Rapid7 Q1 2026 Earnings Call - AI-Driven Security Shift Fuels Core Platform Growth

Adam Borg, Analyst, Stifel1: Good day, everyone. My name is Kahealani, and I’ll be your conference operator today. At this time, I would like to welcome you to the Q1 2026 Rapid7 earnings call. All lines have been placed on mute to prevent any background noise. After the speaker’s remarks, there will be a question and answer session. If you would like to ask a question during this time, and if you have joined via the webinar, please use the raise hand icon, which can be found at the bottom of your webinar application. At this time, I would like to turn the call over to Matthew Wells, Vice President of Investor Relations.

Matthew Wells, Vice President of Investor Relations, Rapid7: Thank you, operator, and good afternoon, everyone. We appreciate you joining us. Today, we will be discussing Rapid7’s first quarter fiscal 2026 financial results. We’ve distributed our earnings press release over the wire, and it can be accessed on our investor relations website. With me on the call today are Corey Thomas, our CEO, and Rafe Brown, our CFO. As a reminder, all participants are in a listen-only mode, and a question and answer session will follow our opening remarks. Before I hand the call over to Corey, I want to note that certain statements made during this conference call may be considered forward-looking under federal securities laws.

Such statements are made pursuant to the Safe Harbor Provisions of the Private Securities Litigation Reform Act of 1995 and include our outlook for the 2nd quarter and fiscal year 2026, any assumptions for fiscal periods beyond that period, and our positioning, strategy, business plan, operational improvements, and growth drivers. These forward-looking statements are based on our current expectations and beliefs and information currently available to us. While we believe any forward-looking statements we make are reasonable, actual results could differ materially due to a number of risks and uncertainties, including those contained in our filings with the SEC. Reported results should not be considered as indicative of future performance. We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events, or otherwise, except to the extent required by applicable law.

Further information on these forward-looking statements and risk factors are included in the filings we make with the SEC, including the section titled Cautionary Language concerning forward-looking statements in our earnings press release. Over the course of this call, we’ll reference non-GAAP measures to describe our performance. Please review our earnings press release and filings with the SEC for a rationale behind the use of non-GAAP measures and for a full reconciliation of these GAAP to non-GAAP metrics. These documents, in addition to a replay of this call, will be available on the Rapid7 investor relations website. I’d like to turn the call over to Corey.

Corey Thomas, Chief Executive Officer, Rapid7: Thank you, Matt. Welcome to everyone joining Rapid7’s first quarter 2026 earnings call. Let me start by sharing insights from the influx of conversations we’ve been having with customers as they navigate the rapidly evolving cyber landscape. CIOs and CISOs are telling us the same thing in different ways. Advances from frontier models have fundamentally accelerated the threat environment and outpaced operating models built to defend against it. Vulnerabilities can now be discovered and exploited autonomously, and attackers are moving at machine speed. This fundamentally rewrites the value equation in security. The premium is no longer on detecting threats faster after they emerge. It shifts to preemptive exposure management, autonomous detection, and remediation at scale, closing the windows attackers exploit before they can be exploited at all.

This is precisely the environment that plays to our strengths, and that’s why our investments in the AI SOC and preemptive security operations are resonating so strongly with customers. The shift we’re enabling from reactive to preemptive, from human scale to machine scale is not a marketing reframe. It’s the only viable path forward for teams that need to anticipate where attackers will move next, prioritize the exposures that actually matter, and respond at the speed of modern attacks. Customers are looking for a partner who can unify their data, apply AI with the right context, drive remediation at scale, and translate all of it into measurable outcomes. That is exactly where we are focused. The core platform we’re building across detection response and exposure management is becoming the foundation customers turn to as they modernize for this new threat reality.

By unifying exposure and inspection on the Command Platform and combining AI-driven operations with the depth of expertise that we’ve built over 25 years, we’re giving customers a single coherent way to reduce risk, disrupt attackers, and build durable cyber resilience. The opportunity in front of us has never been clearer, and our conviction in this strategy has never been higher. Turning to the first quarter, I am pleased to report that Rapid7 delivered outperformance against all guided metrics. ARR of $832 million and revenue of $210 million were driven by sustained growth in our detection and response business, offset by trends in other parts of our business, particularly our non-core standalone offerings. non-GAAP operating income of $24 million exceeded our guidance and helped drive strong free cash flow of $33 million.

Our quarterly results reflect a greater focus on balancing strategic investment and driving scale in the business. In Detection and Response, ARR growth of approximately 7% was driven by strength in MDR business. Our approach to delivering AI SOC, combined with deep services expertise, continues to receive strong market validation. This quarter, we added a new Fortune 500 customer and a 7-figure ARR deal. In Exposure Management, we’re continuing to simplify the migration process of upgrading our large vulnerability management base into the Exposure Command Platform. Our approach to a unified AI-driven exposure platform continues to resonate with new and existing customers. In this quarter, a large Fortune 500 customer consolidated on Rapid7 as their exposure platform of choice in a competitive deal cycle. In the quarter, we acquired Kenzo Security, an agentic platform built to run security operations autonomously and at machine speed.

This is a direct accelerant to our AI SOC vision. Kenzo’s data mesh shifts customers away from a per alert investigation model to a system-driven one. Coverage scales with the environment, not head count. This unlocks 2 things, a meaningful tailwind for MDR growth and a path to higher contribution margins through software-driven efficiency. Most importantly, Kenzo opens the door to the full MDR market. Rapid7 is evolving into a preemptive agentic security platform that accelerates the entire SOC, delivered either as a managed service or a self-managed platform. By combining deep MDR expertise with exposure-driven visibility into vulnerabilities and attacker behavior, Rapid7 enables organizations to detect, investigate, and stop threats earlier. We also continue to innovate on our Exposure Command platform, delivering 2 major capabilities, runtime validation for cloud environments, and data security posture management to strengthen proactive exposure reduction across hybrid environments.

In plain terms, we no longer just tell customers what their vulnerabilities are. We tell them which ones are actively being exploited in their environment. Runtime validation determines what attackers can actually reach in production, and DSPM maps where the high-value data lives and who has access to it. Together, they collapse the noise and surface to the small set of exposures that actually matter. These steps accelerate the playbook we shared with you in February, strategically investing in our AI-enabled SOC to deliver preemptive security infrastructure while also deploying expert talent towards high-value customer engagements that AI cannot replicate. Turning to customer wins in the quarter, Rapid7 continues to be the partner of choice for global organizations securing complex on-prem, cloud, and hybrid environments. The go-to-market changes Alan, our Chief Commercial Officer, put in place at the start of the year are beginning to bear fruit.

We are running a sharper, more focused organization, and productivity has improved. While it’s still early, the operating discipline we’re committed to in February is beginning to take hold, and we believe that as an organization, we can continue to drive efficiencies over the middle term. In this quarter alone, a Fortune 500 mining company with global operations selected Rapid7 as its MDR provider of choice in a 7-figure deal. This was a long, competitive sales cycle in which our SIEM and detection response capabilities stood out to their security leaders. Rapid7’s history managing cloud, hybrid, and on-prem environments, and strong technical knowledge helped cement this decision. After years of only covering a portion of its environment, a global Fortune 500 aviation manufacturer expanded with Rapid7 as their preferred global exposure management provider in a large 6-figure deal.

The capabilities of our Command Platform, combined with our in-house technical talent, were resonant points during the expansion process. Lastly, a leading health services provider selected Rapid7 as their MDR provider of choice in a large six-figure deal. Previously, subsidiaries of the organization used disparate tools and lacked unified coverage. Rapid7’s ability to address challenges at a regional and local level, in addition to a unified coverage across ecosystems, stood out to security leaders at the organization. Now, before I pass the call to Rafe, I want to dive deeper into the implications of the unprecedented shift frontier models bring to the security landscape. I want to be clear that this market shift is a long-term tailwind for us, not a threat.

Vulnerability discovery has been accelerating and commoditizing for years, driven by advances in AI coding and reasoning. Frontier models like Anthropic’s Mythos and Google’s Big Sleep have made that trajectory undeniable. Mythos surfaced more than 2,000 previously unknown vulnerabilities in 7 weeks. That is a new baseline. Here’s the part of the stories that headlines miss. Mythos commoditize vulnerability identification, finding bugs in code. It has not commoditized the operational reality of managing those vulnerabilities across complex enterprise environments. It does not commoditize detection response. It has not commoditized exposure management. If anything, it makes it all the more essential because the volume and velocity of findings every enterprise has to act on is about to increase dramatically. The value is migrating in 3 directions, Rapid7 is at the intersection of each trend. First, remediation at scale.

The Command Platform provides the granular visibility and tracking required to manage thousands of filings across hybrid environments. Combined with our SOAR capabilities and Kenzo’s agentic AI, we are moving from traditional patch management towards AI-native remediation, identifying flaws and deploying fixes autonomously. Second, detection response. A faster discovery cycle on the attacker side means a faster response cycle on the defender side. Kenzo accelerates our MDR service from AI-as-assistant workflows to autonomous machine speed investigation. Detection is no longer the bottleneck. It becomes a precursor to near instantaneous response. Third, preemptive exposure management. Our March releases of runtime validation and data security posture management move Exposure Command from continuous assessment to continuous validation, telling customers which exposures are actually exploitable in their environment against their sensitive data given their identity surface. This is the shift the market is describing. It is the shift that Rapid7 has been building toward.

More vulnerabilities found means more demand for operational platform that turns findings into outcomes. To close, this is the moment of real change in our industry. We have the data foundation. We now have a step change AI capability accelerated by Kenzo, and we have the expertise customers do not get from a model alone. The team is executing with urgency. The operating discipline has taken hold, and the work we’re doing this year sets up share gains we expect to deliver over the medium term. With that, I’d like to pass the call to Rafe to discuss Q1 results in more detail and our updated 2026 guidance. Rafe, over to you.

Adam Borg, Analyst, Stifel2: Thank you, Corey, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers except revenue and balance sheet items mentioned during my remarks today are non-GAAP. Please refer to our earnings release and SEC filings for additional details regarding the presentation of our results and guidance metrics. In the first quarter of 2026, I’m pleased to report that we exceeded guidance across all guided metrics. We finished the first quarter with total ARR of $832 million. Let me add a bit more color. I’ve now been at Rapid7 for five months, making this a good opportunity to step back and share some of my observations, which I think will also help you better understand our underlying mix of businesses, as well as the rationale for the strategy we are pursuing.

A key takeaway is that while many people think of Rapid7 as a VM and D&R provider, that categorization of our business is incomplete. I believe that the business should be thought of in two distinct groupings. First, our core platform solutions group, comprised of our detection response solutions, which includes MDR, and our exposure management business, which includes VM and Exposure Command. These core platform solutions constitute more than 80% of our total ARR and have been the sustained growth driver in our business in recent years. As you know, we have different underlying trajectories within core platform solutions, led by our strong MDR business and work underway to return the exposure management business to growth. These core platform solutions are where our business is focused.

As such, the performance of our core platform solutions is the clearest indicator of the ongoing transformation within Rapid7, and they are the solutions where we are concentrating product development and go-to-market resources. The remainder of our business mix, or second grouping, consists of standalone non-platform offerings. As customers have shifted towards platform-based offerings over the past few years, these standalone non-platform products have declined on a year-over-year basis. While they remain profitable and we continue to support our customer using these products, standalone non-platform offerings are not central to our strategy. As a result, they have experienced declines and have been the driver of the sequential net ARR declines we have witnessed in recent periods. With the benefit of that context and framing, let me unpack our Q1 ARR performance.

Our core platform solutions, which now total over 80% of our overall ARR, as I shared moments ago, grew approximately 2% on a year-over-year basis, led by our strongest offering in the group, our detection response business, which at approximately 55% of total ARR, grew approximately 7% on a year-over-year basis. While D&R growth was partially offset by our exposure management business within these core platform solutions, we remain pleased to see ongoing momentum in our more holistic Exposure Command offerings, driven by both new customers and customers migrating to this new platform. We are not where we want to be across all elements of our core platform solutions, but re-accelerating the growth of these core platform solutions is the focus of our strategy and where we are placing our bets, as you heard Corey describe in detail earlier.

In contrast, our non-platform products declined in the quarter, driving the sequential decline we saw in total ARR. As we plan for the remainder of 2026 and beyond, we see opportunities to optimize margins for these standalone non-platform solutions as we take steps to improve the alignment of our investment resources to our growing core platform solutions. Returning now to other important metrics. Total revenue of $209.7 million declined 0.3% year-over-year. Within this, product revenue of $204 million was flat year-over-year, and services revenue declined slightly. We finished the quarter with over 11,500 customers and an average ARR per customer of approximately $72,000.

Turning to first quarter profitability, total non-GAAP gross margins of 72% were down approximately 280 basis points year-over-year, consistent with our expectations, driven by improved staffing in our global security operation centers. We reported non-GAAP operating income at $24.4 million, or a margin of 11.7%, favorable to our guidance. This upside to profitability drove non-GAAP earnings of $0.36 per diluted share. Free cash flow totaled $33.4 million in the first quarter, driven by strong collections. From a balance sheet perspective, we ended the first quarter with $670 million in cash equivalents, and short-term investments. In addition to these resources, we have a $200 million undrawn revolver in place.

Our cash and investment balances, undrawn credit facility, and continued free cash flow generation give us confidence in our ability to settle our March 2027 convertible debt upon maturity, as well as fund ongoing operations. This brings us to second quarter 2026 guidance. We expect to end the second quarter with ARR of approximately $820 million. On a sequential basis, we expect ending ARR for our core platform solutions, D&R and Exposure Management, will be approximately flat quarter-on-quarter, with an expected sequential ARR decline in our non-core standalone non-platform offerings. For the second quarter, we expect total revenue in the range of $207 million-$209 million, or down approximately 2.9% the midpoint on a year-on-year basis.

Non-GAAP operating income is expected to be in the range of $24 million-$26 million, or a margin of 12% at the midpoint. Non-GAAP earnings per diluted share are expected in the range of $0.33-$0.36 on approximately 78.3 million fully diluted shares. Updating our full year fiscal 2026 guidance, we expect total revenue in the range of $836 million-$842 million, a year-on-year decline of approximately 2.4% at the midpoint. We are raising non-GAAP operating income guidance to a range of $112 million-$118 million, or a full year non-GAAP operating margin of 13.7% at the midpoint.

As previously highlighted, the business exited 2025 with a higher expense run rate, reflecting 2025 investments across people, technology, and our India Global Capability Center. By closely managing ongoing investments, we expect non-GAAP operating margins to improve to the mid-teens as 2026 progresses, and we remain focused on continuing to improve operating margins in 2027. Non-GAAP earnings per share are expected to be in the range of $1.52-$1.60 per share on approximately 79.4 million fully diluted shares. We expect 2026’s free cash flow in the range of $125 million-$135 million for the full year, flat with prior year performance at the midpoint, and a free cash flow margin of approximately 15.5%.

In conclusion, there is a tremendous opportunity for cybersecurity companies who can help their customers respond at the incredible pace of new vulnerabilities and increasing attacks. Rapid7’s core platform offerings of detection and response and exposure management are uniquely positioned to help companies navigate these threats, which we believe presents a long-term growth opportunity for our business. With that, I’d like to turn the call over to the operator for Q&A.

Adam Borg, Analyst, Stifel1: If you’ve joined via the webinar, please use the raise hand icon, which can be found at the bottom of your webinar application. When you are called on, please unmute your line and ask your question. We kindly ask that you limit yourself to one question and one follow-up. Our first question comes from Mike Cikos with Needham. Please unmute your line to ask your question.

Adam Borg, Analyst, Stifel0: Hey, guys. Thanks for taking the questions here. Can you hear me okay?

Corey Thomas, Chief Executive Officer, Rapid7: Yeah, we can hear you just fine.

Adam Borg, Analyst, Stifel0: Terrific. Thank you again. I just wanted to start out with the guidance we have here for the ARR, and thanks for splitting out the core versus the non-core. Could you help us think about that core ARR business? Where are we specifically with the exposure management in helping that business start to see growth versus some of the headwinds we’ve seen in recent quarters?

Corey Thomas, Chief Executive Officer, Rapid7: Yeah, I mean, Raph and I can tag team it. On exposure management, we’re happy that we’re seeing the stabilization. I would not say that it is a growth driver, just to be clear. It’s not, we’re seeing the stabilization and improvements that we would expect, and we see good leading indicators that that business is sort of like set up to improve. It’s nothing that we can claim sort of success or improvement on. We’re still working through the upgrade cycle in a noisy environment. We are optimistic that the backdrop of what’s happening in AI gets customers refocused back on the need to actually take exposure management seriously as a priority, because there was lots of noise before about all the things people could focus on.

We’re certainly heartened by the early conversations, but that’s not something that we would translate directly into a forecast or guide at this stage.

Adam Borg, Analyst, Stifel0: Understood. For the follow-up here, again, I know we’re navigating the core versus the non-core ARR components. If I’m just looking at the guide we have here on the ARR for Q2, and I know you guys are only guiding a quarter out at this point, it is less than what consensus had been thinking about here. I’m just looking to see, can you give us a flavor for what the shape of the rest of the year looks like or any other things we should be mindful of as we navigate the next couple of quarters, since we are only getting that ARR data point from a guidance standpoint on a quarterly basis?

Corey Thomas, Chief Executive Officer, Rapid7: Well, you know, we’re only guiding the current quarter right now. As Rafe says, we’re getting a firm. We wanna make sure that you have the transparency as we go through it. The one thing I’ll comment on is clearly in the first half of the year, we’re seeing the non-core, which I talked about the other before, decelerating off at a faster rate. Our core is still a net positive contributor. You know, as that plays out, we’ll see how that plays out and whether we see the acceleration in Exposure, the impact of D&R. I would just say, give you revenue guidance, we feel very good about that. We have lots of confidence in all the measures that we actually got on.

We’ll keep you updated as we actually go along, but we’re not doing any further breakouts right now.

Adam Borg, Analyst, Stifel0: Thank you. I’ll leave it there.

Corey Thomas, Chief Executive Officer, Rapid7: Thank you. Appreciate it. Thanks.

Adam Borg, Analyst, Stifel1: Our next question comes from Matthew Hedberg with RBC.

Mike Richards, Analyst, RBC: Hey, guys. This is Mike Richards on for Matt. Appreciate you taking the question. Yeah, made a ton of sense when you were talking about, you know, the changes with Mythos and the other frontier models, and, you know, how that can act as a, as a tailwind for Rapid7. I was wondering about how, you know, these changes are impacting customers. You know, is there confusion in the market around frontier models and vulnerability discovery and what that means versus exposure management, or do they sort of get it? You know, just any details you guys can provide on what customers are thinking right now.

Corey Thomas, Chief Executive Officer, Rapid7: Yeah, Mike, it’s a great question. Look, 1, I think there’s probably more confusion with investors than there are with security experts, which we understand, which is why I wanted to clarify it in my prepared remarks. Look, most customers, there’s 2 classes of things that are going on, is customers that have the expertise on staff, and they’re expecting a lot more sort of like scale of vulnerabilities and confusion. What we’re hearing from them is the need to really focus on exploitability, understanding what’s on the environment. Focus on understanding reachability, what’s happening, and then remediation organization management at scale, which requires an understanding of the attack surface. These are all things that we’re focused on.

Frankly, though, we are accelerating our own efforts to make sure that we make it easier for customers to understand what are the vulnerabilities that matters most. What you’re seeing is a lot of real things, a lot of noise. What we wanna make sure is that, like, as things surge for customers, they are remediating and addressing the most important things first as quickly as possible. That’s the stance that we’ve taken there. What we’ve seen so far with customers is that those that are in the know, they understand that, they’re focused on it, and they’re asking us, "How can you help me actually manage the complexity of it? I’m gonna have a lot more to manage.

There’ll be a lot more real stuff that I actually have to address, but there’s gonna be a lot more noise too. Now there’s, I would just say a lot of customers that are less mature in their cycle, and, you know, the word vulnerability is vulnerability. Again, I actually think that what you’ll see often in security is that the knowledge does get out there. They will have to respond. They won’t be able to remediate everything that’s in place all at once. They too will actually have to understand it. I think the tricky part for investors is vulnerability, whether you do discovery or scanning or vulnerabilities in code, it all sounds the same, but they’re very different. Like, code-level vulnerabilities are very different than the vulnerability management, which is very different than exposure management.

Exposure management is about addressing the things that are actually exploitable and the vulnerabilities that actually lead to compromise and doing that at scale across the environment. There’s differences, but using the word vulnerability definitely can cause some nuance and confusion.

Mike Richards, Analyst, RBC: I appreciate it.

Corey Thomas, Chief Executive Officer, Rapid7: Great question.

Mike Richards, Analyst, RBC: That’s super helpful. Yeah, that’s super helpful. Just as a quick follow-up.

Corey Thomas, Chief Executive Officer, Rapid7: Yes.

Mike Richards, Analyst, RBC: Maybe just taking a step back from a, you know, a macro perspective, are you seeing any change in customer behavior as it relates to maybe geopolitical uncertainty or even just AI budget crowding out? As, you know, we’ve heard of more and more enterprises sort of running up on their AI budgets and, you know, that impacting other areas of enterprise software spend.

Corey Thomas, Chief Executive Officer, Rapid7: Yeah, I mean, look, I actually think everyone’s trying to figure out what’s the right way to budget and plan for it. You know, that is an obvious thing that like, you know, I don’t know an organization all over the world that’s not trying to figure out, like, what’s the right AI strategy? How do I budget for it? How do I plan for it? How do I deal with the leapfrogging that happens from time to time? I would just say universally, to be clear, this is a year where more than ever we’re seeing, regardless of what the domain is, customers are looking for, "How do I actually start showing real benefits and real outcomes from the technology?" It’s moving from pilots to delivery.

This is the thing that actually makes me excited about the investments that we’ve made organically and with Kenzo, is that customers are in the show-me stage, and they’re looking for, "How can you actually help me scale?" In our case, it’s how do we help them scale their security operations? ’Cause I hardly know any customers that are getting a lot more people allocated to their teams, They’re looking for technology and services to scale their security operations, and that’s where we’re focused. Thanks again for your questions.

Adam Borg, Analyst, Stifel1: Thank you. Our next question comes from Joseph Gallo with Jefferies. Please unmute to ask your question.

Joseph Gallo, Analyst, Jefferies: Hey, guys. Thanks for the question. I just want to ask, you know, one high-level one and one explicit about 2Q. High-level, you guys are investing in areas of growth, MDR, go-to-market, integrating AI. How should we think about the trade-off between stabilizing ARR growth and maintaining gross margins going forward? Any guardrails that we can think through?

Corey Thomas, Chief Executive Officer, Rapid7: Well, Rick and I can tag team this. You know, our team has a very clear mandate, is that we have to scale margins over time, and we feel that we have the right setup for that. You know, if you think about our MDR business, which is our fastest growing business, that also historically has had, frankly, less contribution margins at scale than some of the other businesses, that also is a business that we expect the gross margins to expand. That was a big part of the Kenzo thesis, is that we can deliver better service at better efficiency and better cost leverage, so we’re quite excited by that. We can deliver our customers a better experience and do it more efficiently, which is good for our investors too.

Just to be clear, is both myself and the full management team have a mandate that we have to actually expand margins over time. We are willing to make tactical investments to make sure we’re going the right way. It was absolutely the right thing to do this year as we saw the tsunami of cyber risk coming into customers, to make sure that we were properly staffed in our MDR environment to manage that and respond to that and make sure we’re delivering a great quality of service, which leads to long-term retention and expansion. We know that we can actually do more AI and automation to actually do some of those SOC services over time.

We feel very, very good that we made the right decisions and make sure the customers are set up well, but we are managing the business to expand margins over time.

Adam Borg, Analyst, Stifel2: I would just call out, you know, as we mentioned in our remarks, we do continue to expect to see bottom line margins improving as we go across 2026. You know, we’re very actively, when we do planning, we roll it out and look at those carry forward numbers to make sure we’re very conscious of run rates going into the next year. I, you know, I think we talked about in 2025 we saw some investment and we knew that would impact year-over-year comparisons as we go for the first part of the year. You’ll start to see the benefits of that and see those improving margins even here in 2026 as we move to the back half of the year.

Joseph Gallo, Analyst, Jefferies: Okay. No, that’s very clear and really helpful. Maybe just, yeah, a follow-up. I just wanna understand exactly what our takeaway should be with your 2Q ARR guide, right? 1Q declined to $8 million quarter-over-quarter, you’re guiding to another decline at $12 million. I’m just trying to understand, like, is that 20% of the non-platform business, is that churn getting worse? Is it, you know, lower expected new business for the 80% of the business that’s growing? We’re 1 month into 2Q. I’m just kinda curious what you’re seeing in 2Q that kinda indicates that, you know, new ARR might be a little bit worse than you saw in 1Q. Thanks.

Corey Thomas, Chief Executive Officer, Rapid7: I would just say, look, in 1Q, even though we’re not actively, even though we expect other or the non-core to actually churn, and it’s not a core area of focus and it’s not a core area of investment, when we see acceleration, we take a more cautious outlook about what that does. We definitely saw acceleration of the. We’re not adding new, it’s really just churn, just to be clear, and that’s of the standalone, non-core businesses. We saw acceleration of that in Q1. We are taking an appropriately, I think, thoughtful viewpoint of that as we actually go into Q2. We also just don’t wanna predict that we’re going to overcompensate for that by acceleration of core. That’s the primary driver and that’s the primary takeaway that I would have now.

I think that’s part of why Raf gave the commentary.

Adam Borg, Analyst, Stifel2: Yeah. I think that’s exactly right. We want to share that color on what’s exactly going on there because it is really important for everyone to see where our core business is, how it’s been growing, and have that clarity. That’s really going to be that long-term future for the organization. Those products will be the ones that we’re taking to customers on a regular basis. We hope by breaking that out, that kind of illuminates exactly what’s going on.

Joseph Gallo, Analyst, Jefferies: Yep. No, extremely helpful. Thank you very much for that. Thanks.

Corey Thomas, Chief Executive Officer, Rapid7: Thank you very much.

Adam Borg, Analyst, Stifel1: Our next question is from Adam Tindle with Raymond James. Please unmute to ask your question.

Adam Tindle, Analyst, Raymond James: Okay, thanks. Good afternoon. I just wanted to continue on the topic of core versus non-core. If I was to rewind back, Corey, I know the strategy was to really create a lot of synergy between the platform historically. I guess, you know, as we fast-forward to today and having one piece of the business that’s understandably, you know, kinda non-regrettable churn are in decline, how are you managing the impact on core while non-core churns? Meaning, you know, I imagine there’s some customer overlap. Why would churn in the non-core piece potentially not impact core? What are you doing to mitigate that potential risk?

Corey Thomas, Chief Executive Officer, Rapid7: No, it’s exactly the right question. Look, wherever you have dynamics, and just to remind you, like, non-core is things that are on the lower on the priority list, but it is also, you know, standalone business, some legacy stuff there. You hit the nail, you hit the core point is that as you manage these things, you know what we have to do well. We have to nail how we help customers scale their security operations, and the core of that is the Preempt platform with exposure management and detection response and how we weave that together. As you said, there’s a subset, not all of the customers are overlapping. Let’s be clear that we have a healthy amount of standalone customers. For customers that are overlapping, their experience matters deeply.

Our teams are actively working to make sure that we deliver those customers the right experience. In the world of rapid innovation at the pace of AI, we’re rapidly rolling out new services that are addressed their need, and we’re expanding their scope and their experience with them. If you look at some of the announcements that we’ve been making, we’ve been picking up our pace of innovation and our pace of things that we’re actually communicating to the market, our pace of what we’re actually providing customers as far as their existing subscriptions. Our view is if we do that well, if we keep delivering on that, we’re actually adding more strategic value in areas that matter more. We can actually really continue to focus in on those areas.

As you know, these type of transitions have to be managed well, and it’s something that we’re focused on doing.

Adam Tindle, Analyst, Raymond James: Got it. Okay. Yep, Raf, maybe just a quick follow-up. You talked about, obviously, you know, silver lining here has been profitability. I think you mentioned mid-teens operating margin in fiscal 2026 and threw in that you expect to continue to improve in fiscal 2027. Understandable that, you know, obviously not providing official guidance on 2027, that’s helpful to give us a sense of trajectory of the business. I guess as you know, think about that, you know, it’s uncommon that we see platforms that are undergoing, you know, growth pressure that are still able to scale and not experience, you know, that lack of leverage on the downside. What are the drivers, you know, in terms of your confidence in margins in mid-teens and continuing to improve in fiscal 2027?

any parameters that you’d like to set, just, so we can understand what continue to improve in fiscal 2027 might mean. Thanks.

Adam Borg, Analyst, Stifel2: Sure. I think what’s given us confidence as we go through 26 is like, first of all, you’ll recall that there was a great deal of investments across people and technology last year of opening up the India center.

Corey Thomas, Chief Executive Officer, Rapid7: You know, all of those things happened in 2025, you know, especially early parts of the year, the year-over-year comparisons, you know, you’re now bearing the brunt of that cost uptick. A lot of that work was in place to help build efficiencies in our organizations, giving us locations where we can, you know, give great productivity at an affordable rate. It’s extremely helpful. You know, having SOCs that are around the world on a global basis, extremely important to our customers, but also important to our efficient operations. As we, you know, get people ramped up and get that part of the business locked in, that’s what really is offering some efficiencies for us.

You know, we’re also being very careful in 2026 about cost management, you know, just across the board, we want to deliver on that commitment we’ve made about our margins. We’re being quite cautious about where we spend. Some of this plays out really as when we start talking about core versus non-core. Being really clear about where we should invest because we think that’ll drive long-term growth versus where we need to be more moderate in how we manage those costs. All of that coming together is giving us, you know, what we’re planning for 2026 and giving us confidence as, you know, we need to be looking at those run rates as we leave this year into next.

Adam Tindle, Analyst, Raymond James: Thank you.

Adam Borg, Analyst, Stifel1: Our next question comes from Jonathan Ho with William Blair. Please unmute and ask your question.

Jonathan Ho, Analyst, William Blair: Hi, good afternoon. Just wanted to maybe dig a little bit into sort of this emergence of the Mythos models. Like, how do we think about the broader opportunity set around MDR and CTEM evolving, you know, with that AI landscape? How does your product specifically maybe need to change to address, you know, sort of the emerging landscape?

Corey Thomas, Chief Executive Officer, Rapid7: Yeah. Let’s just, and if you guys can mute on the phone, please. Great question, Jonathan. I think that you have to first understand what’s changing for customers in order to understand, frankly, what the work that we’re doing that’s valuable and the work that we need to do differently. I think that’s a very good question, Jonathan. The first thing, what’s changing for customers? Customers are gonna see an influx of zero days. They’re going to see a much larger volume of vulnerabilities. They’re going to see more exploitable vulnerabilities, but the amount of vulnerabilities that they’re going to see are not all gonna be exploitable. Their ability to actually figure out what really matters is gonna be key. Their ability to actually manage remediation at scale in tighter time frames.

If, you know, if you could do a remediation in months before, then figuring out which stuff matters and manage the remediation, in days, as appropriate matters, and the things that should be weeks, and things that should be months. Keep in mind, we have a massive remediation backlog overall. The pace of what you’re looking at is being able to exploit vulnerabilities at speed and pace. Dwell time is actually shrinking, what you’re gonna see is people are gonna have to go from detection quickly to actually active response. That’s another significant change overall. When you put the picture together, customers are gonna be dealing with both the speed, the scale, and the need to respond quickly without breaking things. Now where does that actually go? Let’s just break down a couple things.

One, Rapid7 has had a long history of focusing on exploitability. Our security researchers are accelerating and moving our models and upgrading those to actually deal with the increasing insertion that we expect and the speed to actually really discern what’s exploitable from what’s not exploitable. The second thing is we actually, as we built out our overall exposure management framework, we believe that vulnerabilities are not the core thing that matter in and of themselves. It’s the intersection of vulnerabilities, how devices and networks and technology is configured, as well as the controls that are in the environment. After all, that’s what exploitability is. It’s the reachability combined with what controls are in place, what’s the configuration, combined with what’s vulnerable. We understand that better than most organizations in the world.

The last piece that we just invested in is Kenzo, which is actually to do detections quicker. The things that we’re changing from there is we’re upping the visibility and the understanding and ability to quickly process what’s exploitable in the environment. We’re accelerating the investments in our remediation management to help customers track and manage remediation across the environment. We were already bringing forth the Kenzo for actually instantaneous detection, but we’re also investing heavily in leveraging our understanding of both the configuration surface and the control surface to actually help customers understand what the best interdiction or immediate intervention options they have to contain attacks, because they will have to respond in the moment, and sometimes a full remediation is not available.

I know that was a lot, Jonathan, but those are the things that are changing for the customer, the things that we’re investing in, and frankly, the things that we’re accelerating and changing in our environment, in our technology stack.

Jonathan Ho, Analyst, William Blair: Thank you. I’ll keep it to one.

Adam Borg, Analyst, Stifel1: Thanks.

Corey Thomas, Chief Executive Officer, Rapid7: Thank you. Appreciate it.

Adam Borg, Analyst, Stifel1: Our next question is from Eric Heath with KeyBanc.

Eric Heath, Analyst, KeyBanc: All right. Thanks for taking the question. Maybe one for Corey, one for Rafe, if I may. Corey, I mean, Project Glasswing’s been out for about a month, and it feels like there is a lot of urgency out there, so just curious what impact you’ve seen thus far in 2Q in the pipeline. For Rafe, very much appreciate the color on the platform growth and the guidance, but any specificity you can give on how net new ARR in 1Q was for core platform, and then just how we should think about maybe the exit rate for the non-core platform products as we exit 2026. Thanks.

Corey Thomas, Chief Executive Officer, Rapid7: Yeah, I mean, I’ll hit it before ’cause I’ve actually hit on it partially before. With Glasswing, I think, you know, there’s two things. There’s a small cohort of our customers who have actually seen it and accessed it, and they wanna, they want insights into how we help them deal with the true exploitable ones and also the volume and the noise. That’s very straightforward. That feedback and that engagement with customers is driving some of the strategy that I talked about earlier. Then there’s those that are on the outside and trying to figure it out, and frankly, they’re looking for a perspective about how much does this change their technology strategy? You know, do they have to put all new projects on hold and just do remediation for the next six months?

If so, what type of remediation? I think they’re in an assessing mindset, just to be clear, and that’s why I say we’re still in the early days because lots of organizations don’t know what the magnitude of the impact is specifically for them.

Adam Borg, Analyst, Stifel2: Yeah. Then just to add a bit more color on the first quarter. I would say, first of all, you know, we were really pleased with the sales organization and their hard work in Q1. You’ll recall that we had a new leader, Alan, join late last year. He’d made a few changes on the team, even in, you know, even as we started this quarter. Yet the team really executed well, very much hustled and, you know, we saw an uptick in productivity across the quarter. We saw just, you know, good execution on a lot of operational details that are just really important to running a sales organization. I think hats off to the sales team on delivering good results there.

That translates into our core platform solutions where you saw, you know, first of all, within core, the Detection and Response business, which is, you know, now 55% of total ARR. I think that’s a little bit more color than we’ve shared in some of the past quarters on that, growing at 7% on a year-over-year basis. That’s, you know, new net of any churn we had in the quarter. That’s a really strong leader. That, you know, combined with Exposure Management solutions, which, you know, which rounds out the core solution, that whole total group was growing at 2%.

you know, good execution on the top line, you know, good work from the product team helping our customers and just execution all around made sure that core numbers were growing in the first quarter.

Adam Borg, Analyst, Stifel1: Our next question is from Shrenik Kothari with Baird. Please unmute to ask your question.

Adam Borg, Analyst, Stifel3: Yeah. Thanks a lot for taking my question. Just a follow-up to Jonathan’s question, and Corey, thanks a lot for the color with frontier AI, the value, how it’s shifting or will shift towards remediation at scale and the exposure validation. That makes total sense. Just in terms of monetization opportunity and timing-wise, just wanted to get your thoughts in practice. Like, how do you think that shows up in this post-frontier AI model world in terms of MDR, in terms of the urgency for Exposure Command upgrades, in terms of runtime validation and just a broader platform? Then I had a quick follow-up.

Corey Thomas, Chief Executive Officer, Rapid7: Yeah. Look, our current plan is it is a, you know, it’s not even a single, it’s probably a double, using baseball parlance, for just to actually be a catalyst to actually help move the priority of exposure management back to the forefront, which actually helps significantly with the VM upgrade initiative and focus. That’s our focus. We’re not looking to actually charge incrementally for it. We think we actually have a monetization plan that’s already attached to it. Seeing the VM to Exposure Command acceleration in the upgrade program is where we plan to primarily see the monetization. We’re accelerating some things along with that strategy. We’re refocusing and tightening, we were on this path about how you actually manage remediation at scale.

How do you actually really assess exposures from both a control and a configuration standpoint? The last thing is how you actually do active response overall. I would just say the focus doesn’t change, but from that perspective, we should see the monetizations there. On the MDR side, you know, it’s going to be interesting because I think the thing that I’m talking to most customers about is, you know, Customers are getting comfortable. They know now that they will have to enable active response and do more automation and more AI-driven response across their portfolio, and they’re getting comfortable with that. Our goal is to actually lead that discussion with trust. That is an expansion area. That’s an investment area. It’s a potential monetization area, but it’s just a little bit too early there.

That’s, you know, one of the biggest incremental areas, I would just say, of focus that we’re recalibrating resources for, is how do we actually shift the active response to machine speed, while ensuring that we can actually do that safety based on our knowledge of the overall attack surface, the control surface, and the configuration surface.

Adam Borg, Analyst, Stifel3: Very helpful. Thanks a lot, Corey. Just a follow-up, Rafe, you talked about, of course, prudence in the non-core guide and more confidence in the core platform growing. Just in terms of the go-to-market changes that have been put in place, bear fruit as Corey mentioned, productivity improving. Just can you unpack a little bit, like, what’s happening in the plumbing? Like, are you seeing just, again, in your words, Corey, I mean, is there a healthier mix of more singles than doubles now? Is the channel source pipeline becoming more efficient? Is there more better upgrade motion to, like, which ones are showing up?

Corey Thomas, Chief Executive Officer, Rapid7: The big one is that Raef has, yeah, right. Alan has really tightened in the focus on making sure that we’re actually selling the core, which is, again, the D&R exposure and the Command Platform integrated capability. You know, one thing is that when you actually have a strategy, you’re not actually selling, you know, all over the place. We actually have a tighter focus there. We’re seeing tighter pipeline builds in those areas and more focused, consistent execution. You know, the biggest thing is that, like, you know, as we set targets, we actually hit the targets. Now, we all wanna actually see acceleration, and we wanna see the growth go faster. I will say that we actually have the confidence in the trends of how we’re seeing the business performance starting to actually shift.

We want everything to go faster, but we’re seeing the confidence in the, both the management and the visibility, that gives us a lot of confidence about how we actually see the year spanning out.

Adam Borg, Analyst, Stifel3: Got it. Thanks a lot.

Thank you very much.

Adam Borg, Analyst, Stifel1: Our next question is from Meta Marshall with Morgan Stanley. Please unmute to ask your question.

Abhishek Murli, Analyst, Morgan Stanley: Hi, this is Abhishek Murli on for Meta Marshall. Thanks for taking the question. Congrats on the quarter. I wanted to touch on Kenzo Security and kind of where that product sits in the roadmap in the context of AI-driven investigation. Can you kind of clarify what capabilities have already been incorporated into customer workflows versus, like what kind of remains in development? Just, should we think of it as more of a improving of productivity or a customer-facing remediation and kind of just any further details on that?

Corey Thomas, Chief Executive Officer, Rapid7: Well, Kenzo was excellent. Both the data dimension and their model was extraordinarily at doing investigations at scale. You know, it was an alert processing engine that allowed you to come in and process alerts from all over the environment. We’re in the act of integrating it in right now, just to be clear. It’s not like a done integration. It’s probably, you know, the biggest thing, we all like are like, "Hey, that has to happen fast," you know, it has to go fast. The team has come in. We’re in the process of integrating it in. We’ll be rolling it out to customers starting the next couple of months, but rolling out through the rest of this year, you know, rolling out through the rest of this year. That’s the biggest thing.

If you say, like what’s the core of what Kenzo does? It is an AI platform for actually processing alerts and doing high-quality investigations at scale. To add some context specifically, for investors and for people on the call is that, you know, typically what a SOC analyst who typically does this is, you know, they get an alert in, one, they have to make sure it’s not deduplicated. I would just say over time, SIEM did not do a good job of this. D&R systems like Rapid7s did a good job with the deduplication. We’ve already been making advances here.

You have to go out and actually do all of the knowledge collection and contextualization to actually say, "What’s all the data I need to gather to actually figure out whether this is real or false?" Once you actually had a sense of whether it was real, then you actually had to actually do another level of investigation to figure out like how bad it was in the environment and what you actually need to contain and remediate there. That took days, just to be clear, hours and days. Kenzo is excellent at doing that at massive volume, massive scale, but in machine speed. It’s much faster, and it has better efficacy rates overall.

We’re both taking it in, we’re applying the model, and we’re extending the model out, to actually hit not just alerts, but a much wider range of data sources as we go forward. The other part that we’re actually adding into Rapid7 is that because we have so much deep knowledge of the environment, is we have a much wider range of response options that are available. Now, again, that is new development effort that’s happening. I don’t wanna get too far down the path. Customers do need to know how they can actually respond at speed and scale. Some of that’s gonna be using our technology, some of that’s gonna be using third-party technology. We have the brain to know which type of controls and systems to leverage at scale.

Whether that’s existing controls or whether that’s new startups that are actually in the space that actually make changes in the environment. We have that knowledge and that expertise to actually know what’s most efficient to apply at scale based on our knowledge of the environment.

Abhishek Murli, Analyst, Morgan Stanley: All right. Thank you.

Adam Borg, Analyst, Stifel1: Our next question is from Adam Borg with Stifel. Please go ahead.

Adam Borg, Analyst, Stifel: Awesome. Thanks for fitting me in, and I’ll just stick to 1. Maybe Corey, you talked really, I think at length in a good way about how the frontier models are driving, you know, increased vulnerability, you know, identification, but that’s really where the tailwinds begin for you. I think you talked about, you know, customers understanding how these frontier models fit in, and investors may be a little bit more confused on their role over time. Maybe just to that latter point, if you could help us understand, like what’s preventing these frontier models from moving just from identification of vulnerabilities more towards the exploitability, the reachability, the prioritization and the remediation that you talked about. They seem to be talking that they’re moving that direction.

Any way you could talk about the moats that, you know, a vendor like yourself has to prevent that from occurring would be really helpful. Thanks.

Corey Thomas, Chief Executive Officer, Rapid7: Yeah. There’s three different moats that matter. I think I want to say, just to be clear, I want to say versus the frontier models, ’cause we actually leverage frontier models inside of Rapid7. Anyone who’s not leveraging frontier models is like, you know, like just not going to be relevant. I want to be clear. This is about where the actually use cases matter and don’t matter and not. I want to frame that up and be clear. There’s a couple things that are actually significant clear moats that you actually have to do. One is just that like if anyone’s actually used frontier models in any environment at any scale, you actually know you have to actually discern what’s the cost of the activity you’re actually doing.

Look, someone can actually go scan and do exploitability analysis in the environment and do all of that. Just to be clear, they’re paying a lot more than what you actually get for the same information in the core vulnerability management system. They’re not designed to do that. Now, could they build specialized thing and specialized software to actually do that? Potentially, yes. Again, then you’re just building the product, and you can actually say you’re actually building the product and you have knowledge. That’s one is that like cost does matter, and we actually do it efficiently at scale and at cost. As someone who’s tested out some of these systems, in the environments, trust me, you can run up a fair amount of money doing what you think is a very straightforward scan.

By the way, that’s proven out in their own data that they actually go. I would just say we actually can’t miss that. The second thing that you have to say is that like it’s not whether it’s vulnerable, it’s, is it actually exploitable in the environment? Exploitability means you have to understand not just the vulnerability, you have to understand the configuration of the complete environment, and you have to understand the controls in the overall environment and how they intersect. You could make a technology to do anything, but that is actually specialized both knowledge and data that we’ve optimized around to understand the question about what’s actually both exploitable, what’s reachable, and how is that configurable in the overall environment.

The last thing, the core one about how you actually want to actually take action and respond in the environment. Look, I have a high trust, but I don’t think anyone wants a frontier model in their environment, running rampant in the environment that can actually make configuration changes, do active defense, active response in the environment. For models that are updated all the time, without clear visibility and understanding of what can change, and by many of the author’s own admission, it’s just like that’s just not the way that most people are gonna have the trust to actually deal with security. To get to the core things is that we have deep expertise and understanding of the domain. Yes, AI does a lot. By the way, it’s an accelerant for us.

The cost of doing these things at scale does matter to customers, and it will matter to customers over time. When you think about the autonomous response, you both need the knowledge base, but you also need the trust. This is why I say, like, we’re building active response, but it’s built on a system of trust and knowledge, and that’s a big deal because you do not want your active response being too smart and being too clever. If you get the keys where these systems can take over and actually have access to make any type of change in the environment overall, you can have very minor errors that actually cause catastrophe for organizations.

Again, most CISOs and frankly most IT people know that, they’re looking for things that actually do the mission and do it well and do it cost-effectively. I know that was long-winded. Again, we’re adopters of the technology, it’s important to understand, like, the constraints there too.

Adam Borg, Analyst, Stifel: Incredibly helpful. I really appreciate it.

Adam Borg, Analyst, Stifel1: Our last question comes from Gray Powell with BTIG. Please unmute to ask your question.

Gray Powell, Analyst, BTIG: Okay, great. Thank you very much. Just wanna make sure, can you hear me?

Yes.

Yes.

All right. Excellent. Well, thank you for taking the question. I think you hit on this before, but I just want to circle back on sort of the non-core products and how we should think about that trend line stabilizing over the next 12 months. Just if I’m doing math correctly, ballpark terms, you know, I would assume that non-core is maybe a little over $150 million-ish in ARR. Q2 guidance implies that it’s down about $10 million. Is there a level where we should think about that number stabilizing? They are existing customers, like, why is there not an opportunity to upsell them on the platform? Is there like a conversion opportunity there?

Corey Thomas, Chief Executive Officer, Rapid7: Thank you for the question. I think the best way to think about what we’re trying to do is build out robust platforms that are attractive to our customers. I think, you know, a couple things. First of all, some people, some of our customers have platform offerings but may have also bought something standalone that’s out there, right? That is part of the equation. As Corey mentioned, like, it’s very important that we take care of these customers and that their whole experience with Rapid7 is very important. We do think there is also an opportunity for those who may not have a platform solution, that the best thing for them is to migrate onto one of our platforms, right? We’re looking for technologies that we can integrate in and make that platform more rich.

That’s really our number one focus around those customers. You know, I wanted to break that out because this trend has actually been going on, you know, behind the scenes for some period of time, for the last few quarters, of where you’ll see those, you know, standalone non-core offerings. That’s actually where we’ve had more of the challenges on the renewal front. You know, what we’re really calling out here is we’re focused, we’re building attractive platforms with robust technology, and that creates that upgrade path for many of our customers, but it also allows us to focus on meeting the demands of the market at present.

Gray Powell, Analyst, BTIG: Understood. Okay. Thank you very much.

Corey Thomas, Chief Executive Officer, Rapid7: Thank you very much.

Adam Borg, Analyst, Stifel1: Thank you, everyone, for joining. This concludes today’s call. You may now disconnect.