Rapid7 (NASDAQ: RPD) executives said the company exceeded its first-quarter fiscal 2026 guidance across all guided metrics, while continuing to reorient the business around its “core platform” offerings in detection and response and exposure management. Management also highlighted an acquisition aimed at accelerating what CEO Corey Thomas described as a shift in cybersecurity from reactive defense to “preemptive exposure management, autonomous detection, and remediation at scale.”
Q1 results: ARR and profit outperformance amid mixed business trends
Thomas said Rapid7 delivered “outperformance against all guided metrics,” reporting total annual recurring revenue (ARR) of $832 million and revenue of $210 million for the quarter. He added that non-GAAP operating income was $24 million and free cash flow was $33 million.
CFO Rafe Brown, who said he has been at Rapid7 for five months, reported revenue of $209.7 million, down 0.3% year-over-year. Product revenue of $204 million was flat year-over-year, while services revenue declined slightly. Rapid7 ended the quarter with more than 11,500 customers and average ARR per customer of about $72,000, according to Brown.
On profitability, Brown said non-GAAP gross margin was 72%, down about 280 basis points year-over-year, which he attributed to “improved staffing in our global security operation centers.” Rapid7 posted non-GAAP operating income of $24.4 million, or an 11.7% margin, and non-GAAP earnings of $0.36 per diluted share. Free cash flow was $33.4 million, driven by “strong collections,” Brown said.
Core platform vs. non-core: Management reframes the business mix
Brown provided a detailed framework for how management is viewing Rapid7’s portfolio. He said the company should be thought of as two groupings:
- Core platform solutions: detection and response (including MDR) and exposure management (including vulnerability management and Exposure Command), which Brown said represent “more than 80%” of total ARR.
- Standalone non-platform offerings: products that have been declining year-over-year as customers shift toward platforms and which management characterized as profitable but not central to its strategy.
Brown said the core platform group grew about 2% year-over-year, led by detection and response, which he said is about 55% of total ARR and grew about 7% year-over-year. He said the exposure management business within core was partially offsetting growth, though he noted momentum in “more holistic Exposure Command offerings,” including migrations by existing customers.
In contrast, Brown said non-platform products declined and “have been the driver of the sequential net ARR declines we have witnessed in recent periods.” Thomas echoed that dynamic in Q&A, saying Rapid7 saw “acceleration” of churn in the non-core business during Q1 and that the company took “a more cautious outlook” in its Q2 ARR guidance as a result.
Cybersecurity and AI: “Frontier models” as a tailwind, not a threat
Thomas spent much of his prepared remarks arguing that advances in AI are accelerating the threat environment and increasing the volume and velocity of vulnerabilities enterprises must address. He cited examples including “Anthropic’s Mythos and Google’s Big Sleep,” and said Mythos “surfaced more than 2,000 previously unknown vulnerabilities in 7 weeks.”
However, Thomas argued that while vulnerability identification is becoming commoditized, operationalizing vulnerability management is not. “It has not commoditized the operational reality of managing those vulnerabilities across complex enterprise environments,” he said, adding that it makes detection and response and exposure management “all the more essential.”
In Q&A, Thomas said he sees more confusion among investors than among security practitioners, emphasizing differences among “code-level vulnerabilities,” vulnerability management, and exposure management. He also described customer demand for prioritization based on “exploitability” and “reachability,” as well as remediation management at scale.
Asked what prevents frontier models from moving deeper into exploitability and remediation workflows, Thomas outlined what he called three “moats,” emphasizing cost efficiency at scale, the need for specialized data and domain knowledge to assess exploitability based on vulnerabilities plus configurations and controls, and the trust and safety requirements for autonomous response in production environments.
Kenzo Security acquisition and product roadmap emphasis
Thomas said Rapid7 acquired Kenzo Security during the quarter, describing it as “an agentic platform built to run security operations autonomously and at machine speed.” He said the deal is intended to accelerate Rapid7’s AI SOC vision, shifting investigations from “a per alert investigation model to a system-driven one,” and he tied the acquisition to both MDR growth and potential margin improvement via “software-driven efficiency.”
In response to analyst questions about integration, Thomas said Rapid7 is “in the act of integrating it in right now,” calling it “not like a done integration.” He said Kenzo capabilities would begin rolling out to customers “starting the next couple of months,” continuing “through the rest of this year.” He characterized Kenzo’s core strength as processing alerts and conducting investigations at scale at “machine speed,” and said Rapid7 is extending the model to cover “a much wider range of data sources.”
Thomas also highlighted two Exposure Command capabilities released in March: runtime validation for cloud environments and data security posture management (DSPM). He described these as mechanisms to reduce noise by identifying which vulnerabilities are actually exploitable in a customer’s environment and mapping where sensitive data resides and who can access it.
Guidance: Q2 ARR decline expected, revenue down; operating income outlook raised for the year
For the second quarter, Brown said Rapid7 expects to end the quarter with ARR of about $820 million. He said core platform solutions are expected to be “approximately flat” sequentially, while the company expects a sequential ARR decline in non-core standalone offerings.
Rapid7 guided Q2 revenue to $207 million to $209 million, which Brown said implies a year-over-year decline of about 2.9% at the midpoint. Non-GAAP operating income is expected to be $24 million to $26 million (about a 12% margin at the midpoint). Non-GAAP EPS is expected to be $0.33 to $0.36 on about 78.3 million fully diluted shares.
For full-year fiscal 2026, Brown guided revenue to $836 million to $842 million, representing about a 2.4% year-over-year decline at the midpoint. He said the company is raising non-GAAP operating income guidance to $112 million to $118 million, implying a 13.7% non-GAAP operating margin at the midpoint. Non-GAAP EPS is expected to be $1.52 to $1.60 on about 79.4 million fully diluted shares, and free cash flow is expected to be $125 million to $135 million.
Brown also discussed liquidity and debt, saying Rapid7 ended Q1 with $670 million in cash, cash equivalents, and short-term investments, plus a $200 million undrawn revolver. He said those resources and ongoing cash generation support Rapid7’s ability to settle its March 2027 convertible debt at maturity and fund operations.
Throughout the call, executives reiterated a focus on operating discipline and margin improvement. Thomas said the management team has “a mandate that we have to actually expand margins over time,” while Brown said the company expects non-GAAP operating margins to improve to the “mid-teens as 2026 progresses” and that the company remains focused on improving operating margins in 2027.
About Rapid7 (NASDAQ: RPD)
Rapid7, Inc. is a publicly traded cybersecurity company headquartered in Boston, Massachusetts. Since its founding in 2000, the company has specialized in delivering cloud-based security data and analytics solutions designed to help organizations detect, investigate, and remediate cyber threats. Rapid7 operates under the NASDAQ symbol “RPD” and serves a broad range of industries, including technology, financial services, healthcare, retail, and the public sector.
The core of Rapid7's offering is its Insight platform, a unified, cloud-native security operations and analytics suite.
This instant news alert was generated by narrative science technology and financial data from MarketBeat in order to provide readers with the fastest reporting and unbiased coverage. Please send any questions or comments about this story to contact@marketbeat.com.