Rapid7, Inc.

Good day, everyone. My name is Kahe Alani, and I'll be your conference operator today. At this time, I would like to welcome you to the Q1 2026 Rapid7 earnings call. All lines have been placed on mute to prevent any background noise. After the speaker's remarks, there will be a question and answer session. If you would like to ask a question during this time, and if you have joined via the webinar, please use the raise hand icon, which can be found at the bottom of your webinar application. At this time, I would like to turn the call over to Matt Wells, Vice President of Investor Relations.

Thank you, Operator, and good afternoon, everyone. We appreciate you joining us. Today, we will be discussing Rapid7's first quarter fiscal 2026 financial results. We've distributed our earnings press release over the wire, and it can be accessed on our investor relations website. With me on the call today are Corey Thomas, our CEO, and Rafe Brown, our CFO. As a reminder, all participants are in a listen-only mode, and a question-and-answer session will follow our opening remarks. Before I hand the call over to Corey, I want to note that certain statements made during this conference call may be considered forward-looking under federal securities laws. Such statements are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995 and include our outlook for the second quarter and fiscal year 2026, any assumptions for fiscal periods beyond that period, and our positioning, strategy, business plan, operational improvements, and growth drivers. These forward-looking statements are based on our current expectations and beliefs and information currently available to us. While we believe any forward-looking statements we make are reasonable, actual results could differ materially due to a number of risks and uncertainties, including those contained in our filings with the SEC. Reported results should not be considered as indicative of future performance. We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events, or otherwise, except to the extent required by applicable law. Further information on these forward-looking statements and risk factors are included in the filings we make with the SEC, including the section titled Cautionary Language Concerning Forward-Looking Statements in our earnings press release. Additionally, over the course of this call, we'll reference non-GAAP measures to describe our performance. Please review our earnings press release and filings with the SEC for a rationale behind the use of non-GAAP measures and for a full reconciliation of these GAAP to non-GAAP metrics. These documents, in addition to a replay of this call, will be available on the Rapid7 Investor Relations website. And with that, I'd like to turn the call over to Corey.

Thank you, Matt, and welcome to everyone joining Rapid7's first quarter 2026 earnings call. Let me start by sharing insights from the influx of conversations we've been having with customers as they navigate the rapidly evolving cyber landscape. CIOs and CISOs are telling us the same thing in different ways. Advances from frontier models have fundamentally accelerated the threat environment and outpaced operating models built to defend against it. Vulnerabilities can now be discovered and exploited autonomously, and attackers are moving at machine speed. This fundamentally rewrites the value equation in security. The premium is no longer on detecting threats faster after they emerge. It shifts to preemptive exposure management, autonomous detection, and remediation at scale, closing the windows attackers exploit before they can be exploited at all. This is precisely the environment that plays to our strengths. And that's why our investments in the AI SOC and preemptive security operations are resonating so strongly with customers. The shift we're enabling from reactive to preemptive, from human scale to machine scale, is not a marketing reframe. It's the only viable path forward for teams that need to anticipate where attackers will move next, prioritize the exposures that actually matter, and respond at the speed of modern attacks. Customers are looking for a partner who can unify their data, apply AI with the right context, drive remediation and scale, and translate all of it into measurable outcomes. That is exactly where we are focused. The core platform we're building across detection response and exposure management is becoming the foundation customers turn to as they modernize for this new threat reality. By unifying exposure and inspection on the command platform and combining AI-driven operations with the depth of expertise that we've built over 25 years, we're giving customers a single, coherent way to reduce risk, disrupt attackers, and build durable cyber resilience. The opportunity in front of us has never been clearer, and our conviction in this strategy has never been higher. Turning to the first quarter, I am pleased to report that Rapid7 delivered outperformance against all guided metrics. ARR of $832 million and revenue of $210 million were driven by sustained growth in our detection response business, offset by trends in other parts of our business, particularly our non-core standalone offerings. Non-GAAP operating income of $24 million exceeded our guidance and helped drive strong free cash flow of $33 million. Our quarterly results reflect a greater focus on balancing strategic investment and driving scale in the business. In detection response, ARR growth of approximately 7% was driven by strength in MDR business. Our approach to delivering AI-enabled SOC combined with deep services expertise continues to receive strong market validation. In this quarter, we added a new Fortune 500 customer and a seven-figure ARR deal. In exposure management, we'll continue to simplify the migration process of upgrading our large vulnerability management base into the exposure command platform. Our approach to a unified AI-driven exposure platform continues to resonate with new and existing customers. In this quarter, a large Fortune 500 customer consolidated on Rapid7 as their exposure platform of choice in a competitive deal cycle. In the quarter, we acquired Kenzo Security, an agentic platform built to run security operations autonomously and at machine speed. This is a direct accelerant to our AI stock vision. Kenjo's data mesh shifts customers away from a per alert investigation model to a system-driven one. Coverage scales with the environment, not headcount. This unlocks two things, a meaningful tailwind for MDR growth and a path to higher contribution margins through software-driven efficiency. Most importantly, Kenzo opens the door to the full MDR market. Rapid7 is evolving into a preemptive agentic security platform that accelerates the entire SOC, delivered either as a managed service or a self-managed platform. By combining deep MDR expertise with exposure-driven visibility into vulnerabilities and attacker behavior, Rapid7 enables organizations to detect, investigate, and stop threats earlier. We also continue to innovate on our exposure command platform, delivering two major capabilities, runtime validation for cloud environments and data security posture management to strengthen proactive exposure reduction across hybrid environments. In plain terms, we no longer just tell customers what their vulnerabilities are. We tell them which ones are actively being exploited in their environment. Runtime validation determines what attackers can actually reach in production. And DSPM maps where the high-value data lives and who has access to it. Together, they collapse the noise and surface to the small set of exposures that actually matter. These steps accelerate the playbook we shared with you in February. Strategically investing in our AI-enabled SOC to deliver preemptive security infrastructure, while also deploying expert talent towards high-value customer engagements that AI cannot replicate. Turning to customer wins in the quarter. Rapid7 continues to be the partner of choice for global organizations securing complex on-prem, cloud, and hybrid environments. The go-to-market changes Allen, our chief commercial officer, put in place at the start of the year are beginning to bear fruit. We are running a sharper, more focused organization, and productivity has improved. While it's still early, the operating discipline we're committed to in February is beginning to take hold, and we believe that as an organization, we can continue to drive efficiencies over the middle term. In this quarter alone, a Fortune 500 mining company with global operations selected Rapid7 as its MDR provider of choice in a seven-figure deal. This was a long, competitive sales cycle in which our SIEM and detection response capabilities stood out to their security leaders. Rapid7's history managing cloud, hybrid, and on-prem environments and strong technical knowledge helped cement this decision. After years of only covering a portion of its environment, a global Fortune 500 aviation manufacturer expanded with Rapid7 as their preferred global exposure management provider in a large six-figure deal. The capabilities of our command platform combined with our in-house technical talent were resonant points during the expansion process. And lastly, a leading health services provider selected Rapid7 as their MBR provider of choice in a large six-figure deal. Previously, subsidiaries of the organization used disparate tools and lacked unified coverage. Rapid7's ability to address challenges at a regional and local level, in addition to a unified coverage across ecosystems, stood out to security leaders at the organization. Now, before I pass the call to Rafe, I want to dive deeper into implications of the unprecedented shift front-tier models bring to the security landscape. And I want to be clear that this market shift is a long-term tailwind for us, not a threat. Vulnerability discovery has been accelerating and commoditizing for years, driven by advances in AI coding and reasoning, and frontier models like Anthropix's Mythos and Google's Big Sleep have made that trajectory undeniable. Mythos surfaced more than 2,000 previously unknown vulnerabilities in seven weeks. That is a new baseline. But here's the part of the stories that headlines miss. Mythos commoditized vulnerability identification. finding bugs in code. It does not commoditize the operational reality of managing those vulnerabilities across complex enterprise environments. It does not commoditize detection and response. It does not commoditize exposure management. If anything, it makes it all the more essential because the volume and velocity of findings every enterprise has to act on is about to increase dramatically. The value is migrating in three directions, and RAPID-7 is at the intersection of each trend. First, remediation at scale. The command platform provides the granular visibility and tracking required to manage thousands of filings across hybrid environments. Combined with our SOAR capabilities and Kenzo's agentic AI, we are moving from traditional patch management towards AI-native remediation, identifying flaws and deploying fixes autonomously. Second, detection response. A faster discovery cycle on the attacker side means a faster response cycle on the defender side. Kinzo accelerates our MDR service from AI-assisted workflows to autonomous machine speed investigation. Detection is no longer the bottleneck. It becomes a precursor to near instantaneous response. And third, preemptive exposure management. Our March releases of runtime validation and data security posture management move exposure command from continuous assessment to continuous validation, telling customers which exposures are actually exploitable in their environment against their sensitive data, given their identity surface. This is the shift the market is describing. It is the shift that Rapid7 has been building toward. More vulnerabilities found means more demand for operational platform that turns findings into outcomes. To close, this is the moment of real change in our industry. We have the data foundation. We now have a step change AI capability accelerated by Kenzo. And we have the expertise customers do not get from a model alone. The team is executing with urgency. The operating discipline is taking hold, and the work we're doing this year sets up share gains we expect to deliver over the medium term. With that, I'd like to pass the call to Rafe to discuss Q1 results in more detail and our updated 2026 guidance. Rafe, over to you.

Thank you, Corey, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers except revenue and balance sheet items mentioned during my remarks today are non-GAAP. Please refer to our earnings release and SEC filings for additional details regarding the presentation of our results and guidance metrics. In the first quarter of 2026, I am pleased to report that we exceeded guidance across all guided metrics. We finished the first quarter with total ARR of $832 million. But let me add a bit more color. I've now been at Rapid7 for five months, making this a good opportunity to step back and share some of my observations, which I think will also help you better understand our underlying mix of businesses, as well as the rationale for the strategy we are pursuing. A key takeaway is that while many people think of Rapid7 as a VM and DNR provider, that categorization of our business is incomplete. I believe that the business should be thought of in two distinct groupings. First, our core platform solutions group, comprised of our detection response solutions, which includes MDR, and our exposure management business, which includes VM and exposure command. These core platform solutions constitute more than 80% of our total ARR and have been the sustained growth driver in our business in recent years. As you know, we have different underlying trajectories within core platform solutions, led by our strong MDR business and work underway to return the exposure management business to growth. These core platform solutions are where our business is focused. As such, the performance of our core platform solutions is the clearest indicator of the ongoing transformation within Rapid7. And they are the solutions where we are concentrating product development and go-to-market resources. The remainder of our business mix or second grouping consists of standalone non-platform offerings. As customers have shifted towards platform-based offerings over the past few years, these standalone non-platform products have declined on a year-over-year basis. While they remain profitable and we continue to support our customer using these products, standalone non-platform offerings are not central to our strategy. As a result, they have experienced declines and have been the driver of the sequential net ARR declines we have witnessed in recent periods. With the benefit of that context and framing, let me unpack our Q1 ARR performance. Our core platform solutions, which now total over 80% of our overall ARR, as I shared moments ago, grew approximately 2% on a year-over-year basis. Led by our strongest offer in the group, our detection response business, which had approximately 55% of total ARR, grew approximately 7% on a year-over-year basis. While DNR growth was partially offset by our exposure management business within these core platform solutions, we remain pleased to see ongoing momentum in our more holistic exposure command offerings driven by both new customers and customers migrating to this new platform. We're not where we want to be across all elements of our core platform solutions, but re-accelerating the growth of these core platform solutions is the focus of our strategy and where we are placing our bets, as you heard Corey describe in detail earlier. In contrast, our non-platform products declined in the quarter, driving the sequential decline we saw in total ARR. As we plan for the remainder of 2026 and beyond, we see opportunities to optimize margins for these standalone non-platform solutions as we take steps to improve the alignment of our investment resources to our growing core platform solutions. Returning now to other important metrics. Total revenue of $209.7 million declined 0.3% year over year. Within this, product revenue of $204 million was flat year over year and services revenue declined slightly. We finished the quarter with over 11,500 customers and an average ARR per customer of approximately $72,000. Turning to first quarter profitability, total non-GAAP gross margins of 72% were down approximately 280 basis points year-over-year, consistent with our expectations, driven by improved staffing in our global security operations centers. We reported non-GAAP operating income of $24.4 million, or a margin of 11.7%. favorable to our guidance. This upside to profitability drove non-gap earnings of $0.36 per diluted share. Free cash flow totaled $33.4 million in the first quarter, driven by strong collections. From a balance sheet perspective, we ended the first quarter with $670 million in cash, cash equivalents, and short-term investments. In addition to these resources, we have a $200 million undrawn revolver in place. Our cash and investment balances, undrawn credit facility, and continued free cash flow generation give us confidence in our ability to settle our March 2027 convertible debt upon maturity, as well as fund ongoing operations. This brings us to second quarter 2026 guidance. We expect to end the second quarter with ARR of approximately $820 million. And on a sequential basis, we expect ending ARR for our core platform solutions, DNR and exposure management, will be approximately flat quarter on quarter. With an expected sequential ARR decline in our non-core standalone non-platform offerings, For the second quarter, we expect total revenue in the range of $207 million to $209 million, or down approximately 2.9% at the midpoint on a year-on-year basis. Non-GAAP operating income is expected to be in the range of $24 to $26 million, or a margin of 12% at the midpoint. Non-GAAP earnings per diluted share are expected in the range of $0.33 to $0.36 on approximately 78.3 million fully diluted shares. Updating our full-year fiscal 2026 guidance, we expect total revenue in the range of $836 million to $842 million, a year-on-year decline of approximately 2.4% at the midpoint. We are raising non-GAAP operating income guidance to a range of $112 million to $118 million, or a full-year non-GAAP operating margin of 13.7% at the midpoint. As previously highlighted, the business exited 2025 with a higher expense run rate, reflecting 2025 investments across people, technology, and our India Global Capability Centre. By closely managing ongoing investments, we expect non-GAAP operating margins to improve to the mid-teens as 2026 progresses, and we remain focused on continuing to improve operating margins in 2027. Non-GAAP earnings per share are expected to be in the range of $1.52 to $1.60 per share on approximately 79.4 million fully diluted shares. We expect 2026's free cash flow in the range of $125 to $135 million for the full year, flat with prior year performance at the midpoint and a free cash flow margin of approximately 15.5%. In conclusion, There is a tremendous opportunity for cybersecurity companies who can help their customers respond to the incredible pace of new vulnerabilities and increasing attacks. Rapid7's core platform offerings of detection and response and exposure management are uniquely positioned to help companies navigate these threats, which we believe presents a long-term growth opportunity for our business. And with that, I'd like to turn the call over to the operator for Q&A.

If you've joined by the webinar, please use the raise hand icon, which can be found at the bottom of your webinar application. When you are called on, please unmute your line and ask your question. We kindly ask that you limit yourself to one question and one follow-up. Our first question comes from Mike Sikos with Needham. Please unmute your line to ask your question.

Hey guys, thanks for taking the questions here. Can you hear me okay?

Yeah, we can hear you just fine.

Terrific. Thank you again. So I just wanted to start out with the guidance we have here for the ARR, and thanks for splitting out the core versus the non-core. Could you help us think about that core ARR business? Where are we specifically with the exposure management in helping that business start to see growth versus some of the headwinds we've seen in recent quarters?

Yeah, I mean, Rick and I can tag team it. So on exposure management, we're happy that we're seeing the stabilization. I would not say that it is a growth driver, just to be clear. It's not, but we're seeing the stabilization and improvements that we would expect. And we see good leading indicators that that business is sort of like set up to improve, but it's nothing that we can claim sort of success or improvement on. We're still working through the upgrade cycle in a noisy environment. We are optimistic that the backdrop of what's happening in AI gets customers refocused back on the need to actually take exposure management seriously as a priority, because there was lots of noise before about all the things people can focus on. And we're certainly heartened by the early conversations, but that's not something that we would translate directly into a forecast or guides at this stage.

Understood. And for the follow-up here, again, I know we're navigating the core versus the non-core ARR components. So if I'm just looking at the guide we have here on the ARR for Q2, and I know you guys are only guiding a quarter out at this point, it is less than what consensus had been thinking about here. And I'm just looking to see, can you give us a flavor for what the shape of the rest of the year looks like or any other things we should be mindful of as we navigate the next couple of quarters since we are only getting that ARR data point from a guidance standpoint on a quarterly basis?

Well, so we're only guiding the current quarter right now. As Rafe says, we're getting a firm. We want to make sure that you have the transparency as we go through it. The one thing I'll comment on is clearly in the first half of the year, we're seeing the non-core, which I've talked about the other before, decelerating off at a faster rate. Our core is still a net positive contributor. You know, as that plays out, we'll see how that plays out and whether we see the acceleration and exposure, the impact of DNR. But I would just say give you revenue guidance. We feel very good about that. We have lots of confidence in all the measures that we actually got on. But we'll keep you updated as we actually go along. But we're not going to do any further breakouts right now.

Thank you. I'll leave it there. Thank you.

Appreciate it. Thanks. Our next question comes from Matthew Hedberg with RBC. Please unmute to ask your question.

Hey guys, this is Mike Richards on Format. Appreciate you taking the question. It made a ton of sense when you were talking about the changes with Mythos and the other Frontier models and how that can act as a tailwind for Rapid7. But I was wondering about how these changes are impacting customers. Is there confusion in the market? around frontier models and vulnerability discovery and what that means versus exposure management, or do they sort of get it? You know, just any details you guys can provide on what customers are thinking right now.

Yeah, it's a great question. One, I think there's probably more confusion with investors than there are with security experts, which we understand, which is why I wanted to clarify it in my prepared remarks. Look, most customers, there's two classes of things that are going on, is customers that have the expertise on staff And they're expecting a lot more sort of like scale of vulnerabilities and confusion. And what we're hearing from them is the need to really focus on exploitability, understanding what's on the environment, focus on understanding reachability, what's happening, and then remediation, organization, management at scale, which requires an understanding of the attack surface. These are all things that we're focused on. And frankly, though, we are accelerating our own efforts to make sure that we make it easier for customers to understand what are the vulnerabilities that matters most because what you're seeing is a lot of real things, a lot of noise. And what we want to make sure is that as things surge for customers, they are remediating and addressing the most important things first as quickly as possible. And that's the stance that we're taking there. And what we've seen so far with customers is that those that are in the know, they understand that, they're focused on it, and they're asking us, how can you help me actually manage the complexity? I'm going to have a lot more to manage. There'll be a lot more real stuff that I actually have to address, but there's going to be a lot more noise too. Now, I would say a lot of customers are less mature in their cycle, and the word vulnerability is vulnerability. But again, I actually think that what you'll see often in security is that the knowledge does get out there. They will have to respond. They won't be able to remediate everything that's in place all at once. And so they too will actually have to understand it. I think the tricky part for investors is vulnerability, whether you do discovery or scanning or vulnerabilities in code, it all sounds the same, but they're very different. Like code level vulnerabilities are very different than the vulnerability management, which is very different than exposure management. Exposure management is about addressing the things that are actually exploitable and the vulnerabilities that actually lead to compromise and doing that at scale across the environment. There's differences, but use the word vulnerability definitely can cause some nuance and confusion.

I appreciate it. That's super helpful. Yeah, that's super helpful. And just as a quick follow up, maybe just taking a step back from a macro perspective, are you seeing any change in customer behavior as it relates to maybe geopolitical uncertainty or even just AI budget crowding out as we've heard of more and more enterprises sort of running up on their AI budgets and that impacting other areas of enterprise software spend?

Yeah, I mean, look, I actually think everyone's trying to figure out what's the right way to budget and plan for it. You know, that is an obvious thing that like, you know, I don't know an organization all over the world is not trying to figure out like, what's the right AI strategy? How do I budget for it? How do I plan for it? And how do I deal with the leapfrogging that happens from time to time? But I would just say universally, to be clear, This is a year where more than ever, we're seeing, regardless of what the domain is, customers are looking for how do I actually start showing real benefits and real outcomes for the technology. It's moving from pilots to delivery. And this is the thing that actually makes me excited about the investment that we've made organically and with Kinzo, is that customers are in the show me stage and they're looking for how can you actually help me scale? In our case, it's how do we help them scale their security operations? Because I hardly know any customers that are getting a lot more people allocated to the teams. And so they're looking for technology and services to scale their security operations. And that's where we're focused. Thanks again for your questions.

Thank you. Our next question comes from Joe Gallo with Jefferies. Please unmute to ask your question.

Hey, guys, thanks for the question. I just want to ask you one high level one and one explicit about 2Q. So high level, you guys are investing in areas of growth, MDR, go to market, integrating AI. How should we think about the tradeoff between stabilizing ARR growth and maintaining gross margins going forward? Any guardrails that we can think through?

Ref and I can tag team this. Our team has a very clear mandate is that we have to scale margins. We feel that we have the right setup for that. If you think about our MDR business, which is our fastest growing business that also historically has had, frankly, less contribution margins at scale than some of the other businesses, that also is a business that we expect the gross margins to expand. That was a big part of the Kenzo thesis is that we can deliver better service at better efficiency and better cost leverage. So we're quite excited by that. We can deliver our customers a better experience and do it more efficiently, which is good for our investors too. And so just to be clear is both myself and the full management team have a mandate that we have to actually expand margins over time. but we are willing to make tactical investments to make sure we're doing the right way it was absolutely the right thing to do this year as we saw the tsunami of cyber risk coming into customers to make sure that we were properly staffed uh in our mbr environment to manage that and respond to that and make sure we're delivering a great quality of service which leads to long-term retention and expansion we know that we can actually do more ai and automation to actually do some of those stock services over time. But we feel very, very good that we made the right decisions to make sure that customers are set up well. But we are managing the business to expand margins over time.

And I would just call out, as we mentioned in our remarks, we do continue to expect to see bottom line margins improving as we go across 2026. And we're very actively, when we do planning, we roll it out and look at those carry forward numbers to make sure we're very conscious of run rates going into the next year. So I think we talked about in 2025, we saw some investment and we knew that would impact year over year comparisons as we go for the first part of the year. But you'll start to see the benefits of that and see those improving margins even here in 2026 as we move to the back half of the year.

Okay. No, that's very clear and really helpful. Maybe just a follow-up. I just want to understand exactly what our takeaway should be with your 2Q ARR guide, right? So 1Q declined $8 million quarter-over-quarter. You're guiding to another decline of $12 million. So I'm just trying to understand, like, is that 20% of the non-platform business? Is that churn getting worse? Is it, you know, lower expected new business for the 80% of the business that's growing? Yeah. We're one month into 2Q, so I'm just kind of curious what you're seeing in 2Q that kind of indicates that new ARR might be a little bit worse than you saw in 1Q. Thanks.

Yeah, I would just say, look, in one queue, even though we're not actively, even though we expect other or the non-core to actually churn, and it's not a core area of focus, it's not a core area of investment, when we see acceleration, we take a more cautious outlook about what that does. We definitely saw acceleration of the, we're not adding new, so it's really just churn, just to be clear, and that's of the standalone non-core businesses. We saw acceleration of that in Q1, And we are taking an appropriately, I think, thoughtful viewpoint of that as we actually go into Q2. And we also just don't want to predict that we're going to overcompensate for that by acceleration of core. And so that's the primary driver and that's the primary takeaway that I would have now. I think that's part of our risk-giving commentary.

Yeah, and I think that's exactly right. We want to share that color on what's exactly going on there because it's really important for everyone to see where our core business is, how it's been growing, and have that clarity. Because that's really going to be that long-term future for the organization. And those products will be the ones that we're taking to customers on a regular basis. So we hope by breaking that out, that kind of illuminates exactly what's going on.

Yep. No, extremely helpful. Thank you very much for that. Thanks. Thank you very much.

Our next question is from Adam Tindall with Raymond James. Please unmute to ask your question.

Okay, thanks. Good afternoon. I just wanted to continue on the topic of core versus non-core. And if I was to rewind back, Corey, I know the strategy was to really create a lot of synergy between the platform historically. So I guess, you know, as we fast forward to today and having one piece of the business that's understandably, you know, kind of non-regrettable churner in decline, How are you managing the impact on core while non-core churns? Meaning, you know, I imagine there's some customer overlap. Why would churn in the non-core piece potentially not impact core? What are you doing to mitigate that potential risk?

No, it's exactly the right question. Look, whenever you have dynamics, and just to remind you, like non-core is things that are on the lower on the priority list, but is also, you know, standalone business, some legacy stuff there. You hit the nail, you hit the core point is that as you manage these things, you know what we have to do well. We have to nail how we help customers scale their security operations. And the core of that is the preemptive platform with exposure management and detection response and how we weave that together. Now, as you said, there's a subset, not all the customers are overlapping, let's be clear that we have a healthy amount of standalone customers, but for customers that are actually overlapping, their experience matters deeply. And so our teams are actively working to make sure that we deliver those customers the right experience. But also in the world of rapid innovation at the pace of AI, we're rapidly rolling out new services that are addressed their need and we're expanding their scope and their experience with them. If you look at some of the announcements that we've been making, we've been picking up our pace of innovation and our pace of things that we're actually communicating to the market. And frankly, our pace of what we're actually providing customers as far as their existing subscriptions. And our view is if we do that well, if we keep delivering on that, we're actually adding more strategic value in areas that matter more. And therefore, we can actually really continue to focus in on those areas. But as you know, these type of transitions have to be managed well, and it's something that we're focused on doing.

Okay. Yep. Rafe, maybe just a quick follow-up. You talked about, obviously, you know, silver lining here has been profitability. And I think you mentioned mid-teens operating margin in fiscal 26 and threw in that you expect to continue to improve in fiscal 27. Understandable that, you know, obviously not providing official guidance on 27, but that's helpful. to give us a sense of trajectory of the business. I guess as you think about that, it's uncommon that we see platforms that are undergoing growth pressure that are still able to scale and not experience that lack of leverage on the downside. What are the drivers in terms of your confidence in margins in mid-teens and continuing to improve in fiscal 27? and any parameters that you'd like to set just so we can understand what continue to improve in fiscal 27 might mean. Thanks.

Sure. I think what's given us confidence as we go through 26 is like, first of all, you'll recall that there was a great deal of investments across people and technology last year, opening up the India Center. You know, all of those things happened in 2025. So, you know, especially early parts of the year, the year over year comparisons, you know, you're now bearing the brunt of that cost uptick. But a lot of that work was in place to help build efficiencies in our organizations, giving us locations where we can get great productivity at an affordable rate. It's extremely helpful. Having SOCs that are around the world on a global basis, extremely important to our customers, but also important to our efficient operations. So as we get people ramped up and get that part of the business locked in, that's what really is offering some efficiencies for us. We're also being very careful in 2026 about cost management. Just across the board, we want to deliver on that commitment we've made about our margins. We're being quite cautious about where we spend. Some of this plays out really is when we start talking about core versus non-core, being really clear about where we should invest because we think that'll drive long-term growth versus where we need to be more moderate in how we manage those costs. All of that coming together is giving us what we're planning for 2026 and giving us confidence as we really need to be looking at those run rates as we lead this year into next. Thank you.

Our next question comes from Jonathan Ho with William Blair. Please unmute and ask your question.

Hi, good afternoon. Just wanted to maybe dig a little bit into sort of this emergence of the mythos models. Like, how do we think about the broader opportunity set around MDR and CTEM evolving with that AI landscape? And how does your product specifically maybe need to change to address sort of the emerging landscape?

Yeah, so let's just...

And if you guys can mute on the phone, please. Great question, Jonathan. So I think that you have to first understand what's changing for customers in order to understand, frankly, what the work that we're doing that's valuable and the work that we need to do differently. I think that's a very good question, Jonathan. So the first thing, what's changing for customers? Customers are going to see an influx of zero days. They're going to see a much larger volume of vulnerabilities. They're going to see more exploitable vulnerabilities, but the amount of vulnerabilities that they're going to see are not all going to be exploitable. So their ability to actually figure out what really matters is going to be key. Their ability to actually manage remediation at scale in tighter timeframes. If you could do remediation in months before, then figuring out which stuff matters and managing the remediation in days as appropriate matters and the things that should be weeks and things that should be months. Keep in mind, we have a massive remediation backlog overall. The pace of what you're looking at is being able to exploit vulnerabilities at speed and pace. Dwell time is actually shrinking. So what you're going to see is people going to have to go from detection quickly to actually active response. That's another significant change overall. And so when you put the picture together, customers are going to be dealing with both the speed the scale and the need to respond quickly without breaking things. So now where does that actually go? So let's just break down a couple of things. One, Rapid7 has had a long history of focusing on exploitability and our security researchers are accelerating and moving our models and upgrading those to actually deal with the increasing insertion that we expect in the speed to actually really discern what's exploitable from what's not exploitable. The second thing is we actually, as we built out our overall exposure management framework, we believe that vulnerabilities are not the core thing that matter in and of themselves. It's the intersection of vulnerabilities, how devices and networks and technology is configured, as well as the controls that are in the environment. After all, that's what exploitability is. It's the reachability combined with what controls are in place, what's the configuration combined with what's vulnerable. We understand that better than most organizations in the world. And then the last piece that we just invested in is Kenzo, which is actually to do detections quicker. So the things that we're changing from there is we're upping the visibility and the understanding and the ability to quickly process what's exploited in the environment. We're accelerating the investments in our remediation management to help customers track and manage remediation across the environment. We were already bringing forth the Kenzo for actually instantaneous detection, but we're also investing heavily in leveraging our understanding of both the configuration surface and the control surface to actually help customers understand what the best interdiction or immediate intervention options they have to contain attacks, because they will have to respond in the moment. And sometimes that forward mediation is not available. I know that was a lot of job, but those are the things that are changing for the customer, the things that we're investing in, and frankly, the things that we're accelerating and changing in our environment. in our technology stack.

Thank you. I'll keep it to one.

Thanks. Our next question is from Eric Heath with KeyBank. Please unmute to ask your question.

All right. Thanks for taking the question. Maybe one for Corey, one for Rafe, if I may. So Corey, Glassling's been out for about a month and feels like there is a lot of urgency out there. So just curious what impact you've seen thus far into Q in the pipeline and then For Rafe, very much appreciate the color and the platform growth and the guidance, but any specificity you can give on how net new ARR and 1Q was for core platform, and then just how we should think about maybe the exit rate for the non-core platform products as we exit 2026. Thanks.

Yeah, I mean, I'll hit it before because I've actually hit on it in parts before. With Glasswing, I think, you know, there's two things. There's a small cohort of our customers who've actually seen it and accessed it and they want insights into how we help them deal with the true exploitable ones and also the volume and the noise. So that's very straightforward. And that feedback and that engagement with customers is driving some of the strategies I talked about earlier. And then there's those that are on the outside and trying to figure it out. And frankly, they're looking for a perspective about, how much does this change their technology strategy? You know, do they have to put all new projects on hold and just do remediation for the next six months? And if so, what type of remediation? So I think they're in an assessing mindset, just to be clear. And that's why I say we're still in the early days because lots of organizations don't know what the magnitude of the impact is specifically for them.

Yeah, and then just to add a bit more color on the first quarter, I would say, first of all, we were really pleased with the sales organization and their hard work in Q1. You'll recall that we had a new leader, Alan, joined late last year. He'd made a few changes on the team, even as we started this quarter. And yet the team really executed well, very much hustled. And, you know, we saw an uptick in productivity across the quarter. We saw just, you know, good execution on a lot of operational details that are just really important to running a sales organization. So I think hats off to the sales team on delivering good results there. And that translates into our core platform solutions where you saw, you know, You saw, first of all, within core, the detection and response business, which is, you know, now 55% of total ARR, and I think that's a little bit more color than we've shared in some of the past quarters on that, growing at 7% on a year over year basis, you know, so that's you know, new net of any, any turn we had in the quarter. So that's a really strong leader. And that, you know, combined with exposure management solutions, which, you know, rounds out the, the core solution, that whole total group was growing at 2%. So, you know, good execution on the top line, you know, good work from the product team, helping our customers and just execution all around, made sure that that core numbers were growing in the first quarter.

Our next question is from Srinik Katari with Baird. Please unmute to ask your question.

Yeah, thanks a lot for taking my question. So just a follow-up to Jonathan's question and Corey, thanks a lot for the color with Frontier AI, the value, how it's shifting or will shift towards remediation at scale and the exposure validation. That makes total sense. Just in terms of monetization opportunity and timing-wise, just wanted to get your thoughts in practice. How do you think... That shows up in this post-frontier AI model world in terms of MDR, in terms of the urgency for exposure command upgrades, in terms of runtime validation and just a broader platform and then a quick follow-up.

Yeah, look, our current plan is it is a, you know, it's not even a single, it's probably a double using baseball parlance for just to actually be a catalyst to actually help move the priority of exposure management back to the forefront. which actually helped significantly with the VM upgrade initiative and focus. So that's our focus. We're not looking to actually charge incrementally for it. We think we actually have a modernization plan that's already attached to it. And so seeing the VM to exposure command acceleration in the upgrade program is where we plan to primarily see the modernization. And again, we're accelerating some things along with that strategy where we focus it in tightening, but we were on this path about how you actually manage remediation at scale. How do you actually really assess exposures from both a control and a configuration standpoint? And then the last thing is how you actually do active response overall. So I would just say the focus hasn't changed, but from that perspective, we should see the modernizations there. On the MDR side, you know, it's going to be interesting because I think the thing that I'm talking to most customers about is, you know, how do they customers getting comfortable? They know now that they will have to enable active response and do more automation and more AI driven response across their portfolio. And they're getting comfortable with that. Our goal is to actually lead that discussion with trust. That is an expansion area. That's an investment area. It's a potential modernization area, but it's just a little bit too early there. That's one of the biggest incremental areas, I would just say, of focus that we're recalibrating resources for is how do we actually shift the active response to machine speed while ensuring that we can actually do that safety based on our knowledge of the overall attack surface, the control surface, and the configuration surface.

Very helpful. Thanks a lot, Corey. And just to follow up, Rafe, you talked about, of course, prudence in the non-core guide and more confidence in the core platform growing. Just in terms of the go-to-market changes that have been... put in place, bare fruit, as Corey mentioned, productivity improving. Just can you unpack a little bit, like, what's happening in the plumbing? Like, are you seeing just, again, in your words, Corey, I mean, is there a healthier mix of more singles and doubles now? Is the channel source pipeline becoming more efficient? Is there more better upgrade motion too? Like, which ones are showing up?

The big one is that Alan has really tightened in the focus on making sure that we're actually selling the core, which is, again, the DNR exposure and the command platform integrated capability. So one thing is that when you actually have a strategy, you're not actually selling all over the place. So we actually have a tighter focus there. We're seeing tighter pipeline bills in those areas. and more focused, consistent execution. And the biggest thing is that as we set targets, we actually hit the targets. Now, we all want to actually see acceleration and we want to see the growth go faster. But I will say that we actually have the confidence in the trends of how we're seeing the business performance starting to actually shift. We want everything to go faster, but we're seeing the confidence in both the management and the visibility that gives us a lot of confidence about how we actually see the year spanning out.

Got it. Thanks a lot.

Our next question is from Meeta Marshall with Morgan Stanley. Please unmute to ask your question.

Hi, this is Abhishek Murli on for Meeta Marshall. Thanks for the question and congrats on the quarter. I wanted to touch on Kenzo security and kind of where that product sits in the roadmap in the context of AI-driven investigations. So can you kind of clarify what capabilities have already been incorporated into customer workflows versus like what kind of remains in development. And then there should be think of it as more of a improving of productivity or a customer-facing remediation and kind of any further details on that.

Yeah, well, Kenzo was excellent. Both the data mesh and their model was extraordinarily doing investigations at scale. So it was an alert processing engine that allowed you to come in and process alerts from all over the environment. We're in the act of integrating it in right now, just to be clear. So it's not like a done integration. It's probably the biggest thing, and we all are like, hey, that has to happen fast, and it has to go fast. So the team has come in. We're in the process of integrating in. We'll be rolling it out to customers starting in the next couple months, but rolling out for the rest of this year. But that's the biggest thing. So if you say like, what's the core of what Kinzo does? It is an AI platform for actually processing alerts and doing high quality investigations of scale. To add some context specifically for investors and for people on the call is that typically what a stock analyst who typically does this is they get an alert in and one, they have to make sure it's not deduplicated. I would just say over time, Sims did not do a good job of this. DNR systems like rapid sevens did a good job with the deduplication. So we've already been making advances here, but then you have to go out and actually do all of the knowledge collection and contextualization to actually say, what's all the data I need to gather to actually figure out whether this is real or false. And then once you actually had a sense of whether it was real, then you actually had to actually do another level of investigation to figure out like how bad it was in the environment and what you actually need to contain or mediate there. That took days, just to be clear, hours and days. Kinzo is excellent at doing that in massive volume, massive scale, but in machine speed. And so it's much faster and it has better efficacy rates overall. So we're both taking it in, we're applying the model, and we're extending the model out to actually hit not just alerts, but a much wider range of data sources as we go forward. And then the other part that we're actually adding in to Rapid7 is that because we have so much deep knowledge of the environment, is we have a much wider range of response options that are available. Now, again, that is new development effort that's happening, so I don't want to get too far down the path. But customers do need to know how they can actually respond at speed and scale. Some of that's going to be used in our technology. Some of that's going to be used in third-party technology. But we have the brain to know which type of controls and systems to leverage at scale, whether that's existing controls, whether that's new startups that are actually in the space that actually make changes in the environment. We have that knowledge and that expertise to actually know what's most efficient to apply at scale based on our knowledge of the environment. Thank you.

Our next question is from Adam Borg with Stiefel. Please go ahead.

Awesome. Thanks for fitting me in, and I'll just stick to one. Maybe, Corey, you talked really, I think, at length in a good way about how the frontier models are driving increased vulnerability identification, but that's really where the tailwinds begin for you. And I think you talked about customers understanding how these frontier models fit in, and investors may be a little bit more confused on their role over time. And maybe just to that latter point, if you could help us understand like what's preventing these frontier models from moving just from identification of vulnerabilities more towards the exploitability, the reachability, the prior, the prioritization and the remediation that you talked about, because they seem to be talking that they're moving that direction. And anyway, you could talk about the boats that, you know, a vendor like yourself has to prevent that from occurring would be really helpful. Thanks.

Yeah. To this, um, There's three different modes that matter. And just to be clear, I don't want to say versus the frontier models, because we actually leverage frontier models inside of Rapid7. Anyone who's not leveraging frontier models is just not going to be relevant. So I want to be clear. This is about... where the actually use cases matter and don't matter and not. So I just want to, I want to frame that up and be clear. So there's a couple of things that are actually significant clear modes that you actually have to do. One is just that like, if anyone's actually used frontier models in any environment at any scale, you actually know you have to actually discern what's the cost of the activity you're actually doing. So look, Someone can actually go scan and do exploitability analysis in the environment and do all of that. But just to be clear, they're paying a lot more than what you actually get for the same information in the core vulnerability management system. They're not designed to do that. Now, could they build specialized things and specialized software to actually do that? Potentially, yes. But again, you are then you're just building the product and you can actually say you're actually building the product and you have knowledge. So but that's one is that like cost doesn't matter. And we actually do it efficiently at scale and at cost. As someone who's tested out some of these systems in the environments, trust me, you can run up a fair amount of money doing what you think is a very straightforward scan. And by the way, that's proven out in their own data that they actually go. So I would just say we actually can't miss it. The second thing that you have to say is that like it's not whether it's vulnerable, is it actually exploitable in the environment? And exploitability means you have to understand not just the vulnerability, you have to understand the configuration of the complete environment, and you have to understand the controls in the overall environment and how they intersect. Now, you could make a technology do anything, but that is actually specialized, it's both knowledge and data that we've optimized around to understand the question about what's actually both exploitable, what's reachable, and how is that configurable in the overall environment. The last thing when you actually get to the core one about how do you actually want to actually take action and respond in the environment. And look, I have a high trust, but I don't think anyone wants a frontier model in their environment running rampant in the environment that can actually make configuration changes, do active defense, active response in the environment. For models that are updated all the time without clear visibility and understanding what can change and by many of the authors own admission, it's just like, that's just not the way that most people are gonna have the trust to actually deal with security. So to get to the core things is that, We have deep expertise and understanding of the domain. Yes, AI does a lot, by the way, it's an accelerant for us. The cost of doing these things at scale does matter to customers and it will matter to customers over time. And then when you think about the autonomous response, you both need the knowledge base, but you also need the trust. And this is why I say like we're building active response, but it's built on a system of trust and knowledge. And that's a big deal because you do not want your active response being too smart. and being too clever. Because if you get the keys where these systems can take over and actually have access to make any type of change in the environment overall, you can have very minor errors that actually cause catastrophe for organizations. And again, most CISOs, and frankly, most IT people know that. And so they're looking for things that actually do the mission and do it well and do it cost-effectively. I know that was long-winded. Again, we're adopters of the technology, but it's important to understand the constraints there too.

Incredibly helpful. I really appreciate it.

Our last question comes from Gray Powell with BTIG. Please unmute to ask your question.

Okay, great. Thank you very much. Just want to make sure. Can you hear me?

Yes.

All right. Excellent. Well, thank you for taking the question. I think you hit on this before. But I just want to circle back on sort of the non-core products and how would you think about that trend line stabilizing over the next 12 months? So just if I'm doing math correctly, ballpark terms, I would assume that non-cores may be a little over 150 million-ish in ARR. Q2 guidance implies that it's down about 10 million. Is there a level where we should think about that number stabilizing and then they are existing customers. So why is there not an opportunity to upsell them on the platform? Is there like a conversion opportunity there?

Yeah, no, thank you for the question. I think the best way to think about what we're trying to do is build out robust platforms that are attractive to our customers. And I think, you know, a couple of things. First of all, some people, some of our customers have platform offerings, but may have also bought something standalone that's out there, right? That is part of the equation. And as Corey mentioned, like it's very important that we take care of these customers and that their whole experience with Rapid7 is very important. We do think there is also an opportunity for those who may not have a platform solution, that the best thing for them is to migrate onto one of our platforms, right? And we're looking for technologies that we can integrate in and make that platform more rich. So that's really our number one focus around those customers. I wanted to break that out because this trend has actually been going on behind the scenes for some period of time, for the last few quarters, of where you'll see those standalone non-core offerings. That's actually where we've had more of the challenges on the renewal front. But what we're really calling out here is we're focused, we're building attractive platforms with robust technology, and that creates that upgrade path for many of our customers, but it also allows us to focus on meeting the demands of the market at present.

Understood. Okay. Thank you very much. Thank you very much.

Thank you everyone for joining. This concludes today's call. You may now disconnect.