiences a more-than-50-percentage point ownership change over a three-year testing period. Based upon our analysis as of December 31, 2019, we determined that although a limitation on our historical NOLs exists, we do not expect this limitation to impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occur in the future, our ability to use our NOLs may be further limited. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. If we are limited in our ability to use our NOLs in future years in which we have taxable income, we will pay more taxes than if we were able to fully utilize our NOLs. This could adversely affect our operating results, cash balances and the market price of our common stock.
We could be subject to additional tax liabilities.
We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made.
Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.
A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. In addition, natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by any of the events discussed above, our ability to provide our products or professional services to customers could be delayed.
In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a natural disaster, power failure or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing
27

Table of Contents
events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future growth of our business, that may result from interruptions in our service as a result of system failures.
All of the aforementioned risks may be exacerbated if our disaster recovery plans or the disaster recovery plans established for our third-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our business, financial condition and results of operations could be adversely affected.
Risks Related to our Common Stock
The market price of our common stock has been and is likely to continue to be volatile.
The market price of our common stock may be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways. Since shares of our common stock were sold in our initial public offering, or IPO, in July 2015 at a price of $16.00 per share, our stock price has ranged from an intraday low of $9.05 to an intraday high of $66.01 through February 21, 2020. Factors that may affect the market price of our common stock include:
actual or anticipated fluctuations in our financial condition and operating results;
variance in our financial performance from expectations of securities analysts;
changes in our projected operating and financial results;
changes in the prices of our products and professional services;
changes in laws or regulations applicable to our products or professional services;
announcements by us or our competitors of significant business developments, acquisitions or new offerings;
our involvement in any litigation or investigations by regulators;
our sale of our common stock or other securities in the future;
changes in our board of directors, senior management or key personnel;
trading volume of our common stock;
price and volume fluctuations in the overall stock market;
changes in the anticipated future size and growth rate of our market; and
general economic, regulatory and market conditions.
The stock markets, and in particular the market on which our common stock is listed, have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial costs and divert our management’s attention.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.
We have provided and may continue to provide guidance about our business, future operating results and other business metrics. In developing this guidance, our management must make certain assumptions and judgments about our future performance. Furthermore, analysts and investors may develop and publish their own projections of our business, which may form a consensus about our future performance. Our business results may vary significantly from such guidance or that consensus due to a number of factors, many of which are outside of our control, and which could adversely affect our operations and operating results. Furthermore, if we make downward revisions of our previously announced guidance, or if our publicly announced guidance of future operating results fails to meet expectations of securities analysts, investors or other interested parties, the price of our common stock would decline.
28

Table of Contents
If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.
The trading market for our common stock depends, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.
We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.
We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
We are obligated to maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.
We have been and are required, pursuant to Section 404 of the Sarbanes-Oxley Act (Section 404), to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal controls are effective. While we have established certain procedures and control over our financial reporting processes, we cannot assure you that these efforts will prevent restatements of our financial statements in the future.
Our independent registered public accounting firm is also required, pursuant to Section 404, to report annually on the effectiveness of our internal control over financial reporting. This assessment is required to include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. For future reporting periods, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. We may not be able to remediate any future material weaknesses, or to complete our evaluation, testing and any required remediation in a timely fashion.
If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion that our internal controls over financial reporting are effective, investors could lose confidence in the accuracy and completeness of our financial reports, which could cause the price of our common stock to decline, and we could be subject to sanctions or investigations by regulatory authorities, including the SEC and Nasdaq. Failure to remediate any material weakness in our internal control over financial reporting, or to maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us more difficult, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change in control or changes in our management. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:
authorize our board of directors to issue preferred stock without further stockholder action and with voting liquidation, dividend and other rights superior to our common stock;
require that any action to be taken by our stockholders be effected at a duly called annual or special meeting and not by written consent, and limit the ability of our stockholders to call special meetings;
establish an advance notice procedure for stockholder proposals to be brought before an annual meeting, including proposed nominations of persons for director nominees;
29

Table of Contents
establish that our board of directors is divided into three classes, with directors in each class serving three-year staggered terms;
require the approval of holders of two-thirds of the shares entitled to vote at an election of directors to adopt, amend or repeal our amended and restated bylaws or amend or repeal the provisions of our amended and restated certificate of incorporation regarding the election and removal of directors and the ability of stockholders to take action by written consent or call a special meeting;
prohibit cumulative voting in the election of directors; and
provide that vacancies on our board of directors may be filled only by a majority of directors then in office, even though less than a quorum.
These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, who are responsible for appointing the members of our management. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became an “interested” stockholder. Any of the foregoing provisions could limit the opportunity for our stockholders to receive a premium for their shares of our common stock and could also affect the price that some investors are willing to pay for our common stock.
Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Pursuant to our amended and restated certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provision. The forum selection clause in our amended and restated certificate of incorporation may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Risks Related to our Indebtedness
We have a significant amount of debt that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur additional debt in the future, which may adversely affect our operations and financial results. We may not have sufficient cash flow from our business to pay our substantial debt when due.
As of December 31, 2019, we had $230.0 million aggregate principal amount of indebtedness under our 1.25% convertible senior notes due 2023 (the Notes). Our indebtedness may:
limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes;
limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes;
require us to use a substantial portion of our cash flow from operations to make debt service payments;
limit our flexibility to plan for, or react to, changes in our business and industry;
place us at a competitive disadvantage compared to our less leveraged competitors; and
increase our vulnerability to the impact of adverse economic and industry conditions.
Further, the indenture governing the Notes does not restrict our ability to incur additional indebtedness and we and our subsidiaries may incur substantial additional indebtedness in the future, subject to the restrictions contained in any future debt instruments existing at the time, some of which may be secured indebtedness.
30

Table of Contents
Our ability to pay our debt when due or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. In addition, any required repurchase of the Notes for cash as a result of a fundamental change or voluntary redemption (in each case, pursuant to the terms of the Notes) would lower our current cash on hand such that we would not have that cash available to fund operations. If we are unable to generate sufficient cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring our debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations.
In addition, we and our subsidiaries may incur additional debt in the future. We will not be restricted under the terms of the indenture governing the Notes from incurring additional debt, securing existing or future debt, recapitalizing our debt or taking a number of other actions that are not limited by the terms of the indenture governing the Notes that could have the effect of diminishing our ability to make payments on the Notes when due.
The conditional conversion feature of the Notes, if triggered, may adversely affect our financial condition and operating results.
In the event the conditional conversion feature of the Notes is triggered, holders of the Notes will be entitled to convert their Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation in cash, which could adversely affect our liquidity. As disclosed in Note 9 to our consolidated financial statements, the conditional conversion feature of the Notes was triggered as of December 31, 2019, and the Notes are currently convertible at the option of the holders, in whole or in part, between January 1, 2020 and March 31, 2020. Whether the Notes will be convertible following such fiscal quarter will depend on the continued satisfaction of this condition or another conversion condition in the future. In addition, even if holders of Notes do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.
The accounting method for convertible debt securities that may be settled in cash, such as the Notes, could have a material effect on our reported financial results.
Under Accounting Standards Codification 470-20, Debt with Conversion and Other Options (ASC 470-20), an entity must separately account for the liability and equity components of the convertible debt instruments (such as the Notes) that may be settled entirely or partially in cash upon conversion in a manner that reflects the issuer’s economic interest cost. The effect of ASC 470-20 on the accounting for the Notes is that the equity component is required to be included in the additional paid-in capital section of stockholders’ equity on our consolidated balance sheet at the issuance date and the value of the equity component would be treated as debt discount for purposes of accounting for the debt component of the Notes. As a result, we will be required to record non-cash interest expense through the amortization of the excess of the face amount over the carrying amount of the expected life of the Notes. We will report larger net losses (or lower net income) in our financial results because ASC 470-20 requires interest to include both the amortization of the debt discount and the instrument’s cash coupon interest rate, which could adversely affect our reported or future financial results, the trading price of our common stock and the trading price of the Notes.
In addition, under certain circumstances, convertible debt instruments (such as the Notes) that may be settled entirely or partly in cash may be accounted for utilizing the treasury stock method, the effect of which is that the shares issuable upon conversion of such Notes are not included in the calculation of diluted earnings per share except to the extent that the conversion value of such Notes exceeds their principal amount. Under the treasury stock method, for diluted earnings per share purposes, the transaction is accounted for as if the number of shares of common stock that would be necessary to settle such excess, if we elected to settle such excess in shares, are included in the denominator for purposes of calculating diluted earnings per share. We cannot be sure that the accounting standards in the future will continue to permit the use of the treasury stock method. If we are unable or otherwise elect not to use the treasury stock method in accounting for the shares issuable upon conversion of the Notes, then our diluted earnings per share could be adversely affected.
The capped call transactions may affect the value of the Notes and our common stock.
In connection with the pricing of the Notes and the exercise by the initial purchasers of their option to purchase additional Notes, we entered into capped call transactions with certain counterparties (Capped Calls). The Capped Calls cover, subject to customary adjustments, the number of shares of our common stock initially underlying the Notes. The Capped Calls are
31

Table of Contents
expected to offset the potential dilution as a result of conversion of the Notes. In connection with establishing their initial hedge of the capped call transactions, the counterparties or their respective affiliates entered into various derivative transactions with respect to our common stock concurrently with or shortly after the pricing of the Notes, including with certain investors in the Notes. The counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the Notes (and are likely to do so on each exercise date of the capped call transactions, which are scheduled to occur during the observation period relating to any conversion of the Notes on or after February 1, 2023). We cannot make any prediction as to the direction or magnitude of any potential effect that the transactions described above may have on the price of the Notes or the shares of our common stock. Any of these activities could adversely affect the value of the Notes and our common stock.
We are subject to counterparty risk with respect to the capped call transactions.
The option counterparties are financial institutions, and we will be subject to the risk that one or more of the option counterparties may default or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Calls. Our exposure to the credit risk of the option counterparties will not be secured by any collateral. Recent global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under such transaction. Our exposure will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. In addition, upon a default or other failure to perform, or a termination of obligations, by an option counterparty, we may suffer more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of the option counterparties.
Provisions in the indenture for the Notes may deter or prevent a business combination that may be favorable to our stockholders.
If a fundamental change occurs prior to the maturity date of the Notes, holders of the Notes will have the right, at their option, to require us to repurchase all or a portion of their Notes. In addition, if a “make-whole fundamental change” (as defined in the indenture) occurs prior the maturity date, we will in some cases be required to increase the conversion rate of the Notes for a holder that elects to convert its Notes in connection with such make-whole fundamental change.
Furthermore, the indenture will prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Notes. These and other provisions in the indenture could deter or prevent a third party from acquiring us even when the acquisition may be favorable to our stockholders.
Conversion of the Notes will dilute the ownership interest of existing stockholders, including holders who had previously converted their Notes, or may otherwise depress the price of our common stock.
The conversion of some or all of the convertible Notes will dilute the ownership interests of existing stockholders to the extent we deliver shares of our common stock upon conversion of any of the Notes. As disclosed in Note 9 to our consolidated financial statements, the conditional conversion feature of the Notes was triggered as of December 31, 2019, and the Notes are currently convertible at the option of the holders, in whole or in part, between January 1, 2020 and March 31, 2020. Whether the Notes will be convertible following such fiscal quarter will depend on the continued satisfaction of this condition or another conversion condition in the future. Any sales in the public market of the common stock issuable upon such conversion could adversely affect prevailing market prices of our common stock. In addition, the existence of the Notes may encourage short selling by market participants because the conversion of the Notes could be used to satisfy short positions, or anticipated conversion of the Notes into shares of our common stock could depress the price of our common stock.
Item 1B. Unresolved Staff Comments.
None.
Item 2. Properties.
Our corporate headquarters occupy approximately 147,000 square feet in Boston, Massachusetts under an operating lease that expires in November 2029. In July 2019, we entered into a lease agreement with respect to approximately 67,000 square feet at 100 Causeway Street, Boston, Massachusetts, to be located in the same complex as, and in order to expand, our corporate headquarters. The term of the lease is 102 months and is expected to commence in June 2021. We have additional U.S. offices including Los Angeles and San Francisco, California; Austin, Texas; and Alexandria, Virginia. We also lease various
32

Table of Contents
international offices including in Toronto, Canada; Reading, United Kingdom; Belfast, Northern Ireland; Dublin and Galway, Ireland; Melbourne, Australia and Singapore.
We believe that our current facilities are suitable and adequate to meet our current needs. We intend to add new facilities or expand existing facilities as we add employees, and we believe that suitable additional or substitute space will be available as needed to accommodate any such expansion of our operations.
Item 3. Legal Proceedings.
In October 2018, Finjan, Inc. (Finjan) filed a complaint against us and our wholly-owned subsidiary, Rapid7 LLC, in the United States District Court, District of Delaware, alleging patent infringement of seven patents held by them. In the complaint, Finjan sought unspecified damages, attorneys' fees and injunctive relief. We intend to vigorously contest Finjan's claims. The final outcome, including our liability, if any, with respect to Finjan's claims, is uncertain. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
In addition, from time to time, we are a party to litigation or subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business, financial condition or results of operations. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
Item 4. Mine Safety Disclosures.
Not applicable.
33

Table of Contents
PART II
Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.
Market Information
Our common stock is listed on the Nasdaq Global Market under the symbol “RPD."
As of December 31, 2019, there were 53 holders of record of our common stock, including Cede & Co., a nominee for The Depository Trust Company (DTC), which holds shares of our common stock on behalf of an indeterminate number of beneficial owners. All of the shares of common stock held by brokerage firms, banks and other financial institutions as nominees for beneficial owners are deposited into participant accounts at DTC, and are considered to be held of record by Cede & Co. as one stockholder. Because many of our shares are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.
Stock Performance Graph
The following shall not be deemed incorporated by reference into any of our other filings under the Securities Exchange Act of 1934, as amended, or the Securities Act of 1933, as amended, except to the extent we specifically incorporate it by reference into such filings.
The following graph shows a comparison from July 17, 2015 (the date our common stock commenced trading on the Nasdaq Global Market) through December 31, 2019 of the cumulative total return for an investment of $100 in our common stock, the Nasdaq Global Market and the Nasdaq Computer Index. Data for the Nasdaq Global Market and the Nasdaq Computer Index assume reinvestment of dividends.
rp-20191231_g1.jpg
The comparisons in the graph below are based upon historical data and are not indicative of, nor intended to forecast, future performance of our common stock.
34

Table of Contents
July 17,
  2015  
December 31,
2015
December 31,
2016
December 31,
2017
December 31,
2018
December 31,
2019
Rapid7, Inc.$100.00  $59.85  $48.14  $73.81  $123.26  $221.60  
Nasdaq Global Market Composite100.00  81.67  75.93  95.11  89.07  116.64  
Nasdaq Computer100.00  105.13  117.72  168.48  163.53  249.06  
Recent Sales of Unregistered Securities
None.
Use of Proceeds from Initial Public Offering of Common Stock
None.
Purchase of Equity Securities by the Issuer and Affiliated Purchasers
None.
Securities Authorized for Issuance Under Equity Compensation Plans
Information about securities authorized for issuance under our equity compensation plan is incorporated herein by reference to Item 12 of Part III of this Annual Report on Form 10-K.
Item 6. Selected Financial Data.
The following selected historical financial data should be read in conjunction with Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and our consolidated financial statements and the related notes appearing in Item 8, “Financial Statements and Supplementary Data,” of this Annual Report on Form 10-K to fully understand the factors that may affect the comparability of the information presented below.
The selected consolidated financial data in this section are not intended to replace the consolidated financial statements and are qualified in their entirety by the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K.
The following selected consolidated statements of operations data for the years ended December 31, 2019, 2018 and 2017, and the consolidated balance sheet data as of December 31, 2019 and 2018, have been derived from our audited consolidated financial statements included elsewhere in this Annual Report on Form 10-K. The consolidated statements of operations data for the year ended December 31, 2016 and 2015 and the consolidated balance sheet data as of December 31, 2017, 2016 and 2015 have been derived from our audited consolidated financial statements not included in this Annual Report on Form 10-K.
35

Table of Contents
Year Ended December 31,
 201920182017 (1)2016 (1)2015 (1)
 (in thousands, except share and per share data)
Consolidated Statement of Operations Data:
Revenue:
Products$261,119  $168,571  $116,748  $89,404  $63,407  
Maintenance and support36,778  42,223  46,268  37,403  26,903  
Professional services29,050  33,297  37,924  30,630  20,216  
Total revenue326,947  244,091  200,940  157,437  110,526  
Cost of revenue(2):
Products59,684  39,810  25,583  12,447  6,921  
Maintenance and support8,495  7,678  7,491  7,105  6,002  
Professional services22,967  23,595  23,836  20,173  16,321  
Total cost of revenue91,146  71,083  56,910  39,725  29,244  
Operating expenses(2):
Research and development79,364  67,743  50,938  47,955  38,746  
Sales and marketing157,722  123,310  111,593  90,524  67,365  
General and administrative44,710  34,993  30,293  28,282  21,731  
Total operating expense281,796  226,046  192,824  166,761  127,842  
Loss from operations(45,995) (53,038) (48,794) (49,049) (46,560) 
Interest income6,014  3,229  862  —  —  
Interest expense(13,389) (4,934) (87) 131  (2,523) 
Other income (expense), net(433) (336) 313  (109) (278) 
Loss before income taxes(53,803) (55,079) (47,706) (49,027) (49,361) 
Provision for (benefit from) income taxes42  466  (2,236) (27) 496  
Net loss(53,845) (55,545) (45,470) (49,000) (49,857) 
Accretion of preferred stock to redemption value—  —  —  —  (35,061) 
Beneficial conversion feature relating to IPO participation payment—  —  —  —  (14,161) 
Net loss attributable to common stockholders(53,845) (55,545) $(45,470) $(49,000) $(99,079) 
Net loss per share attributable to common stockholders, basic and diluted$(1.10) $(1.20) $(1.06) $(1.19) $(4.00) 
Weighted-average common shares outstanding, basic and diluted48,731,791  46,456,825  42,952,950  41,248,473  24,740,480  
(1) On January 1, 2018, we adopted Financial Accounting standards Board (FASB) Accounting Standards Update (ASU) 2014-09, Revenue from Contracts with Customers (ASC 606) using the modified retrospective method. The consolidated statement of operations for the years ended December 31, 2017, 2016 and 2015 were not adjusted for the adoption of ASC 606. See Note 2, to our consolidated financial statements included in this Annual Report on Form 10-K for additional discussion of the impact of the adoption of this new accounting guidance.
36

Table of Contents
(2) Includes stock-based compensation expense and depreciation and amortization expense as follows:
 Year Ended December 31,
 20192018201720162015
 (in thousands)
Stock-based compensation expense:
Cost of revenue$2,580  $1,692  $1,085  $610  $532  
Research and development15,670  10,822  7,205  6,054  5,010  
Sales and marketing11,883  7,569  5,756  6,607  3,139  
General and administrative10,531  7,510  5,495  4,045  2,004  
Total stock-based compensation expense$40,664  $27,593  $19,541  $17,316  $10,685  
Depreciation and amortization expense:
Cost of revenue$9,110  $5,673  $3,597  $2,529  $1,890  
Research and development2,083  1,336  1,077  1,080  1,138  
Sales and marketing3,971  2,783  1,986  1,842  1,617  
General and administrative1,364  1,305  968  1,274  707  
Total depreciation and amortization expense$16,528  $11,097  $7,628  $6,725  $5,352  

 As of December 31,
 201920182017 (1)2016 (1)2015 (1)
 (in thousands)
Consolidated Balance Sheet Data:
Cash and cash equivalents$123,413  $99,565  $51,562  $53,148  $86,553  
Working capital, excluding deferred revenue309,441  310,646  139,604  101,527  109,015  
Total assets664,913  559,369  284,136  243,303  230,561  
Total deferred revenue267,744  248,571  224,500  169,063  130,317  
Total debt185,200  174,688  —  —  —  
Total liabilities581,745  472,050  259,983  201,265  162,486  
Total stockholders’ equity83,168  87,319  24,153  42,038  68,075  
(1) On January 1, 2018, we adopted ASC 606 using the modified retrospective method. The consolidated balance sheets as of December 31, 2017, 2016 and 2015 were not adjusted for the adoption of ASC 606. See Note 2, to our consolidated financial statements included in this Annual Report on Form 10-K for additional discussion of the impact of the adoption of this new accounting guidance.

37

Table of Contents
Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations.
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion contains forward-looking statements that reflect our plans, estimates and beliefs. Our actual results could differ materially from those contained in or implied by any forward-looking statements. Factors that could cause or contribute to these differences include those under “Risk Factors” included in Part I, Item 1A or in other parts of this Annual Report on Form 10-K.
Overview
Rapid7 is a leading cyber security solutions provider, on a mission to make successful security tools and practices accessible to all. Rapid7 Insight Platform technology, expert services, and thought-leading research enables over 9,000 customers to improve their security programs so that they can safely advance and innovate.
In the nearly 20 years that Rapid7 has been in business, security companies and trends have come and gone, while broader technology innovation continues to advance rapidly. Every company is now a technology company, and rampant innovation inevitably creates security risk. The migration of businesses to the cloud and ubiquitous connected devices present security teams with an increasingly complex, ever-changing, and unpredictable attack surface.
We believe as cybersecurity challenges continue to rise exponentially, two key factors can prevent organizations from effectively managing their growing security exposure. First, the tools to manage complex security problems are often equally complicated to use. Second, there is a scarcity of cybersecurity professionals who are qualified to successfully manage these sophisticated tools. These two factors compound the difficulties that resource-constrained organizations face when attempting to minimize their security exposure, meet security compliance regulations and provide visibility to their leadership. The expanding divide between risk created through innovation and risk managed by security teams is called the Security Achievement Gap.
We believe Rapid7 is uniquely positioned to improve how customer security challenges are addressed. Our solutions simplify the complex, allowing teams to more effectively reduce vulnerabilities, monitor malicious behavior, investigate and shut down attacks, and automate routine tasks. All of our solutions and services are built with and supported by the expertise of our dedicated team of security researchers and consultants, who bring knowledge of attacker behavior and emerging vulnerabilities directly to customers. We also continue to invest in further simplifying our technology to improve usability, lowering the barrier to managing security for teams and organizations who lack resources.
While our security technology is the foundation of our mission to make successful security accessible to all, technology alone will not solve today’s cybersecurity challenges. Our ongoing commitment to researching and partnering with the technology community helps to curb new security risks born through innovation. We are also investing in under-served, at risk communities, like non-profits and hospitals, to better understand their needs and make security technology and services accessible. By continuously improving our technology, stemming the creation of risk in the community, and making security more usable and accessible, Rapid7 aims to close the Security Achievement Gap.
We market and sell our products and professional services to organizations of all sizes globally, including mid-market businesses, enterprises, non-profits, educational institutions and government agencies. Our customers span a wide variety of industries such as technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services. As of December 31, 2019, we had over 9,000 customers in 144 countries, including 47% of the Fortune 100. Our revenue was not concentrated with any individual customer and no customer represented more than 1% of our revenue in 2019, 2018 or 2017.
We sell our products and professional services through direct inside and field sales teams and indirect channel partner relationships. Our sales teams focus on both new customer acquisition as well as up-selling and cross-selling additional offerings to our existing customers. Our sales teams are organized by geography, consisting of the Americas; Europe, the Middle East and Africa (EMEA); and Asia Pacific (APAC), as well as by target organization size. Our highly technical sales engineers help define customer use cases, manage solution evaluations and train channel partners. In addition, we maintain a global channel partner network that complements our sales organization, particularly in EMEA, APAC and Latin America.
Our Business Model
We have offerings in four key areas: (1) Vulnerability Risk Management, (2) Incident Detection and Response, (3) Application Security and (4) Security Orchestration and Automation Response.
We offer our products through a variety of delivery models to meet the needs of our diverse customer base, including:
38

Table of Contents
Cloud-based subscriptions, which provide our software capabilities to our customers through cloud access and on a Software as a Service basis. Our InsightIDR, InsightVM, InsightAppSec and InsightConnect products are offered as cloud-based subscriptions, generally with a one-year term.
Managed services, through which we operate our products and provide our capabilities on behalf of our customers. Our Managed Vulnerability Management, Managed Application Security and Managed Detection and Response products are offered on a managed service basis, generally pursuant to one-year agreements.
Licensed software, including both term and perpetual licenses, and the simultaneous sale of maintenance and support. Our Nexpose, Metasploit and AppSpider products are offered through term or perpetual software licenses. Our customers who purchase software licenses also purchase maintenance and support, which provides our customers with telephone and web-based support and ongoing bug fixes and repairs during the term of the maintenance and support agreement, and our customers who purchase our Nexpose and Metasploit products also purchase content subscriptions, which provide them with real-time access to the latest vulnerabilities and exploits. Our maintenance and support and content subscription agreements are typically for one-year terms.
We also offer various professional services across all of our offerings, including deployment and training services related to our software and cloud-based products, incident response services and security advisory services. Customers can purchase our professional services together with our product offerings or on a stand-alone basis pursuant to fixed fee or time-and-materials agreements.
An important component of our revenue growth strategy is to have our existing customers renew their agreements with us and purchase additional products from us. To assess our performance against this objective, we monitor the renewal rates of our existing customers. We calculate our renewal rate by dividing the dollar value of renewed customer agreements, including upsells and cross-sells of additional products, but excluding professional services and Logentries, in a trailing 12-month period by the dollar value of the corresponding customer agreements. Our renewal rate was 108%, 119% and 116% in 2019, 2018 and 2017, respectively. For the years ended December 31, 2018 and 2017, our renewal rate was adjusted from the previously disclosed 120% and 122%, respectively, to 119% and 116%, respectively, based on a reclassification of certain upsells and cross-sells. Our goal is to maintain strong renewal rates and continue to increase the renewal rates over time however, our renewal rates may decline or fluctuate as a result of a number of factors, including customers’ satisfaction or dissatisfaction with our products and professional services, pricing, competitive offerings, economic conditions or overall changes in our customers’ spending levels.
In 2019, 2018 and 2017 recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 87%, 81% and 70%, respectively, of total revenue.
Key Metrics
We monitor the following key metrics to help us measure and evaluate the effectiveness of our operations:
 Year Ended December 31,
 201920182017
 (dollars in thousands)
Total revenue$326,947  $244,091  $200,940  
Year-over-year growth (1)
33.9 %21.5 %27.6 %
Non-GAAP income (loss) from operations$2,404  $(20,381) $(26,273) 
Operating cash flow$(1,420) $6,066  $13,286  
(1) For 2018, we recognized revenue under ASC 606. For 2017, we recognized revenue under ASC 605 and therefore, the periods are not directly comparable.
 As of December 31,
 20192018
(dollars in thousands) 
Number of customers9,022  7,808  
Year-over-year growth15.5 %11.1 %
Annualized recurring revenue (ARR)$338,714  $251,819  
Year-over-year growth34.5 %52.7 %
39

Table of Contents
Total Revenue and Growth. We are focused on driving continued revenue growth through increased sales of our products and professional services to new and existing customers.
Non-GAAP Income (Loss) from Operations. We monitor non-GAAP income (loss) from operations, a non-GAAP financial measure, to analyze our financial results. We believe non-GAAP income (loss) from operations is useful to investors, as a supplement to U.S. GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial performance and allow for greater transparency with respect to metrics used by our management in its financial and operational decision-making. See Non-GAAP Financial Results for further information on non-GAAP income (loss) from operations and a reconciliation of non-GAAP income (loss) from operations to the comparable GAAP financial measure.
Operating Cash Flow. We monitor our operating cash flow as a measure of our overall business performance, which enables us to analyze our financial performance without the effects of certain non-cash items such as stock-based compensation expenses and depreciation and amortization. Additionally, operating cash flow takes into account the increase in deferred revenue as a result of increases in sales of products and services, which reflects the receipt of cash payment for products before they are recognized into revenue. Our operating cash flow is significantly impacted by the timing of commission and bonus payments, accounts payable payments and collections of accounts receivable. During 2019, as we continued to shift from a perpetual license business model to a subscription business model, our average contract lengths declined which decreased our annual billings and, as a result, our cash flow from operations was negatively impacted.
Number of Customers. We believe that the size of our customer base is an indicator of our global market penetration and that our net customer additions are an indicator of the growth of our business. We define a customer as any entity that has (1) an active Rapid7 contract or a contract that expired within 90 days or less of the applicable measurement date; and for Logentries products, those customers with a contract value equal to or greater than $2,400 per year, or (2) purchased Rapid7 professional services within the 12 months preceding the applicable measurement date.
Annualized Recurring Revenue and Growth. Annualized recurring revenue (ARR) is defined as the annual value of all recurring revenue related to contracts in place at the end of the quarter. ARR should be viewed independently of revenue and deferred revenue as ARR is an operating metric and is not intended to be combined with or replace these items. ARR is not a forecast of future revenue, which can be impacted by contract start and end dates and renewal rates and does not include revenue reported as perpetual license or professional services revenue in our consolidated statement of operations.
Non-GAAP Financial Results
To supplement our consolidated financial statements, which are prepared and presented in accordance with GAAP, we provide investors with certain non-GAAP financial measures, including non-GAAP gross profit, non-GAAP income (loss) from operations, non-GAAP net income (loss), non-GAAP net income (loss) per share and adjusted EBITDA. The presentation of the non-GAAP financial measures is not intended to be considered in isolation or as a substitute for, or superior to, the financial information prepared and presented in accordance with GAAP. We use these non-GAAP financial measures for financial and operational decision-making purposes and as a means to evaluate period-to-period comparisons, and use certain non-GAAP financial measures as performance measures under our executive bonus plan. We believe that these non-GAAP financial measures provide useful information about our operating results, enhance the overall understanding of past financial performance and future prospects and allow for greater transparency with respect to metrics used by our management in its financial and operational decision-making. While our non-GAAP financial measures are an important tool for financial and operational decision-making and for evaluating our own operating results over different periods of time, you should review the reconciliation of our non-GAAP financial measures to the comparable GAAP financial measures included below, and not rely on any single financial measure to evaluate our business.
We define non-GAAP gross profit, non-GAAP income (loss) from operations, non-GAAP net income (loss) and non-GAAP net income (loss) per share as the respective GAAP balances excluding the effect of stock-based compensation expense, amortization of acquired intangible assets, amortization of debt discount and issuance costs, and certain other items such as acquisition-related expenses, follow-on public offering costs and litigation-related expenses. Non-GAAP net income (loss) per basic and dilutive share is calculated as Non-GAAP net income (loss) divided by the weighted average shares used to compute net income (loss) per share, with the number of weighted average shares decreased to reflect the anti-dilutive impact of the capped call transactions (Capped Calls) entered into in connection with the 1.25% convertible senior note issued in August 2018 (Notes).
We believe these non-GAAP financial measures are useful to investors in assessing our operating performance due to the following factors:
40

Table of Contents
Stock-based compensation expense. We exclude stock-based compensation expense because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact our non-cash expense. We believe that providing non-GAAP financial measures that exclude stock-based compensation expense allows for more meaningful comparisons between our operating results from period to period.
Amortization of acquired intangible assets. We believe that excluding the impact of amortization of acquired intangible assets allows for more meaningful comparisons between operating results from period to period as the intangible assets are valued at the time of acquisition and are amortized over several years after the acquisition.
Amortization of debt discount and issuance costs. In August 2018, we issued $230 million of convertible senior notes, which bear interest at an annual fixed rate of 1.25%. The imputed interest rate of the convertible senior notes was approximately 7.37%. This is a result of the debt discount recorded for the conversion feature that is required to be separately accounted for as equity, and debt issuance costs, which reduce the carrying value of the convertible debt instrument. The debt discount is amortized as interest expense together with the issuance costs of the debt. The expense for the amortization of debt discount and debt issuance costs is a non-cash item, and we believe the exclusion of this interest expense provides a more useful comparison of our operational performance in different periods.
Litigation-related expenses. We exclude certain litigation-related expenses consisting of professional fees and related costs incurred by us related to significant litigation outside the ordinary course of business. We believe it is useful to exclude such expenses because we do not consider such amounts to be part of our ongoing operations.
Acquisition-related expenses and follow-on public offering costs. We exclude acquisition-related expenses and follow-on public offering costs as costs that are unrelated to the current operations and neither are comparable to the prior period nor predictive of future results.
Anti-dilutive impact of capped call transaction. In connection with the issuance of our convertible senior notes, we entered into capped call transactions to offset potential dilution from the embedded conversion feature in the notes. Although we cannot reflect the anti-dilutive impact of the capped call transactions under GAAP, we do reflect the anti-dilutive impact of the capped call transactions in non-GAAP net income (loss) per basic and diluted share to provide investors with useful information in evaluating our financial performance on a per share basis.
We define adjusted EBITDA as net loss before (1) interest income, (2) interest expense, (3) other income (expense), net, (4) provision for (benefit from) income taxes, (5) depreciation expense, (6) amortization of intangible assets, (7) stock-based compensation expense, and (8) certain other items. We believe that the use of adjusted EBITDA is useful to investors and other users of our financial statements in evaluating our operating performance because it provides them with an additional tool to compare business performance across companies and across periods. Adjusted EBITDA should not be considered as a substitute for other measures of financial performance reported in accordance with GAAP. There are limitations to using this non-GAAP financial measure, including that other companies may calculate this measure differently than we do, that it does not reflect our capital expenditures or future requirements for capital expenditures and that it does not reflect changes in, or cash requirements for, our working capital and excludes some items that are cash based.
Our non-GAAP financial measures may not provide information that is directly comparable to that provided by other companies in our industry, as other companies in our industry may calculate non-GAAP financial results differently, particularly related to non-recurring, unusual items. In addition, there are limitations in using non-GAAP financial measures because the non-GAAP financial measures are not prepared in accordance with GAAP, may be different from non-GAAP financial measures used by other companies and exclude expenses that may have a material impact upon our reported financial results. Further, stock-based compensation expense has been and will continue to be for the foreseeable future a significant recurring expense in our business and an important part of the compensation provided to our employees.
41

Table of Contents
The following tables reconcile GAAP gross profit to non-GAAP gross profit for the years ended December 31, 2019, 2018 and 2017:
 Year Ended December 31,
 201920182017
 (in thousands)
GAAP total gross profit$235,801  $173,008  $144,030  
Stock-based compensation expense2,580  1,692  1,085  
Amortization of acquired intangible assets6,339  3,985  2,639  
Non-GAAP total gross profit$244,720  $178,685  $147,754  

 Year Ended December 31,
 201920182017
 (in thousands)
GAAP gross profit – products$201,435  $128,761  $91,165  
Stock-based compensation expense789  493  336  
Amortization of acquired intangible assets6,339  3,985  2,639  
Non-GAAP gross profit – products$208,563  $133,239  $94,140  

 Year Ended December 31,
 201920182017
 (in thousands)
GAAP gross profit – maintenance and support$28,283  $34,545  $38,777  
Stock-based compensation expense616  233  247  
Non-GAAP gross profit – maintenance and support$28,899  $34,778  $39,024  

 Year Ended December 31,
 201920182017
 (in thousands)
GAAP gross profit – professional services$6,083  $9,702  $14,088  
Stock-based compensation expense1,175  966  502  
Non-GAAP gross profit – professional services$7,258  $10,668  $14,590  
The following table reconciles GAAP loss from operations to non-GAAP income (loss) from operations for the years ended December 31, 2019, 2018 and 2017:
 Year Ended December 31,
 201920182017
 (in thousands)
GAAP loss from operations$(45,995) $(53,038) $(48,794) 
Stock-based compensation expense40,664  27,593  19,541  
Amortization of acquired intangible assets6,479  4,144  2,813  
Acquisition-related expenses514  115  167  
Follow-on public offering costs—  205  —  
Litigation-related expenses742  600  —  
Non-GAAP income (loss) from operations$2,404  $(20,381) $(26,273) 
The following table reconciles GAAP net loss to non-GAAP net income (loss) for the years ended December 31, 2019, 2018 and 2017:
42

Table of Contents
 Year Ended December 31,
 201920182017
 (in thousands, except share and per share data)
GAAP net loss(53,845) (55,545) (45,470) 
Stock-based compensation expense40,664  27,593  19,541  
Amortization of acquired intangible assets6,479  4,144  2,813  
Acquisition-related expenses514  115  167  
Follow-on public offering costs—  205  —  
Litigation-related expenses742  600  —  
Release of valuation allowance, acquisition-related(761) —  (2,632) 
Tax adjustment for the impact of tax reform—  —  (352) 
Amortization of debt discount and issuance costs10,513  3,831  —  
Non-GAAP net income (loss)$4,306  $(19,057) $(25,933) 
Reconciliation of net income (loss) per share, basic:
GAAP net loss per share, basic$(1.10) $(1.20) $(1.06) 
Non-GAAP adjustments to net loss$1.19  $0.79  $0.46  
Non-GAAP net income (loss) per share, basic$0.09  $