10-K 1 rp-20231231.htm 10-K rp-20231231
2023FY0001560327FALSEhttp://fasb.org/us-gaap/2023#AccountingStandardsUpdate202006Member12121212http://fasb.org/us-gaap/2023#OtherAssetsNoncurrent http://fasb.org/us-gaap/2023#PrepaidExpenseAndOtherAssetsCurrenthttp://fasb.org/us-gaap/2023#OtherLiabilitiesCurrenthttp://fasb.org/us-gaap/2023#OtherAssetsNoncurrent http://fasb.org/us-gaap/2023#PrepaidExpenseAndOtherAssetsCurrenthttp://fasb.org/us-gaap/2023#OtherLiabilitiesCurrenthttp://fasb.org/us-gaap/2023#ResearchAndDevelopmentExpense0.01542130.01638750.009673P3Y38436636600015603272023-01-012023-12-3100015603272023-06-30iso4217:USD00015603272024-02-21xbrli:shares00015603272023-12-3100015603272022-12-31iso4217:USDxbrli:shares0001560327us-gaap:ProductMember2023-01-012023-12-310001560327us-gaap:ProductMember2022-01-012022-12-310001560327us-gaap:ProductMember2021-01-012021-12-310001560327us-gaap:ServiceMember2023-01-012023-12-310001560327us-gaap:ServiceMember2022-01-012022-12-310001560327us-gaap:ServiceMember2021-01-012021-12-3100015603272022-01-012022-12-3100015603272021-01-012021-12-310001560327us-gaap:RetainedEarningsMember2023-01-012023-12-310001560327us-gaap:CommonStockMember2020-12-310001560327us-gaap:TreasuryStockCommonMember2020-12-310001560327us-gaap:AdditionalPaidInCapitalMember2020-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-12-310001560327us-gaap:RetainedEarningsMember2020-12-3100015603272020-12-310001560327us-gaap:AdditionalPaidInCapitalMember2021-01-012021-12-310001560327us-gaap:CommonStockMember2021-01-012021-12-3100015603272020-01-012020-12-310001560327srt:CumulativeEffectPeriodOfAdoptionAdjustmentMemberus-gaap:AdditionalPaidInCapitalMember2020-12-310001560327srt:CumulativeEffectPeriodOfAdoptionAdjustmentMemberus-gaap:RetainedEarningsMember2020-12-310001560327srt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2020-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-01-012021-12-310001560327us-gaap:RetainedEarningsMember2021-01-012021-12-310001560327us-gaap:CommonStockMember2021-12-310001560327us-gaap:TreasuryStockCommonMember2021-12-310001560327us-gaap:AdditionalPaidInCapitalMember2021-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-12-310001560327us-gaap:RetainedEarningsMember2021-12-3100015603272021-12-310001560327us-gaap:AdditionalPaidInCapitalMember2022-01-012022-12-310001560327us-gaap:CommonStockMember2022-01-012022-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-01-012022-12-310001560327us-gaap:RetainedEarningsMember2022-01-012022-12-310001560327us-gaap:CommonStockMember2022-12-310001560327us-gaap:TreasuryStockCommonMember2022-12-310001560327us-gaap:AdditionalPaidInCapitalMember2022-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-12-310001560327us-gaap:RetainedEarningsMember2022-12-310001560327us-gaap:AdditionalPaidInCapitalMember2023-01-012023-12-310001560327us-gaap:CommonStockMember2023-01-012023-12-310001560327us-gaap:TreasuryStockCommonMember2023-01-012023-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-01-012023-12-310001560327us-gaap:CommonStockMember2023-12-310001560327us-gaap:TreasuryStockCommonMember2023-12-310001560327us-gaap:AdditionalPaidInCapitalMember2023-12-310001560327us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-12-310001560327us-gaap:RetainedEarningsMember2023-12-310001560327us-gaap:ConvertibleDebtMember2023-01-012023-12-310001560327us-gaap:ConvertibleDebtMember2021-01-012021-12-310001560327rp:NewCustomerUpSellOrCrossSellMember2023-12-310001560327rp:ProfessionalServicesArrangementsMember2023-12-310001560327us-gaap:ComputerEquipmentMember2023-12-310001560327srt:MinimumMemberus-gaap:FurnitureAndFixturesMember2023-12-310001560327srt:MaximumMemberus-gaap:FurnitureAndFixturesMember2023-12-310001560327us-gaap:LeaseholdImprovementsMember2023-01-012023-12-310001560327us-gaap:DesignatedAsHedgingInstrumentMemberus-gaap:ForeignExchangeForwardMember2023-01-012023-12-310001560327us-gaap:DesignatedAsHedgingInstrumentMemberus-gaap:ForeignExchangeForwardMember2023-12-310001560327us-gaap:DesignatedAsHedgingInstrumentMemberus-gaap:ForeignExchangeForwardMember2022-12-310001560327us-gaap:SellingAndMarketingExpenseMember2023-01-012023-12-310001560327us-gaap:SellingAndMarketingExpenseMember2022-01-012022-12-310001560327us-gaap:SellingAndMarketingExpenseMember2021-01-012021-12-310001560327rp:ProductSubscriptionRevenueMember2023-01-012023-12-310001560327rp:ProductSubscriptionRevenueMember2022-01-012022-12-310001560327rp:ProductSubscriptionRevenueMember2021-01-012021-12-310001560327rp:TimingOfTransferOfGoodOrServiceOtherMember2023-01-012023-12-310001560327rp:TimingOfTransferOfGoodOrServiceOtherMember2022-01-012022-12-310001560327rp:TimingOfTransferOfGoodOrServiceOtherMember2021-01-012021-12-310001560327country:US2023-01-012023-12-310001560327country:US2022-01-012022-12-310001560327country:US2021-01-012021-12-310001560327us-gaap:NonUsMember2023-01-012023-12-310001560327us-gaap:NonUsMember2022-01-012022-12-310001560327us-gaap:NonUsMember2021-01-012021-12-310001560327rp:SubscriptionRevenueMember2024-01-012023-12-3100015603272025-01-01rp:SubscriptionRevenueMember2023-12-310001560327us-gaap:ServiceMember2024-01-012023-12-3100015603272025-01-01us-gaap:ServiceMember2023-12-310001560327rp:TimingOfTransferOfGoodOrServiceOtherMember2024-01-012023-12-3100015603272025-01-01rp:TimingOfTransferOfGoodOrServiceOtherMember2023-12-3100015603272024-01-012023-12-3100015603272025-01-012023-12-310001560327rp:MinervaLabsMember2023-03-142023-03-140001560327rp:MinervaLabsMember2023-03-140001560327rp:MinervaLabsMemberus-gaap:DevelopedTechnologyRightsMember2023-01-012023-12-310001560327rp:MinervaLabsMemberus-gaap:DevelopedTechnologyRightsMember2023-03-142023-03-1400015603272023-03-142023-03-14rp:reportingUnit0001560327rp:MinervaLabsMember2023-01-012023-12-310001560327rp:IntSightsMember2021-07-162021-07-160001560327rp:IntSightsMember2021-07-1600015603272021-07-162021-07-160001560327rp:VelocidexMember2021-04-122021-04-120001560327us-gaap:DevelopedTechnologyRightsMemberrp:VelocidexMember2021-04-122021-04-120001560327rp:AlcideIOLtdMember2021-01-282021-01-280001560327rp:AlcideIOLtdMember2021-01-280001560327us-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-310001560327us-gaap:USTreasurySecuritiesMember2023-12-310001560327us-gaap:USGovernmentAgenciesDebtSecuritiesMember2022-12-310001560327us-gaap:CorporateDebtSecuritiesMember2022-12-310001560327us-gaap:CommercialPaperMember2022-12-310001560327us-gaap:USTreasurySecuritiesMember2022-12-310001560327srt:MinimumMember2023-01-012023-12-310001560327srt:MaximumMember2023-01-012023-12-310001560327srt:MinimumMember2022-01-012022-12-310001560327srt:MaximumMember2022-01-012022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Member2023-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2023-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:USTreasurySecuritiesMember2023-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2023-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2023-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMember2023-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueInputsLevel1Member2022-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2022-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:MoneyMarketFundsMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2022-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2022-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2022-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2022-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:CorporateDebtSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:CommercialPaperMemberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2022-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:CommercialPaperMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:CommercialPaperMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:CommercialPaperMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Memberus-gaap:USTreasurySecuritiesMember2022-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2022-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel1Member2022-12-310001560327us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:FairValueMeasurementsRecurringMember2022-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesDue2025Member2023-12-31xbrli:pure0001560327rp:TheNotesDue2027Memberus-gaap:ConvertibleDebtMember2023-12-310001560327us-gaap:ConvertibleDebtMemberrp:TheNotesDue2029Member2023-12-310001560327us-gaap:ComputerEquipmentMember2022-12-310001560327us-gaap:FurnitureAndFixturesMember2023-12-310001560327us-gaap:FurnitureAndFixturesMember2022-12-310001560327us-gaap:LeaseholdImprovementsMember2023-12-310001560327us-gaap:LeaseholdImprovementsMember2022-12-310001560327rp:IntSightsAcquisitionMember2022-01-012022-12-310001560327rp:DevelopedTechnologyMember2023-01-012023-12-310001560327rp:DevelopedTechnologyMember2023-12-310001560327rp:DevelopedTechnologyMember2022-12-310001560327us-gaap:CustomerRelationshipsMember2023-01-012023-12-310001560327us-gaap:CustomerRelationshipsMember2023-12-310001560327us-gaap:CustomerRelationshipsMember2022-12-310001560327us-gaap:TradeNamesMember2023-01-012023-12-310001560327us-gaap:TradeNamesMember2023-12-310001560327us-gaap:TradeNamesMember2022-12-310001560327us-gaap:ComputerSoftwareIntangibleAssetMember2023-01-012023-12-310001560327us-gaap:ComputerSoftwareIntangibleAssetMember2023-12-310001560327us-gaap:ComputerSoftwareIntangibleAssetMember2022-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2022-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2021-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2023-01-012023-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2022-01-012022-12-310001560327rp:ContractAcquisitionAndFulfillmentCostsMember2023-12-310001560327us-gaap:DesignatedAsHedgingInstrumentMemberus-gaap:ForeignExchangeForwardMember2022-01-012022-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2020-05-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2023-03-310001560327rp:A2029NotesMemberus-gaap:ConvertibleDebtMember2023-09-300001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2023-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2023-01-012023-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2023-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2023-01-012023-12-310001560327rp:A2029NotesMemberus-gaap:ConvertibleDebtMember2023-12-310001560327rp:A2029NotesMemberus-gaap:ConvertibleDebtMember2023-01-012023-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2020-05-012020-05-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2021-03-012021-03-310001560327rp:A2029NotesMemberus-gaap:ConvertibleDebtMember2023-09-012023-09-300001560327rp:DebtCovenantOneMemberus-gaap:ConvertibleDebtMember2020-05-012020-05-31rp:day0001560327us-gaap:ConvertibleDebtMemberrp:DebtCovenantTwoMember2020-05-012020-05-310001560327us-gaap:ConvertibleDebtMember2020-05-012020-05-310001560327us-gaap:ConvertibleDebtMemberrp:DebtCovenantThreeMember2020-05-012020-05-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2021-03-162021-03-160001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2021-03-160001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2023-01-012023-12-310001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2021-01-012021-03-310001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2021-09-160001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2021-11-302021-11-300001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2021-11-300001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2023-09-012023-09-300001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2023-09-300001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2022-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2022-12-310001560327rp:A2029NotesMemberus-gaap:ConvertibleDebtMember2022-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2022-01-012022-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2022-01-012022-12-310001560327us-gaap:ConvertibleDebtMember2022-01-012022-12-310001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2021-01-012021-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2025NotesMember2021-01-012021-12-310001560327us-gaap:ConvertibleDebtMemberrp:A2027NotesMember2021-01-012021-12-310001560327rp:A2023NotesMemberus-gaap:ConvertibleDebtMember2023-12-310001560327us-gaap:CallOptionMemberrp:A2023NotesMember2023-01-012023-12-310001560327us-gaap:CallOptionMemberrp:A2025NotesMember2023-01-012023-12-310001560327us-gaap:CallOptionMemberrp:A2027NotesMember2023-01-012023-12-310001560327us-gaap:CallOptionMemberrp:A2029NotesMember2023-01-012023-12-310001560327us-gaap:CallOptionMemberrp:A2023NotesMember2023-12-310001560327us-gaap:CallOptionMemberrp:A2023NotesMember2023-05-312023-09-300001560327us-gaap:CallOptionMemberrp:A2023NotesMember2023-08-032023-08-030001560327us-gaap:RevolvingCreditFacilityMemberrp:CreditAgreementMember2020-04-300001560327us-gaap:LetterOfCreditMemberrp:CreditAgreementMember2020-04-300001560327us-gaap:RevolvingCreditFacilityMemberrp:CreditAgreementMember2020-05-310001560327us-gaap:RevolvingCreditFacilityMemberrp:CreditAgreementMember2021-09-300001560327us-gaap:RevolvingCreditFacilityMemberrp:CreditAgreementMember2021-12-310001560327rp:CreditAgreementMember2021-12-310001560327us-gaap:LetterOfCreditMemberrp:CreditAgreementMember2021-12-310001560327us-gaap:RevolvingCreditFacilityMemberrp:CreditAgreementMember2021-12-012021-12-310001560327rp:SecuredOvernightFinancingRateSOFRMemberrp:CreditAgreementMember2021-12-012021-12-310001560327us-gaap:BaseRateMemberrp:CreditAgreementMember2021-12-012021-12-310001560327us-gaap:LetterOfCreditMemberrp:CreditAgreementMember2023-12-310001560327srt:OfficeBuildingMember2023-12-31rp:leaseRenewalOption0001560327rp:TwoThousandAndFifteenPlanMember2015-07-310001560327rp:TwoThousandAndFifteenPlanMember2015-07-012015-07-310001560327rp:TwoThousandAndFifteenPlanMember2015-10-082015-10-080001560327rp:TwoThousandAndFifteenPlanMember2023-12-310001560327rp:TwoThousandAndFifteenPlanMember2023-01-012023-12-310001560327rp:CostOfRevenueMember2023-01-012023-12-310001560327rp:CostOfRevenueMember2022-01-012022-12-310001560327rp:CostOfRevenueMember2021-01-012021-12-310001560327us-gaap:ResearchAndDevelopmentExpenseMember2023-01-012023-12-310001560327us-gaap:ResearchAndDevelopmentExpenseMember2022-01-012022-12-310001560327us-gaap:ResearchAndDevelopmentExpenseMember2021-01-012021-12-310001560327us-gaap:GeneralAndAdministrativeExpenseMember2023-01-012023-12-310001560327us-gaap:GeneralAndAdministrativeExpenseMember2022-01-012022-12-310001560327us-gaap:GeneralAndAdministrativeExpenseMember2021-01-012021-12-310001560327rp:A2023BonusPlanMember2023-01-012023-12-310001560327rp:A2022BonusPlanMember2022-01-012022-12-310001560327rp:A2021BonusPlanMember2021-01-012021-12-310001560327rp:RSUsAndPSUsMember2020-12-310001560327rp:RSUsAndPSUsMember2021-01-012021-12-310001560327rp:RSUsAndPSUsMember2021-12-310001560327rp:RSUsAndPSUsMember2022-01-012022-12-310001560327rp:RSUsAndPSUsMember2022-12-310001560327rp:RSUsAndPSUsMember2023-01-012023-12-310001560327rp:RSUsAndPSUsMember2023-12-310001560327rp:PerformanceStockUnitsMember2023-02-012023-02-2800015603272023-02-012023-02-28rp:installment0001560327rp:EmployeeStockPurchasePlanMember2023-01-012023-12-310001560327rp:EmployeeStockPurchasePlanMember2023-12-310001560327srt:MaximumMemberrp:EmployeeStockPurchasePlanMember2023-01-012023-12-310001560327srt:MinimumMemberrp:EmployeeStockPurchasePlanMember2023-01-012023-12-310001560327srt:MinimumMemberrp:EmployeeStockPurchasePlanMember2022-01-012022-12-310001560327srt:MaximumMemberrp:EmployeeStockPurchasePlanMember2022-01-012022-12-310001560327srt:MinimumMemberrp:EmployeeStockPurchasePlanMember2021-01-012021-12-310001560327srt:MaximumMemberrp:EmployeeStockPurchasePlanMember2021-01-012021-12-310001560327rp:EmployeeStockPurchasePlanMember2022-01-012022-12-310001560327rp:EmployeeStockPurchasePlanMember2021-01-012021-12-3100015603272023-09-152023-09-1500015603272023-03-152023-03-1500015603272022-09-152022-09-1500015603272022-03-152022-03-1500015603272021-09-152021-09-1500015603272021-03-152021-03-1500015603272023-09-1500015603272023-03-1500015603272022-09-150001560327srt:MinimumMember2022-03-150001560327srt:MaximumMember2022-03-150001560327srt:MinimumMember2021-09-150001560327srt:MaximumMember2021-09-150001560327srt:MinimumMember2021-03-150001560327srt:MaximumMember2021-03-150001560327rp:DeferredTaxAssetsOperatingLossCarryforwardsMember2023-01-012023-12-310001560327us-gaap:DomesticCountryMember2023-12-310001560327us-gaap:ForeignCountryMember2023-12-310001560327us-gaap:StateAndLocalJurisdictionMember2023-12-310001560327us-gaap:EmployeeStockOptionMember2023-01-012023-12-310001560327us-gaap:EmployeeStockOptionMember2022-01-012022-12-310001560327us-gaap:EmployeeStockOptionMember2021-01-012021-12-310001560327rp:UnvestedRestrictedStockUnitsMember2023-01-012023-12-310001560327rp:UnvestedRestrictedStockUnitsMember2022-01-012022-12-310001560327rp:UnvestedRestrictedStockUnitsMember2021-01-012021-12-310001560327rp:CommonIssuedInConjunctionWithAcquisitionsMember2023-01-012023-12-310001560327rp:CommonIssuedInConjunctionWithAcquisitionsMember2022-01-012022-12-310001560327rp:CommonIssuedInConjunctionWithAcquisitionsMember2021-01-012021-12-310001560327rp:EmployeeStockPurchasePlanMember2023-01-012023-12-310001560327rp:EmployeeStockPurchasePlanMember2022-01-012022-12-310001560327rp:EmployeeStockPurchasePlanMember2021-01-012021-12-310001560327us-gaap:ConvertibleDebtSecuritiesMember2023-01-012023-12-310001560327us-gaap:ConvertibleDebtSecuritiesMember2022-01-012022-12-310001560327us-gaap:ConvertibleDebtSecuritiesMember2021-01-012021-12-31rp:segment0001560327rp:OtherCountryMember2022-01-012022-12-310001560327rp:OtherCountryMember2021-01-012021-12-310001560327country:US2023-12-310001560327country:US2022-12-310001560327us-gaap:NonUsMember2023-12-310001560327us-gaap:NonUsMember2022-12-3100015603272023-08-072023-08-070001560327us-gaap:FacilityClosingMember2023-10-012023-12-310001560327rp:AndrewBurtonMember2023-10-012023-12-310001560327rp:AndrewBurtonMember2023-12-310001560327rp:TimAdamsMember2023-10-012023-12-310001560327rp:TimAdamsMember2023-12-310001560327rp:CoreyThomasMember2023-10-012023-12-310001560327rp:CoreyThomasMember2023-12-3100015603272023-10-012023-12-31
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
____________________________________________________
FORM 10-K
____________________________________________________
(Mark One)
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2023
OR

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
FOR THE TRANSITION PERIOD FROM                      TO

Commission File Number 001-37496
____________________________________________________
RAPID7, INC.
(Exact name of registrant as specified in its charter)
____________________________________________________
Delaware35-2423994
(State or other jurisdiction of
incorporation or organization)
(I.R.S. Employer
Identification No.)
120 Causeway Street
Boston, MA
02114
(Address of principal executive offices)(Zip Code)
Registrant’s telephone number, including area code: (617247-1717
____________________________________________________
Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading Symbol(s)Name of each exchange on which registered
Common Stock, par value $0.01 per shareRPDThe Nasdaq Global Market
Securities registered pursuant to Section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes  No 
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. Yes  No 
Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes  No 
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files). Yes  No 
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a smaller reporting company. See the definition of “large accelerated filer”, “accelerated filer”, and “smaller reporting company” in Rule 12b-2 of the Exchange Act. (Check one):
Large Accelerated Filer  Accelerated Filer 
Non-accelerated Filer
  
  Small Reporting Company 
Emerging Growth Company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the registrant has filed a report on and attestation to its management's assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C 7262(b)) by the registered public accounting firm that prepared or issued its audit report. Yes  No 

If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements.

Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b).
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes  No 
As of June 30, 2023, the aggregate market value of the registrant’s voting common stock held by non-affiliates of the registrant, based on a closing price of $45.28 per share of the registrant’s common stock as reported on The Nasdaq Global Market on June 30, 2023, was approximately $2,716,253,516. For purposes of this computation, all officers, directors and 10% beneficial owners of the registrant are deemed to be affiliates. Such determination should not be deemed to be an admission that such officers, directors or 10% beneficial owners are, in fact, affiliates of the registrant. The number of shares of registrant’s common stock outstanding as of February 21, 2024 was 61,985,870.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant’s definitive Proxy Statement for its 2024 Annual Meeting of Stockholders to be filed with the Securities and Exchange Commission pursuant to Regulation 14A not later than 120 days after the end of the fiscal year covered by this Annual Report on Form 10-K are incorporated by reference in Part III, Items 10-14 of this Annual Report on Form 10-K.




























Table of Contents
Page
PART I
Item 1.
Item 1A.
Item 1B.
Item 1C.
Item 2.
Item 3.
Item 4.
PART II
Item 5.
Item 6.
Item 7.
Item 7A.
Item 8.
Item 9.
Item 9A.
Item 9B.
Item 9C.
PART III
Item 10.
Item 11.
Item 12.
Item 13.
Item 14.
PART IV
Item 15.
Item 16.
















i

Special Note Regarding Forward-Looking Statements
This Annual Report on Form 10-K, including the sections entitled “Business,” “Risk Factors,” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” contains forward-looking statements that involve risks and uncertainties, as well as assumptions that, if they never materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Statements that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. Forward-looking statements are often identified by the use of words such as, but not limited to, “anticipate,” “believe,” “can,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “seek,” “should,” “target,” “will,” “would” and similar expressions or variations intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning the following:
• our ability to continue to add new customers, maintain existing customers and sell new products and professional services to new and existing customers;
• uncertain impacts that prolonged economic uncertainty may have on our business, strategy, operating results, financial condition and cash flows, as well as changes in overall level of software spending and volatility in the global economy;
• the effects of increased competition as well as innovations by new and existing competitors in our market;
• our ability to effectively restructure our business in alignment with our strategic priorities;
• our ability to adapt to technological change and effectively enhance, innovate and scale our solutions;
• our ability to effectively manage or sustain our growth and to attain and sustain profitability;
• our ability to diversify our sources of revenue;
• potential acquisitions and integration of complementary business and technologies;
• our expected use of proceeds from future issuances of equity or convertible debt securities;
• our ability to maintain, or strengthen awareness of, our brand;
• perceived or actual security, integrity, reliability, quality or compatibility problems with our solutions, including related to security breaches in our customers; systems, unscheduled downtime or outages;
• statements regarding future revenue, hiring plans, expenses, capital expenditures, capital requirements and stock performance;
• our ability to meet publicly announced guidance or other expectations about our business, key metrics and future operating results;
• our ability to maintain an adequate annualized recurring revenue growth;
• our ability to attract and retain qualified employees and key personnel and further expand our overall headcount;
• our ability to grow, both domestically and internationally;
• our ability to stay abreast of new or modified laws and regulations that currently apply or become applicable to our business both in the United States and internationally;
• our ability to maintain, protect and enhance our intellectual property;
• the outcomes of our initiatives that use artificial intelligence (“AI”);
• costs associated with defending intellectual property infringement and other claims; and
• the future trading prices of our common stock and the impact of securities analysts’ reports on these prices.
These statements represent the beliefs and assumptions of our management based on information currently available to us. Such forward-looking statements are subject to risks, uncertainties and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified below, and those discussed in the section titled “Risk Factors” included under Part I, Item 1A. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances that occur after the date of this report.
As used in this report, the terms “Rapid7,” the “company,” “we,” “us,” and “our” mean Rapid7, Inc. and its subsidiaries unless the context indicates otherwise.


1

Summary of Risk Factors
Our business is subject to numerous risks and uncertainties, including those described in Item 1A “Risk Factors”. These risks include, but are not limited to the following:
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to maintain and scale our infrastructure, systems and processes, our business and results of operations may be negatively affected.
Prolonged economic uncertainties or downturns could adversely affect our business.
Actions that we are taking to restructure our business in alignment with our strategic priorities may not be as effective as anticipated.
Real or perceived failures, errors or defects in our solutions could adversely affect our brand and reputation, which could have an adverse effect on our business and results of operations.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.
Our business and growth depend substantially on customers renewing and expanding their subscriptions with us. Any decline in our customer renewals or failure to convince customers to expand their use of our subscription offerings could adversely affect our future operating results.
If we or our third party service providers experience a security breach or unauthorized parties otherwise obtain access to our customers’ data, our reputation may be harmed, demand for our solutions may be reduced and we may incur significant liabilities.
We face intense competition in our market, which could adversely affect our business, financial condition, and results of operations.
If we are unable to successfully hire, train, and retain qualified personnel our business may suffer.
A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.
Because our products collect and store user and related information, domestic and international privacy and cybersecurity concerns, and other laws and regulations, could have a material adverse effect on our business.
If our customers are unable to implement our products successfully or we fail to maintain high quality customer support, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.
If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.
We may not be successful in our initiatives that utilize AI, which could adversely affect our business, reputation, or
financial results.
We use third-party software and data to operate certain functions of our business and deliver our offerings that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.
Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.
Organizations may be reluctant to purchase our cloud-based offerings due to the actual or perceived vulnerability of cloud solutions.
We have a significant amount of debt that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur additional debt in the future, which may adversely affect our operations and financial results. We may not have sufficient cash flow from our business to pay our substantial debt when due.
We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.
2

The summary risk factors described above should be read together with the text of the full risk factors below in the section entitled "Risk Factors" and the other information set forth in this Annual Report on Form 10-K (“Form 10-K”), including our consolidated financial statements and the related notes, as well as in other documents that we file with the U.S. Securities and Exchange Commission (“SEC”). The risks summarized above or described in full below are not the only risks that we face. Additional risks and uncertainties not precisely known to us or that we currently deem to be immaterial may also materially adversely affect our business, financial condition, results of operations, and future growth prospects.
3

PART I
Item 1. Business
Overview
Rapid7 is a global cybersecurity software and services provider on a mission to offer customers greater clarity and control of their attack surface through our comprehensive and consolidated security offerings. For more than twenty years, Rapid7 has partnered with customers across the globe representing a diverse range of industries and sizes to improve the efficacy and productivity of their security operations (“SecOps”). In today's rapidly evolving IT environment, customers are encountering escalating challenges due to the widening spectrum of attackers and techniques, including the proliferation of cyberattacks leveraging artificial intelligence (“AI”) and targeted automation. To fortify their security posture, organizations will require greater visibility, advanced capabilities leveraging increased expertise, and integrated data to effectively anticipate, identify, and respond to threats.
Through our security operations platform, anchored on our cloud security, security information and event management (“SIEM”), advanced detection and response, and vulnerability management offerings, we believe that Rapid7 is poised to expand the capabilities of today's SecOps teams. Rapid7 extends and expands the expertise of the Security Operations Center (“SOC") across information security, cloud operations, development, and IT teams, enabling them to better understand the attacker and leverage that information to take control of their fragmented attack surface. Enriched by years of managed services expertise, our integrated security operations platform enables SecOps teams to move away from a reactive approach, reduce their attack surface, and enhance response efficiency with a deep contextual understanding of their environment.
In the past few years, we have observed the industry undergoing a customer-driven shift to consolidated security platforms. As part of this transition, customers are moving away from cloud security as a specialized function towards cloud security as an integrated capability for SecOps teams. We view this as a demand driver for integrated SecOps, and believe that we have an opportunity to be a leader in delivering integrated risk and threat management across on-premise, cloud, and external attack surfaces. As we have shifted our strategic focus to SecOps consolidation, we are focused on continuing to drive innovation across our core products and capabilities to accelerate customer value and provide a frictionless and integrated cloud security experience.
As the threat landscape continues to grow in complexity, customers are demonstrating demand for integrated expertise to support them in effectively managing their security technologies. The convergence of these key trends – security consolidation, integrated cloud security, and expertise driven outcomes – are the foundation of what we view as the new extended SOC. Our focus is to be the leading provider of integrated security solutions for the extended SOC by providing risk and threat management within the context of overall security.
As of December 31, 2023, we had more than 11,500 customers that rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organizations. We have experienced strong revenue growth with revenue increasing from $326.9 million in 2019 to $777.7 million in 2023, representing a 24% compound annual growth rate.
In 2023, 2022 and 2021 recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 95%, 94% and 92%, respectively, of total revenue. We incurred net losses of $149.3 million, $124.7 million and $146.3 million in 2023, 2022 and 2021, respectively, as we continued to invest for long-term growth.
Our Platform
Our extended SOC platform provides a high level of scalability and combines integrated technology, managed services, threat intelligence, and threat-aware risk context, enabling us to anticipate, detect, and promptly respond to threats once identified. The platform was built using our extensive experience in collecting and analyzing data from diverse sources, including multi-cloud platforms, applications, endpoints and networks, to enable our customers to create and manage analytics-driven cybersecurity risk management programs. By utilizing our powerful proprietary analytics to assess and understand the context and relationships related to users, IT assets and cyber threats within a customer’s environment, our solutions make it easier for teams to identify and remediate vulnerabilities, monitor for misconfigurations and malicious behavior, investigate and shutdown attacks, and automate operations.




4


Endpoint to Cloud Data Collection and Sharing
In response to our customers’ expanding digital footprints, we have invested in our capacity to gather, standardize, enrich, and correlate diverse telemetry within our platform. Our cloud architecture utilizes a combination of native collection technologies and application programming interfaces, and third-party event sources, to scale in alignment with the digital transformation occurring within our customers’ organizations.
Rapid7 Insight Agent: Our universal endpoint agent, the Insight Agent, is a lightweight, software-based agent which can be installed on assets across on-premises and cloud environments to centralize and monitor data on our platform. This single agent enables a number of impactful use cases across the platform, including next-gen antivirus (“NGAV”), vulnerability scanning, endpoint detections, investigation and forensic search capabilities, and threat containment.
Rapid7 Insight Network Sensor: Our lightweight Insight Network Sensor passively analyzes raw end-to-end network traffic to increase visibility into user activity, pinpoint real threats, and accelerate investigations with granular detail of attacker movement.
Rapid7 Cloud Event Data Harvesting: Given the scale, complexity, and rapid evolution of modern dynamic cloud environments, real-time detection of risks and threats is paramount. Our event-driven harvesting offers visibility into changes made to vital cloud resources.
Third-Party Integrations and Ecosystem: We have integrations for hundreds of different technologies and solutions to deliver visibility across a customer’s attack surface customized to their unique ecosystem.
Orchestration and Automation: The connective tissue of our platform is our ability to orchestrate workflows across both our solutions and the customers’ wider security ecosystem. This connectivity enables our customers to focus on security outcomes, rather than systems integrations, and accelerates both tasks associated with the normal course of business, as well as time-sensitive containment and remediation activities to minimize exposure and eliminate threats.
Our Offerings
Our consolidation offerings combine our compelling platform technology and lean into vendor consolidation as well as the prioritization of security budgets around critical spending areas.
Rapid7 Managed Threat Complete (“MTC”) is our flagship offering and unifies the leading detection and response of Rapid7 Managed Detection and Response (“MDR”) and the robust exposure management of Rapid7 Managed Vulnerability Management (“MVM”) to manage customers’ most imminent risks, pinpoint and eliminate threats as early as possible, and build resiliency for their future. In addition to our MDR solution, customers purchasing MTC receive unlimited vulnerability management to minimize the potential of an attack and unlimited incident response which leverages our deep forensics capabilities. Customers are also able to add NGAV which delivers high-fidelity prevention against both known static threats and suspicious behavior before they execute, or Managed Digital Risk Protection (“MDRP”), which searches for potential threats from stolen or leaked data and phishing attempts.
MDR delivers end-to-end threat detection and response, encompassing 24x7 monitoring to incident containment to breach response.
MVM offloads day-to-day VM operations to experts and extends coverage across the attack surface.
Rapid7 Threat Complete unifies Rapid7 InsightIDR (“InsightIDR”) and Rapid7 InsightVM (“InsightVM”) to provide complete risk and threat coverage in a single offering. Using a shared agent, customers receive clarity and higher-efficacy detection coverage around priority vulnerabilities, enabling them to eliminate risks and threats faster across their environments.
InsightIDR is a next-generation SIEM and extended detection and response (“XDR”) solution that delivers highly efficient, accelerated detection and response.
InsightVM is a vulnerability management solution that provides visibility across on-premise and remote endpoints, enabling security teams to evaluate the business risk of vulnerabilities and configurations and share with their IT counterparts for remediation.
Rapid7 Cloud Risk Complete (“CRC”) combines the power of Rapid7 InsightCloudSec (“InsightCloudSec”), InsightVM, and for CRC advanced customers, Rapid7 InsightAppSec (“InsightAppSec”) to manage risk across hybrid environments. Our “Executive Risk View” dashboard provides extensive visibility, enabling users to clearly understand, communicate, and prioritize risk. With a single subscription, organizations can secure hybrid environments
5

from development to production; detect and address risk across endpoints, cloud workloads, and traditional infrastructure; and perform dynamic application security testing to remediate application risk.
InsightCloudSec is a cloud risk and compliance management solution that provides cloud native application protection platform capabilities and enables organizations to securely accelerate cloud adoption with continuous security and compliance throughout the entire software development lifecycle.
InsightAppSec is a dynamic application security testing tool, delivered via the cloud, that combines powerful application crawling and attack capabilities, flexibility in scan and scheduling, and accuracy in results with a modern user interface, intuitive workflows, and sensible data organization.
In addition to our consolidation offerings, we individually offer each of our platform solutions, including InsightIDR, InsightCloudSec, InsightIVM, InsightsAppSec, InsightConnect and Rapid7 Threat Command. Our platform products are available globally and reduce the need for customers to manage a large, complex, data infrastructure.
To complement our products, we offer a range of standalone managed services, including MDR, MVM, MDRP and Rapid7 Managed Application Security, based on our software solutions, and professional services, including penetration testing services, incident response services, security advisory services, and deployment and training. Our managed services are delivered out of our SOC’s located in the U.S., Ireland, Australia and the Czech Republic. Each of these SOC’s consist of security analysts, threat engineers, incident responders and customer advisors that provide full-lifecycle support for our global managed services customers.
Our Growth Strategy
Our goal is to help customers command their attack surface by helping them anticipate, pinpoint, and act on exposure-led threats from endpoint to the cloud. The main drivers of our growth strategy are:
Continued investments in product development: We intend to continue to invest in our product development to enhance our platform and deliver additional features to meet customer demand and grow our addressable markets.
Expanding Strategic Partnerships: By expanding our strategic partnerships with system integrators we enable our customers to succeed with our technology and platform in their ecosystem and deliver more value from their security operations program. Recent technology alliances that drive this experience include ServiceNow, Microsoft, AWS, GCP and Palo Alto Networks.
Grow our customer base: We believe we have a strong opportunity to address the security needs of resource constrained organizations of any size. We intend to continue to increase investments in our sales and marketing efforts and foster the growth of our channel relationships to enable acquisition of these customers.
Upsell and cross-sell to our existing customer base: We see significant opportunities to deepen our relationship with our existing customers. With a strong focus on customer experience, satisfaction, and the value proposition of our platform, we intend to expand customers' usage of products they own (upsell) and help them adopt additional products (cross-sell). Our platform consolidation offerings are helping our customers maximize their budgets and giving them command of their attack surface, becoming our most dominant customer acquisition and expansion motions.
Further strengthen our customer renewal rate: We intend to continue to drive customer satisfaction and renewals by offering professional services, support, and strong investments in customer success functions. Our customer success teams provide expertise to help our customers realize exceptional value and improve their security outcomes, leading to higher customer satisfaction.
Managed Security Service Providers (“MSSPs”): Our platform products enable MSSPs to expand existing services to include detection and response (XDR/SIEM/MDR), vulnerability management, cloud security, threat intelligence, and application security. These relationships also allow us to leverage MSSP expertise to further expand our customer outreach.
Channel partner ecosystem continued investment: We maintain a global channel partner network that complements our sales organization, particularly in Europe, the Middle East and Africa (“EMEA”); and Asia Pacific (“APAC”). We have established strong co-sell relationships with strategic channel partners, who provide additional leverage through customer acquisition, deal execution and providing value in securing renewals. We are focused on expanding our public cloud marketplace motion to support our customers’ move to those models. We will continue to invest in partner models that enable us to create long term customer value.
International expansion: We continue to make investments to expand our international presence. These include investments in infrastructure, sales and marketing, and strategic partnerships.
6

Strategic M&A: We have and may continue to make acquisitions that enhance the value of our Insight Platform and bolster our ability to solve emerging customer challenges, allowing us to deliver on the vision of becoming the SecOps leader.
Research & Development
We also invest substantial resources in research and development to enhance our core technology platform and products, develop new end market-specific solutions and applications, and conduct product and quality assurance testing. We partner with leading universities near our key centers to propel research and innovation and build a talent pipeline. We employ product, engineering and research professionals with a diverse skill set that includes data collection and analytics, AI, SaaS delivery, cloud-native development, and deep security expertise, and research capabilities.
Our experienced research team regularly reviews trending insights from our Platform and broader open source community to prepare industry reports and resources. This includes regular threat reports, common vulnerabilities and exposures, and skunkworks research to spotlight specific security concerns. This focus and intentionality around understanding the attacker mindset is a big part of our Rapid7 culture and is infused into our product development and engineering ethos.
Our research and development teams are located in Boston, Massachusetts; Austin, Texas; Arlington, Virginia; Dublin and Galway, Ireland; Belfast, Northern Ireland; and Tel Aviv, Israel, providing us with exposure to worldwide engineering talent. We are also establishing a new development and service center in Prague, Czech Republic that we anticipate will continue to grow over the next year.
Rapid7 Labs: Open Source Community
Our industry-leading attack experts analyze vulnerabilities, misconfigurations, and threat data to offer proactive guidance for organizations’ security programs. Leveraging threat intelligence from our free and open-source projects, we continuously enhance our products and services to improve the customer experience.

Metasploit: Our Metasploit framework has an active community of contributors and users, including security researchers who contribute modules to the Metasploit Framework that serve as a resource about real-world attacker techniques. The Metasploit community also provides us with visibility into new cyber attacks as they occur and a deeper understanding of attacker behaviors.
Project Lorelei: Project Lorelei began in 2014 to understand what attackers, researchers, and organizations are doing in, across, and against cloud environments and gain deeper insights into the tactics, techniques, and procedures employed by both bots and human attackers.
Project Sonar: We conduct internet-wide scans across many services and protocols to gain insight into global exposures and vulnerabilities and collect data for platform analytics and preparation of core research reports.
Velociraptor Open Source Digital Forensic and Incident Response ("DFIR"): Velociraptor is an open-source endpoint monitoring, digital forensic and cyber response platform. It was developed by DFIR professionals as an efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints.
Threat Intelligence and Detections Engineering
Rapid7’s threat content library leverages unique raw threat from our open source communities, as well as expertly vetted third party intelligence, and insights from across our platform, to provide customers with a curated repository of detections and emergent threat coverage. With a combination of proprietary AI-driven detections and indicators of compromise mapped to the MITRE framework, our detection content spans both known and unknown threats across the threat life cycle. When analyzed against the diverse telemetry data, this content enables us to pinpoint threats across endpoints, network, users, cloud, and customers’ wider ecosystem. This library is leveraged by our Rapid7 MDR services as well as within our InsightIDR technology, meaning alerts are vetted in the field by our security experts, offering a feedback loop and ensuring strong signal-to-noise alerting.
Professional Services
Our professional services offerings include, but are not limited to, Penetration Testing, Cybersecurity Maturity Assessments, Security & Incident Response Program Development Services, Internet of Things & Internet Embedded Device testing as well as Threat Modeling, TableTop Exercises and Incident Response services. In addition, we offer deployment and training services related to our platform, to further help customers operationalize and customize their platform experience. By accessing our security talent, we help organizations develop an approach and road map to further mature and strengthen their security programs.
7

Our Customers
Our customer base has grown from approximately 10,000 customers at the end of 2021 to more than 11,500 customers as of December 31, 2023, in 151 countries, including 40% of the organizations in the Fortune 100. We define a customer as any entity that has an active Rapid7 recurring revenue contract as of the specified measurement date, excluding only InsightOps and Logentries customers with a contract value less than $2,400 per year.
Our customers span a wide variety of industries including manufacturing, financial services, healthcare and life sciences, retail, technology, government, media and entertainment, energy, education, transportation, real estate, and other professional services, with customers in the manufacturing industry representing our largest industry in 2023 at 15% of our revenue. In 2023, 45% of our revenue was generated from enterprises, which we define as organizations that have either annual revenue greater than $1.0 billion or more than 2,500 employees, and the balance was generated from middle-market and small organizations.
Our revenue is not concentrated with any individual customer, with no customers representing more than 1% of our revenue in 2023, 2022 or 2021.
Our Competition
The markets we operate in are highly competitive, fragmented, and subject to technology change and innovation. We primarily compete with established and emerging security product vendors, including the following:
large companies that incorporate security features into their products;
XDR and SIEM vendors;
cloud security vendors;
vulnerability risk management vendors;
application security vendors;
threat intelligence vendors; and
legacy security, systems management, MSSPs, and other IT vendors.
We compete on the basis of a number of factors, including:
product functionality;
breadth of offerings;
depth and expertise of our security service providers;
performance;
brand name, reputation and customer satisfaction;
ease of implementation, use and maintenance;
total cost of ownership; and
scalability, reliability and security.
Some of our competitors have greater sales, marketing and financial resources, more extensive geographic presence or greater brand awareness than we do. We may face future competition in our markets from other large, established companies, as well as from emerging companies. In addition, we expect that there is likely to be continued consolidation in our industry that could lead to increased price competition and other forms of competition. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. Conditions in our market could change rapidly and significantly as a result of technological advancements, including with respect to AI. Our competitors may more successfully incorporate AI into their products, gain or leverage superior access to certain AI technologies, and achieve higher market acceptance of their AI solutions. For further discussion of the risks related to AI, please see below under “Risks Related to Intellectual Property, Litigation and Government Regulation."
Government Regulations
We are subject to various federal, state and international laws and regulations that affect our business, including those relating to the privacy and security of customer and employee personal information and export or import of our products to certain countries, governments or entities. Additional laws in all of these areas are likely to be passed in the future, which could result
8

in significant limitations on or changes to the ways in which we can collect, use, host, store or transmit the personal information and data of our customers or employees, communicate with our customers, and deliver products and services, which may significantly increase our compliance costs.
Intellectual Property
Our future success and competitive position depends in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patents, trademarks, copyrights, trade secrets, employee and third-party nondisclosure agreements, licensing arrangements and other contractual protections to protect our intellectual property in the United States and other jurisdictions.
We have over two hundred issued patents and a number of registered and unregistered trademarks. The standard length of our patents is 20 years and while the grant dates of our patents vary, we believe that the duration of our issued patents is sufficient when considering the expected lives of our products. We file patent applications to protect our intellectual property and have a number of patent applications pending. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. Although we rely on intellectual property rights, including trade secrets, patents, copyrights and trademarks, as well as contractual protections to establish and protect our proprietary rights, we believe that factors such as the technological and creative skills of our personnel, creation of new modules, features and functionality, and frequent enhancements to our solutions are more essential to establishing and maintaining our technology leadership position.
We also license software from third parties for integration into our offerings, including open source software and other software available on commercially reasonable terms. We believe our continuing research and product development are not materially dependent on any single license or other agreement with a third party relating to the development of our products.
Human Capital
Rapid7 is dedicated to making the best in security operations achievable for all, and our employees are critical to achieving this mission. In order to continue to innovate, compete and succeed in our highly competitive and rapidly evolving market, it is crucial that we continue to attract and retain experienced employees. As part of these efforts, we strive to offer a competitive compensation and benefits program and foster a community where everyone feels included and empowered to do their best work.
As of December 31, 2023, we had 2,228 full-time employees, including 418 in product and service delivery and support, 840 in sales and marketing, 692 in research and development and 278 in general and administrative. As of December 31, 2023, we had 1,277 full-time employees in the U.S. and 951 full-time employees internationally. None of our U.S. employees are covered by collective bargaining agreements. We believe our employee relations are good and we have not experienced any work stoppages.
Compensation, Benefits and Well-being
Our compensation program is designed to attract and reward talented individuals who possess the skills necessary to support our business objectives, assist in the achievement of our strategic goals and create long-term value for our stockholders and fit within our company culture. In addition to their base salary, eligible employees are compensated for their contributions to the Company’s goals with short-term incentives and long-term equity awards tied to the value of our stock price. We believe that a compensation program with both short-term and long-term awards provides fair and competitive compensation and aligns employee and stockholder interests, including by incentivizing business and individual performance (pay for performance), motivating based on long-term company performance and integrating compensation with our business plans. In addition to cash and equity compensation, we also offer employees a wide array of benefits such as life and health (medical, dental and vision) insurance, travel benefits, paid time off and retirement benefits for all eligible full-time employees, We also provide emotional well-being services through our Employee Assistance Program.
All high performing employees globally are eligible to receive equity under our 2015 Equity Incentive Plan (the “2015 Plan”). Additionally, all employees in the United States, United Kingdom, Ireland, Canada, Australia, Germany and Israel may participate in our Employee Stock Purchase Plan (“ESPP”). As of December 31, 2023, over 90% of our employees were eligible to participate in the ESPP. Under the ESPP, employees may set aside up to 15% of their gross earnings, on an after-tax basis, to purchase our common shares at a discounted price, which is calculated at 85% of the lesser of: (i) the market value of our common stock at the beginning of each offering period and (ii) the market value of our common stock on the applicable purchase date.
We have evolved to a hybrid-first model, in which our employees who are assigned to an office can divide their time between the office and home. We are often iterating our approach to ensure we are balancing the needs of the business with the desires of our people, but remain committed to our view that offices remain a vital environment for fostering mentorship, career
9

development and collaboration. Additionally, we believe gathering in person allows our people to foster stronger relationships and trust, and helps to contribute to our great work culture.
Talent Development
We believe in investing in the growth and development of all of our employees. “Never Done” is one of our core values, and our employees take advantage of a myriad of opportunities for continuous learning, both through internal training and development experiences, on-demand learning modules, and access to content-specific curriculum based on need and interest. We have designed and implemented learning experiences for our employees at every stage of their careers. including personalized leadership development experiences that build capabilities for both non-technical and technical leaders and managers at each stage of the leadership journey. These experiences align to our core values and promote the leadership skills and behaviors we believe are critical to the success of our mission, customers, and development of our people. As a supporter of internal career growth, we actively mentor and invest in the pipeline of our future leaders. Additionally, new employees engage in our 90-day onboarding experience which is intended to support the embodiment of our core values, and shorten their time to create impact.
To supplement our internal learning experiences, as well as provide opportunities for independent study, employees have access to online education tools, including a digital library, to build the necessary skills to pursue additional certifications related to one’s role. To further invest in the future of cybersecurity and to deliver on our company mission, we created a platform that includes the most recent product training materials, as well as makes certification exams available at zero cost. Electronic certificates can be published to an employee’s LinkedIn professional profile, and the CPEs associated with the exam and learning materials help cybersecurity professionals maintain their minimum “continuing development” points for their professional certifications such as Certified Information Systems Security Professional, Global Information Assurance Certification and Certified Professional Hacker. We believe our investment in these resources, along with flexible working environments, will support our employees in their pursuit of lifelong learning.
We believe we will positively impact the experience of our customers by focusing on the development and engagement of our employees.
Diversity, Equity and Inclusion
Fostering a culture that values the principles of diversity, equity, and inclusion is an essential and fundamental aspect of who we are. We strive to create an environment where every individual, regardless of their background, feels valued and empowered. Diversity, equity and inclusion are key drivers of creativity and innovation, and we know that when teams embrace these drivers, they are able to make better business decisions, which ultimately drive better business outcomes. Our commitment extends beyond just words, it is an ongoing investment that is visible in our partnerships, yearly programming, internal events, training and development and available resources.
Over the past year we have made significant progress on internal programming and support, which in turn allowed us for the first time to be featured on the Human Rights Campaign Equality Index. Our employee resource groups offered roundtables and educational sessions focused on embracing identity, navigating difficult conversations, building a personal brand and reputation, advocating for yourself, celebrating and supporting those who are neurodivergent and more. We welcomed the launch of our newest employee resource group established to create intentional space for those identifying as LatinX and/or Hispanic. We continue to offer our comprehensive e-learning program on diversity, equity, and inclusion, for all new hires. Our efforts also extended to our global talent acquisition teams, holding in-person and virtual training, focused on leveraging the key tenets of cultural competency to support our ongoing efforts to build multidimensional talent pipelines. In addition, all our employees now have access to education geared toward collaborating with supporting neurodivergent team members.
Community Involvement & The Rapid7 Cybersecurity Foundation
We give back to the communities where we live and work, and believe that this commitment helps in our efforts to attract and retain employees. We partner with a variety of STEM and inclusion-focused programs to promote technology education for all. Beyond contributions of cash, we encourage employee volunteerism at all our locations. In 2021, we formed the Rapid7 Cybersecurity Foundation (the “Foundation”). The Foundation’s mission, which aligns closely to that of Rapid7, is to promote a more diverse and inclusive cyber workforce and advance security by supporting cybersecurity programs and solutions that are free and open. These include, among others, Hack.Diversity, the Cyber Peace Institute and its program Cyber Peace Builders and Cyversity. After seeding the Foundation with an initial contribution of $1.0 million in 2021, Rapid7 continued its support of the Foundation with an additional investment of $0.5 million in 2022.
In February 2023, Rapid7 and its Foundation announced a multi-year partnership and a $1.5 million dollar commitment to create the Rapid7 Cyber Threat Intelligence Lab at the University of South Florida (“USF”). The goal of the interdisciplinary lab at USF is to catalyze new collaborative research efforts in cyber threat detection, track malicious threat actors through an extensive sensor network, support an inclusive approach to diverse talent development in cybersecurity, and serve as a hub for thought leadership and community-engaged programming both locally and within the global cybersecurity industry.
10

Corporate Information
Our principal executive offices are located at 120 Causeway Street, Boston, Massachusetts. Our telephone number is +1 617-247-1717. Our website address is www.rapid7.com.
“Rapid7,” the Rapid7 logo, and other trademarks or service marks of Rapid7, Inc. appearing in this Annual Report on Form 10-K are the property of Rapid7, Inc. This Annual Report on Form 10-K contains additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or TM symbols. The information contained on our website or information that may be accessed through links on our website is not incorporated by reference into this Annual Report on Form 10-K.
Available Information
Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to these reports filed pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, as amended, are made available free of charge on or through our website at investors.rapid7.com as soon as reasonably practicable after such reports are filed with, or furnished to, the SEC.

11

Item 1A. Risk Factors.
Our operations and financial results are subject to various risks and uncertainties including those described below. You should consider carefully the risks and uncertainties described below, in addition to other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and related notes, as well as our other public filings with the Securities and Exchange Commission (the SEC). The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business. If any of the following risks or others not specified below materialize, our business, financial condition and results of operations could be materially adversely affected. In that event, the trading price of our common stock could decline. Please also see Special Note Regarding Forward-Looking Statements.
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our operating results, including the levels of our revenue, annualized recurring revenue (“ARR”), cash flow, deferred revenue and gross margins, have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
the level of demand for our products and service offerings;
customer renewal rates and ability to attract new customers;
the extent to which customers purchase additional products or service offerings;
the mix of our products, as well as service offerings, sold during a period;
the ability to successfully grow our sales of our cloud-based solutions, including through the shift to a consolidated platform sales approach;
the level of perceived threats to organizations’ cybersecurity;
network outages, security breaches, technical difficulties or interruptions with our products;
changes in the growth rate of the markets in which we compete;
sales of our products and service offerings due to seasonality and customer demand;
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors and initiatives that use artificial intelligence (“AI”);
the introduction or adoption of new technologies that compete with our offerings;
decisions by potential customers to purchase cybersecurity products or service offerings from other vendors;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
price competition;
our ability to successfully manage and integrate any acquired businesses, including without limitation, the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies;
business disruptions in regions affecting our operations, stemming from actual, imminent or perceived outbreak or reemergence of contagious disease;
our ability to increase, retain and incentivize the channel partners that market and sell our products and service offerings;
our continued international expansion and associated exposure to changes in foreign currency exchange rates;
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates that impact our business or industry;
the cost or results of existing or unforeseen litigation and intellectual property infringement;
the strength of regional, national and global economies;
12

the impact of climate change, natural disasters or manmade problems, including terrorism or war (such as the Russia- Ukraine war and the Israel-Hamas conflict); and
future accounting pronouncements or changes in our accounting policies or practices.
Each factor above or discussed elsewhere herein or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.
Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to maintain and scale our infrastructure, systems and processes, our business and results of operations may be negatively affected.
From the year ended December 31, 2019 to the year ended December 31, 2023, our revenue grew from $326.9 million to $777.7 million and our headcount grew from 1,544 to 2,228 employees. Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. Although we have experienced rapid growth historically, we cannot provide any assurance that our business will continue to grow at the same rate or at all.
As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.
To continue to grow and expand our business while meeting the performance and other requirements of our customers, we intend to continue to make significant financial and operational investments. Our future success will depend in part on our ability to manage our growth effectively, which will require us to, among other things:
maintain and expand our customer base, including through continued investments and strategies to evolve to a consolidated platform sales approach;
increase revenues from existing customers through increased or broader use of our products and professional services within their organizations;
improve the performance and capabilities of our products through research and development;
continue to develop our cloud-based solutions;
maintain the rate at which customers purchase and renew subscriptions to our cloud-based solutions, content subscriptions, maintenance and support and managed services;
continue to successfully expand our business domestically and internationally;
continue to improve our key business applications, processes and IT infrastructure to support our business needs and appropriately documenting such systems and processes;
continue to effectively attract, integrate and retain employees, particularly members of our sales and marketing and research and development teams;
enhance our information and communication systems to ensure that our employees and offices around the world are well coordinated and can effectively communicate with each other and our growing base of customers and partners;
improve our financial, management, and compliance systems and controls; and
successfully compete with other companies.
If we fail to achieve these objectives effectively, our ability to manage our expected growth may be impaired and we may be unable to maintain the quality of our offerings, consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our prior quarterly or annual periods performance as any indication of our future growth.
13

We have not been profitable historically and may not achieve or maintain profitability in the future.
We have posted a net loss in each year since inception, including net losses of $149.3 million, $124.7 million and $146.3 million in the years ended December 31, 2023, 2022 and 2021, respectively. As of December 31, 2023, we had an accumulated deficit of $1.0 billion. While we have experienced significant revenue growth in recent periods, we may not obtain a high enough volume of sales of our products and service offerings to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we expect to continue to expend financial and other resources on:
research and development related to our offerings, including investments in our research and development team;
sales and marketing, including a continued expansion of our sales organization, both domestically and internationally;
continued international expansion of our business;
strategic acquisitions and expansion of our partner ecosystem; and
general and administrative expenses as we continue to implement and enhance our administrative, financial and operational systems, procedures and controls.
These investments may not result in increased revenue or growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.
Prolonged economic uncertainties or downturns could adversely affect our business.
Prolonged economic uncertainties or downturns could adversely affect our business operations or financial results. Negative conditions in the general economy in either the United States or abroad, including conditions resulting from financial and credit market fluctuations, changes in economic policy, inflation, foreign currency exchange rate fluctuations, trade uncertainty, including changes in tariffs, sanctions, international treaties, and other trade restrictions, the occurrence of a natural disaster, outbreaks of epidemics or pandemics such as COVID-19, political unrest and social strife, including acts of terrorism, armed conflicts, such as the one between Russia and Ukraine and the Israel-Hamas conflict, have caused and could continue to cause a decrease in corporate spending on security offerings or information technology in general and negatively affect the rate of growth of our business.
Our customer base spans a variety of industries, including the business services, energy, financial services, healthcare and pharmaceuticals, technology, manufacturing, media and entertainment, online services, retail, telecommunications and travel and transportation industries. A substantial downturn in any of these industries may cause companies to reduce their capital expenditures in general or by specifically reducing their spending on information technology or security offerings. As a result, our current or prospective customers in these industries may delay or cancel information technology projects or seek to lower their costs by renegotiating vendor contracts. For example, due to economic volatility as a result of inflationary pressures and other global events, we have and may continue to see delays in our sales cycle, failures of customers to renew at all or to renew the anticipated scope their subscriptions with us, requests from customers for payment term deferrals as well as pricing or bundling concessions, which, if significant, could materially and adversely affect our business, results of operations and financial condition. To the extent purchases of our offerings are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general information technology spending. Also, customers may choose to develop in-house software as an alternative to using our offerings. Moreover, competitors may respond to market conditions by lowering prices and attempting to lure away our customers. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our offerings.
In addition, adverse economic conditions, including inflation, may also increase the costs of operating our business, including vendor, supplier and workforce expenses.
We cannot predict the timing, strength or duration of any economic slowdown, instability or recovery, generally or within any particular industry or geography. Although we expect that our current cash and cash equivalent balances, including the proceeds of our offering of convertible senior notes in September 2023, together with cash flows that are generated from operations and availability under our revolving credit facility, will be sufficient to meet our domestic and international working capital needs and other capital and liquidity requirements for at least the next 12 months, if the economic conditions of the general economy or industries in which we operate worsen from present levels, our business operations and financial results could be adversely affected.
14

Macroeconomic events and conditions, such as those discussed above, may also have the effect of heightening many of the other risks described in this “Risk Factors” section, including risks associated with our guidance, our customers, our potential customers, our market opportunity, renewals and sales cycle, among others.
Actions that we are taking to restructure our business in alignment with our strategic priorities may not be as effective as anticipated.
In August of 2023, our Board approved the Restructuring Plan designed to improve operational efficiencies, reduce operating costs and better align the Company’s workforce with current business needs, top strategic priorities, and key growth opportunities. The Restructuring Plan included the reduction of our workforce by approximately 16%. We may encounter challenges as a result of these restructuring efforts and our reduction in force that could prevent us from recognizing the intended benefits of the Restructuring Plan or otherwise adversely affect our business, results of operations and financial condition. As of February 26, 2024, the execution of the Restructuring Plan has been substantially completed.
As a result of the Restructuring Plan, we have incurred and may continue to incur additional costs in the short-term, including cash expenditures for employee transition, notice period and severance payments, employee benefits, and related facilitation costs as well as non-cash expenditures related to acceleration of vesting of share-based awards. These additional cash and non-cash expenditures could have the effect of reducing our operating margins. Our Restructuring Plan may result in other unintended consequences, including employee attrition beyond our intended reduction in force, which may also be further exacerbated by the actual or perceived declining value of our equity awards; damage to our corporate culture and decreased employee morale among our remaining employees; diversion of management attention; damage to our reputation as an employer, which could make it more difficult for us to hire new employees in the future; and the loss of institutional knowledge and expertise of departing employees. If we experience any of these adverse consequences, our Restructuring Plan may not achieve or sustain its intended benefits, or the benefits, even if achieved, may not be adequate to meet our long-term profitability and operational expectations, which could adversely affect our business, results of operations and financial condition.
In connection with the Restructuring Plan, we permanently closed certain idle office spaces in Plano, Texas, Los Angeles, California and Toronto, Canada, which resulted in an impairment loss of $3.6 million recorded in 2023. Refer to Note 12, Leases, and Note 19, Restructuring, in the Notes to our Consolidated Financial Statements for further details regarding the impairment of long-lived assets. While we believe the assumptions used in determining whether there was impairment and the amount of any resulting impairment were reasonable and commensurate with the views of a market participant, changes in key assumptions in the future, including increasing the discount rate, lowering forecasts for revenue and operating margin, or lowering the long-term growth rate, could result in additional charges; similarly, one or more changes in these assumptions in future periods due to changes in circumstances could result in future impairments in this reporting unit or other reporting units.
In addition, our Restructuring Plan could lead us to fail to meet, or cause delays in meeting, our operational and growth targets. While positions have been eliminated, functions that they performed remain necessary to our operations, and we may be unsuccessful in effectively and efficiently distributing the duties and obligations of departed employees among our remaining employees. The Restructuring Plan could also prevent us from pursuing new opportunities and initiatives or require us to adjust our growth strategy. As we continue to identify areas of cost savings and operating efficiencies, we may consider implementing further measures to reduce operating costs and improve operating margins. We may not be successful in implementing such initiatives, including as a result of factors beyond our control. If we are unable to realize the anticipated savings and efficiencies from our Restructuring Plan and/or accomplish our business and strategic initiatives, our business, results of operations and financial condition could be materially and adversely affected. Refer to Note 19, Restructuring, in the Notes to our Consolidated Financial Statements for further details regarding the Restructuring Plan.
Our business and growth depend substantially on customers renewing and expanding their subscriptions with us. Any decline in our customer renewals or failure to convince customers to expand their use of our subscription offerings could adversely affect our future operating results.
Our subscription offerings are sold on a term basis. In order for us to improve our operating results, it is important that our existing customers renew their subscriptions with us when the existing subscription term expires, and renew on the same or more favorable terms. Our customers have no obligation to renew their subscriptions with us and we may not be able to accurately predict customer renewal rates. Our customers’ renewal rates may decline or fluctuate as a result of a number of factors, including their satisfaction or dissatisfaction with our new or current product offerings, our pricing, the effects of economic conditions, including due to a global economic slowdown, inflation, foreign currency exchange rate fluctuation, the Russia-Ukraine war, the Israel-Hamas conflict and any global economic uncertainty and financial market disruptions, competitive offerings, our customers' perception of their exposure, or alterations or reductions in their spending levels. If our customers do not renew their agreements with us or renew on terms less favorable to us, our revenues and results of operations may be adversely impacted.
15

Our future growth is also affected by our ability to sell additional offerings to our existing customers, which depends on a number of factors, including customers’ satisfaction with our products and services and general economic conditions. If our efforts to cross-sell and upsell to our customers are unsuccessful, the rate at which our business grows might decline.
If our new and existing product offerings and product enhancements do not achieve sufficient market acceptance, our financial results and competitive position will suffer.
Our business substantially depends on, and we expect our business to continue to substantially depend on, sales of our platform solutions. As such, market acceptance of our platform solutions is critical to our continued success. Demand for platform solutions are affected by a number of factors beyond our control, including continued market acceptance of cloud-based offerings, the timing of development and release of new products by our competitors, technological change, and growth or contraction in our market and the economy in general. If we are unable to continue to meet customer demands or to achieve more widespread market acceptance of our platform solutions, including through evolution of our sales model to a consolidated platform sales approach, our business operations, financial results and growth prospects will be materially and adversely affected.
We spend substantial amounts of time and money to research and develop or acquire new offerings and enhanced versions of our existing offerings to incorporate additional features, improve functionality or other enhancements in order to meet our customers’ rapidly evolving demands. In addition, we continue to invest in solutions that can be deployed on top of our platform to target specific use cases and to cultivate our community. When we develop a new or enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. For example, if our recent product expansions and offerings, such as our consolidation offerings, do not garner widespread market adoption and implementation, or our consolidated platform sales approach is not successful, our financial results and competitive position could suffer.
Further, we may make changes to our offerings that our customers do not like, find useful or agree with. We may also discontinue certain features, begin to charge for certain features that are currently free or increase fees for any of our features or usage of our offerings.
Our new and existing offerings or product enhancements and changes to our existing offerings could fail to attain sufficient market acceptance for many reasons, including:
our failure to predict market demand accurately in terms of product functionality and to supply offerings that meet this demand in a timely fashion, including declines in demand as a result of the broader macroeconomic environment;
the failure of our consolidated platform sales approach in execution or timing or both;
real or perceived defect, errors or failures;
negative publicity about their performance or effectiveness;
delays in releasing to the market our new offerings or enhancements to our existing offerings;
introduction or anticipated introduction of competing products by our competitors;
inability to scale and perform to meet customer demands;
poor business conditions for our customers, causing them to delay IT purchases, including as a result of the COVID-19 pandemic; and
reluctance of customers to purchase cloud-based offerings.
If our new or existing offerings or enhancements and changes do not achieve adequate acceptance in the market, our competitive position will be impaired, and our revenue, business and financial results will be negatively impacted. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred in connection with the new offerings or enhancements.
16

We face intense competition in our market, which could adversely affect our business, financial condition, and results of operations.
The market for SecOps solutions is highly fragmented, intensely competitive and constantly evolving. We compete with an array of established and emerging security software and services vendors. With the introduction of new technologies and market entrants, we expect the competitive environment to remain intense going forward. The markets we operate in are highly competitive, fragmented, and subject to technology change and innovation. We primarily compete with established and emerging security product vendors, including the large companies that incorporate security products into their products; XDR and SIEM vendors; cloud security vendors; vulnerability risk management vendors; application security vendors; threat intelligence vendors; and legacy security, systems management, MSSP, and other IT vendors.
Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business user recognition, larger and more mature intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is becoming increasingly competitive. Larger and more established companies may focus on security operations and could directly compete with us. Smaller companies could also launch new products and services that we do not offer and that could gain market acceptance quickly.
Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. Conditions in our market could change rapidly and significantly as a result of technological advancements, including with respect to AI. Our competitors may more successfully incorporate AI into their products, gain or leverage superior access to certain AI technologies, and achieve higher market acceptance of their AI solutions. For further discussion of the risks related to AI, please see below under “Risks Related to Intellectual Property, Litigation and Government Regulation”.
In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our offerings and cause the average sales price for our offerings to decline. These larger competitors are also often in a better position to withstand any significant reduction in spending by customers, and will therefore not be as susceptible to economic downturns.
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do.
These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced renewals, reduced revenue and gross margins, and loss of market share. Any failure to address these factors could seriously harm our business and operating results.
For all of these reasons, we may not be able to compete successfully against our current or future competitors, or we may be required to expend significant resources in order to remain competitive. If our competitors are more successful than we are in developing new product and service offerings or in attracting and retaining customers, our business, financial condition and results of operations could be adversely affected.
If we are unable to successfully hire, train, and retain qualified personnel our business may suffer.
We continue to be substantially dependent on our sales force to obtain new customers and increase sales with existing customers. Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales, marketing and research and development. In addition, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the recent cybersecurity attacks on global corporations and governments. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain sufficient qualified employees in the future particularly in tight labor markets. In addition, the change by us and other companies to offer a remote or hybrid work environment may increase the competition for such employees from employers outside of our traditional office locations. Our workforce has evolved to a hybrid-first model following the COVID-19 pandemic, which requires regular in-office attendance but utilizes a hybrid approach. While we intend to continue iterating our
17

approach to ensure we are balancing the needs of the business with the desires of our people, we may face difficulty in hiring and retaining our workforce as a result of this shift to have greater in-office attendance. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or service offerings or market our existing products or service offerings at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.
We believe that our corporate culture has been a critical component to our success. We have invested substantial time and resources in building our team. As we grow and mature as a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could negatively affect our future success, including our ability to attract, motivate and retain personnel and effectively focus on and pursue our business strategy.
Our hybrid working model and use of service providers with remote working arrangements also subjects us to heightened operational risks. For example, technologies in our employees’ and service providers’ homes when they are working remotely may not be as robust as in our offices and could cause the networks, information systems, applications, and other tools available to employees and service providers to be more limited or less reliable than in our offices. Further, the security systems in place at our employees’ and service providers’ homes may be less secure than those used in our offices, and while we have implemented technical and administrative safeguards to help protect our systems as our employees and service providers work from home, we may be subject to increased cybersecurity risk, which could expose us to risks of data or financial loss, and could disrupt our business operations. There is no guarantee that the data security and privacy safeguards we have put in place will be completely effective or that we will not encounter risks associated with employees and service providers accessing company data and systems remotely.
Our sales cycle may be unpredictable.
The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the size of the organization, budgetary constraints, nature of the product or service under consideration and the seniority of the approval required. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.
A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.
We market and sell our products and service offerings throughout the world and have personnel in many parts of the world. For the years ended December 31, 2023, 2022 and 2021, operations located outside of North America generated 22%, 21% and 19%, respectively, of our revenue. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. We cannot assure you that our expansion efforts into international markets will be successful in creating further demand for our products and service offerings or in effectively selling our products and service offerings in the international markets that we enter. Our current international operations and future initiatives will involve a variety of risks, including:
increased management, infrastructure and legal costs associated with having international operations;
reliance on channel partners;
trade and foreign exchange restrictions;
economic or political instability or uncertainty in foreign markets and around the world;
foreign currency exchange rate fluctuations;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
changes in regulatory requirements, including, but not limited to data privacy, data protection and data security regulations;
18

difficulties and costs of staffing and managing foreign operations;
the uncertainty and limitation of protection for intellectual property rights in some countries;
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
the potential for political unrest, acts of terrorism, hostilities or war;
management communication and integration problems resulting from cultural differences and geographic dispersion;
costs associated with language localization of our products;
increased exposure to climate change, natural disasters, acts of war (including the Russia-Ukraine war and the Israel-Hamas conflict), terrorism, epidemics, or pandemics and other health crises, including the ongoing COVID-19 pandemic; and
costs of compliance with multiple and possibly overlapping tax structures.
Our business, including the sales of our products and service offerings by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations.
Further, in late February 2022, Russian military forces launched a significant military action against Ukraine. While our business and operations have not been significantly impacted, it is not possible to predict the broader or longer-term consequences of this crisis. Consequences of the crisis could include further sanctions, embargoes, regional instability, geopolitical shifts and adverse effects on macroeconomic conditions, security conditions, currency exchange rates and financial markets. There can be no assurance that the Russia-Ukraine war, including any resulting sanctions, export controls or other restrictive actions, will not have a material adverse impact on our future operations and results.
If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.
We recognize a significant percentage of our revenue ratably over the term of our agreements with customers, and as a result, downturns or upturns in sales may not be immediately reflected in our operating results.
We recognize a significant percentage of our revenue ratably over the various terms of our agreements with customers. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the applicable term.
We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our business. We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.
19

We may be unable to rapidly and efficiently adjust our cost structure in response to significant revenue declines, which could adversely affect our operating results.
If our customers are unable to implement our products successfully or we fail to maintain high quality customer support, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
Our products are deployed in a wide variety of IT environments, including large-scale, complex infrastructures, and we often must assist our customers in achieving successful implementations for such large, complex deployments. In the past, some of our customers have experienced difficulties implementing our products and may experience implementation difficulties in the future. If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
In addition, in order for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, including remote devices, and our products must be able to effectively adapt to and track these changes. We must be able to interoperate and provide our security offerings to customers with these highly complex and customized networks, which requires significant coordination between our customers, our customer support teams and our channel partners.
Once our products are deployed within our customers’ networks, our customers depend on our technical and other customer support services to resolve any issues relating to the implementation and maintenance of our products. If we do not effectively assist our customers in deploying our products, help our customers quickly resolve post-deployment issues or provide effective ongoing support, our ability to renew or sell additional products or service offerings to existing customers would be adversely affected and our reputation with potential customers could be damaged. Further, to the extent that we are unsuccessful in hiring, training and retaining adequate technical and customer support and success personnel, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our offerings will be adversely affected.
Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies. We also may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful.
Achieving the anticipated benefits of past or future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner and successfully market and sell these as new product offerings, or as new features within our existing offerings. For example, on March 14, 2023, we acquired Minerva Labs Ltd., a leading provider of anti-evasion and ransomware prevention technology. The integration of any acquisition may prove to be difficult due to the necessity of coordinating geographically separate organizations and integrating personnel with disparate business backgrounds and accustomed to different corporate cultures and business operations and internal systems. We may need to implement or improve controls, procedures, and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies. The acquisition and integration processes are complex, expensive and time consuming, and may cause an interruption of, or loss of momentum in, product development, sales activities and operations of both companies. Further, we may be unable to retain key personnel of an acquired company following the acquisition. If we are unable to effectively execute or integrate acquisitions, the anticipated benefits of such acquisition, including sales or growth opportunities or targeted synergies may not be realized, and our business, financial condition and operating results could be adversely affected.
In addition, we may only be able to conduct limited due diligence on an acquired company’s operations or may discover that the products or technology acquired were not as capable as we thought based upon the initial or limited due diligence. Following an acquisition, we may be subject to unforeseen liabilities arising from an acquired company’s past or present operations and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any unforeseen liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.
We have provided and may continue to provide guidance about our business, future operating results and key metrics, including ARR. In developing this guidance, our management must make certain assumptions and judgments about our future performance. Some of those key assumptions relate to the impact of macroeconomic pressures on our business and the timing
20

and scope of economic recovery globally, which are inherently difficult to predict. While presented with numerical specificity, this guidance is necessarily speculative in nature, and is inherently subject to significant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions or economic conditions, some of which may change. This guidance, which inherently consists of forward-looking statements, is also qualified by, and subject to, assumptions, estimates and expectations as of the date given. Forward-looking statements are subject to a number of risks, uncertainties, assumptions and other factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by the forward-looking statements including the risks described in this Risk Factors section and in the Risk Factors section of our future SEC filings. It can be expected that some or all of the assumptions, estimates and expectations of any guidance we have furnished will not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release of such guidance.
Furthermore, analysts and investors may develop and publish their own projections of our business, which may form a consensus about our future performance. Our business results may vary significantly from such projections or that consensus due to a number of factors, many of which are outside of our control, including due to the global economic uncertainty and financial market conditions which could adversely affect our operations and operating results. Furthermore, if we make downward revisions of our previously announced guidance, or if our publicly announced guidance of future operating results fails to meet expectations of securities analysts, investors or other interested parties, the price of our common stock would decline.
If we are unable to maintain successful relationships with our channel partners, our business operations, financial results and growth prospects could be adversely affected.
Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We anticipate that we will continue to rely on these partners in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. For the years ended December 31, 2023, 2022 and 2021, we derived approximately 62%, 57% and 52%, respectively, of our revenue from sales of products and service offerings through channel partners, and the percentage of revenue derived from channel partners may increase in future periods. Our agreements with our channel partners are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or do not effectively market and sell our products and service offerings, our ability to grow our business and sell our products and service offerings, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and service offerings or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and service offerings or increased revenue.
If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.
We believe that maintaining and enhancing our brand identity is critical to our relationships with our customers and channel partners and to our ability to attract new customers and channel partners. The successful promotion of our brand will depend largely upon our marketing efforts, our ability to continue to offer high-quality offerings and our ability to successfully differentiate our offerings from those of our competitors. Our brand promotion activities may not be successful or yield increased revenues. In addition, independent industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services, our brand may be adversely affected.
Moreover, it may be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers and channel partners, all of which would adversely affect our business operations and financial results.
We are dependent on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.
Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. From time to time, there may be changes in our senior management team resulting from
21

the termination or departure of our executive officers and key employees. Our senior management and key employees are employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of our senior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations.
We use third-party software and data to operate certain functions of our business and deliver our offerings that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.
We use software vendors to operate certain critical functions of our business, including financial management, customer relationship management and human resource management. If we experience difficulties in implementing new software or if these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.
Additionally, we license third-party software and security and compliance data from various third parties to utilize in our solutions to deliver our offerings. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our offerings until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software could result in errors or defects in our products or cause our products to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.
Our technology alliance partnerships expose us to a range of business risks and uncertainties that could have a material adverse impact on our business and financial results.
We have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans, including with certain of our actual or potential competitors. For example, through these technology alliance partnerships, we integrate with certain third-party application program interfaces (“APIs”), which enhance our data collection capabilities in our customers’ IT environments. If these third parties no longer allow us to integrate with their APIs, or if we determine not to maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain potential customers. Technology alliance partnerships require significant coordination between the parties involved, particularly if a partner requires that we integrate its products with our products. Further, we have invested and will continue to invest significant time, money and resources to establish and maintain relationships with our technology alliance partners, but we have no assurance that any particular relationship will continue for any specific period of time, result in new offerings that we can effectively commercialize or result in enhancements to our existing offerings. In addition, while we believe that entering into technology alliance partnerships with certain of our actual or potential competitors is currently beneficial to our competitive position in the market, such partnerships may also give our competitors insight into our offerings that they may not otherwise have, thereby allowing them to compete more effectively against us.
If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.
We generate a portion of our revenue from our vulnerability management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our vulnerability management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council (the “PCI Council”), which apply to companies that process, transmit or store cardholder data. In addition, our vulnerability management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The foregoing and other state, federal and international legal and regulatory regimes may affect our customers’ requirements for, and demand for, our products and service offerings. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our
22

customers’ cybersecurity defense and compliance efforts, our customers may lose confidence in our products and could switch to products offered by our competitors or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.
In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and standards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.
A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.
Selling to government entities can be highly competitive, expensive and time consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our products and service offerings may also be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Government entities also have heightened sensitivity surrounding the purchase of cybersecurity solutions due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly-visible targets for cyber attacks. For example, the conflict in Ukraine and associated activities in Ukraine and Russia may increase the risk of cyberattacks on various types of infrastructure and operations, and the United States government has warned companies to be prepared for a significant increase in Russian cyberattacks in response to the sanctions on Russia. Accordingly, increasing sales of our products and service offerings to government entities may be more challenging than selling to commercial organizations. Further, in the course of providing our products and service offerings to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance. Additionally, in the United States, federal government agencies may promulgate regulations, and the President may issue executive orders, requiring federal contractors to adhere to different or additional requirements after a contract is signed. If we do not meet applicable requirements of law or contract, we could be subject to significant liability from our customers or regulators.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, for the years ended December 31, 2023, 2022 and 2021 we incurred 17%, 16% and 15%, respectively, of our expenses outside of the United States in foreign currencies, primarily the British pound sterling and euro, principally with respect to salaries and related personnel expenses associated with our sales and research and development operations. Additionally, for the years ended December 31, 2023, 2022 and 2021, 11%, 10% and 10%, respectively, of our revenue was generated in foreign currencies. Accordingly, changes in exchange rates may have an adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may fluctuate in the future, including as a result of geopolitical factors such as the Israel-Hamas conflict, which has impacted the exchange rate between the U.S. dollar and the Israeli New Shekel. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. We enter into forward contracts designated as cash flow hedges in order to mitigate our exposure to foreign currency fluctuations resulting from certain operating expenses denominated in certain foreign currencies. These forward contracts and other hedging strategies such as options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk in the future may not eliminate our exposure to foreign exchange fluctuations.
Risks Related to Intellectual Property, Litigation and Government Regulation
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Our success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.
23

We cannot assure you that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Rapid7,” “Nexpose” and “Metasploit” names and logos in the United States and certain other countries. We have registrations and/or pending applications for additional marks in the United States and other countries; however, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. While we have copyrights in our software, we do not typically register such copyrights with the United States Copyright Office. This failure to register the copyrights in our software may preclude us from obtaining statutory damages for infringement under certain circumstances. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot assure you that such third parties will maintain such software or continue to make it available.
In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could result in impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our failure to secure, protect and enforce our intellectual property rights could negatively affect our brand and adversely impact our business, operating results and financial condition.
Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.
Patent and other intellectual property disputes are common in our industry. We are periodically involved in disputes brought by non-practicing entities alleging patent infringement and we may, from time to time, be involved in other such disputes in the ordinary course of our business. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. Third parties may also assert claims against our customers or channel partners, whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
24

expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and
indemnify our partners and other third parties.
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore, our competitors may have access to the same technology licensed to us.
Any of the foregoing events could seriously harm our business, financial condition and results of operations.
We may not be successful in our initiatives that utilize AI, which could adversely affect our business, reputation,
or financial results.
There are significant risks involved in utilizing AI and no assurance can be provided that the usage of such AI will enhance our business or assist our business in being more efficient or profitable. Known risks of AI currently include accuracy, bias, toxicity, intellectual property infringement or misappropriation, data privacy and cybersecurity, and data provenance. In addition, AI may have errors or inadequacies that are not easily detectable. For example, certain AI may utilize historical data in its analytics. To the extent that such historical data is not indicative of the current or future conditions, or the AI fails to filter biases in the underlying data or collection methods, the usage of AI may lead us to make determinations on behalf of our business, recommendations to our clients, or developments to our products and services, in each case, that have an adverse effect on our business and financial results. AI may also be subject to data herding and interconnectedness (i.e., multiple market participants utilizing the same data), which may adversely impact our business. If the AI we utilize is incorrectly designed or utilizes training data that is overbroad, incomplete, inadequate or biased in some way, our use of AI may inadvertently reduce our efficiency or cause unintentional or unexpected outputs that are incorrect, do not match our business goals, do not comply with our policies or interfere with the performance of our products and services, business and reputation.
AI is complex and subject to a rapidly evolving regulatory landscape. The use of AI may increase intellectual property, data privacy and cybersecurity, operational and technological risks, and our AI-related efforts may result in new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results or subject us to legal liability. In particular, the technologies underlying AI and their use cases are subject to a variety of laws, including intellectual property, data privacy and cybersecurity, consumer protection and equal opportunity laws. If we do not have sufficient rights to use the data on which AI relies, we may incur liability through the violation of such laws, third-party privacy or other rights or contracts to which we are a party. Changes in laws, rules, directives and regulations governing the use of AI may adversely affect the ability of our business to develop and use AI. Any of these factors could adversely affect our business, reputation, or financial results or subject us to legal liability.
Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.
Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, the GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our applications and to make our applications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the event that portions of our applications are determined to be subject to an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary
25

software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in our products failing to provide our customers with the security they expect. Likewise, some open source projects have known security and other vulnerabilities and architecture instabilities, or are otherwise subject to security attacks due to their wide availability, and are provided on an “as-is” basis. Any of these events could have a material adverse effect on our business, operating results and financial condition.
We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.
Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in compliance with these laws and regulations. Although we take precautions to prevent our products from being provided in violation of these laws, our products could be provided inadvertently in violation of such laws, despite the precautions we take. Compliance with these laws and regulations is complex, and if we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers. For example, in response to the Russia-Ukraine war, countries such as Canada, the United Kingdom, the European Union, the United States and other countries and organizations have implemented new and stricter sanctions and export controls against officials, individuals, regions, and industries in Russia, Ukraine and Belarus. Each country’s potential response to such sanctions, export controls, tensions, and military actions could damage or disrupt international commerce and the global economy and could have a material adverse effect on our business and results of operations or impact our ability to continue to operate in affected regions.
A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.
We also incorporate encryption technology into our products. These encryption products may be exported outside of the United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.
Our ability to use net operating losses to offset future taxable income may be subject to certain limitations.
As of December 31, 2023, we had federal and state net operating loss carryforwards (“NOLs”), of $346.5 million and $293.5 million, respectively, available to offset future taxable income, a portion of which expires in various years beginning in 2024 if not utilized. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Under the provisions of the Internal Revenue Code (the “IRC”), substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. IRC Section 382 imposes limitations on a company’s ability to use NOLs if a company experiences a more-than-50-percentage point ownership change over a three-year testing period. Based upon our historical analysis, we determined that although a limitation on our historical NOLs exists, we do not expect this limitation to impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occur in the future, our ability to use our NOLs may be further limited. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. If we are limited in our ability to use our NOLs in future years in which we have taxable income, we will pay more taxes than if we were able to fully utilize our NOLs. This could adversely affect our operating results, cash balances and the market price of our common stock.
We may have exposure to greater than anticipated tax liabilities.
26

We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. We generally conduct our international operations through wholly-owned subsidiaries and report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are and will continue to be subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes, and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made.
Risks Related to Data Privacy and Cybersecurity
Real or perceived failures, errors or defects in our solutions could adversely affect our brand and reputation, which could have an adverse effect on our business and results of operations.
If our products or service offerings fail to detect vulnerabilities in our customers’ cybersecurity infrastructure, or if our products or service offerings fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or service offerings will detect all vulnerabilities and threats, especially in light of the rapidly changing security landscape to which we must respond, including the constantly evolving techniques used by attackers to access or sabotage data. For example, the conflict in Ukraine and associated activities in Ukraine and Russia may increase the risk of cyberattacks on various types of infrastructure and operations, and the United States government has warned companies to be prepared for a significant increase in Russian cyberattacks in response to the sanctions on Russia. If we fail to update our solutions in a timely or effective manner to respond to these threats, our customers could experience security breaches. Many federal, state and foreign governments have enacted laws requiring companies to notify individuals of data security breaches involving their personal data. These mandatory disclosures regarding a security breach often lead to widespread negative publicity, and any association of us with such publicity may cause our customers to lose confidence in the effectiveness of our solutions. An actual or perceived security breach or theft of sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or service offerings, could adversely affect the market’s perception of our offerings and subject us to legal claims.
Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. We expect that the continued contributions from these third parties will both enhance the robustness of Metasploit and also support our sales and marketing efforts. However, to the extent that the information from these third parties is inaccurate or malicious, the potential for false indications of security vulnerabilities and susceptibility to attack increases. These false positives, while typical in the industry, may impair the perceived reliability of our offerings and may therefore adversely impact market acceptance of our products and service offerings and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem. Further, to the extent that our community of third parties is reduced in size or participants become less active, we may lose valuable insight into the dynamic threat landscape and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.
Our products may also contain undetected errors or defects. Errors or defects may be more likely when a product is first introduced or as new versions are released, or when we introduce an acquired company's products. We have experienced these errors or defects in the past in connection with new products, acquired products and product upgrades and we expect that these errors or defects will be found from time to time in the future in new, acquired or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities or threats, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ businesses and could hurt our reputation. If our products or service offerings fail to detect vulnerabilities or threats for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results. Limitation of liability provisions in our standard terms and conditions and our other agreements may not
27

adequately or effectively protect us from any claims related to errors or defects in our solutions, including as a result of federal, state or local laws or ordinances or unfavorable judicial decisions in the United States or other countries.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors, capacity constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.
We utilize third-party data centers located in North America, Europe, Australia and Asia, in addition to operating and maintaining certain elements of our own network infrastructure. Some elements of our complex infrastructure are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. More specifically, certain of our products, in particular our cloud-based products, are hosted on cloud providers such as Amazon Web Services, which provides us with computing and storage capacity. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure and website.
Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems or third-party systems on which we rely could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition, and operating results.
Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience additional costs or downtime or delays as we transition our operations.
Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, due to our inability to meet stated service level commitments, subject us to potential liability and cause customers to not renew their purchases or our products.
If we or our third party service providers experience a security breach or unauthorized parties otherwise obtain access to our customers’ data, our reputation may be harmed, demand for our solutions may be reduced and we may incur significant liabilities.
We sell cybersecurity and data analytics products. As a result, we have been and will continue to be a target of cyber attacks designed to impede the performance of our products, penetrate our network security or the security of our cloud platform or our internal systems, or that of our customers, misappropriate proprietary information and/or cause interruptions to our services. For example, because Metasploit serves as an introduction to hacking for many individuals, a successful cyber attack on us may be perceived as a victory for the cyber attacker, thereby increasing the likelihood that we may be a target of cyber attacks, even absent financial motives.
We also process, store and transmit our own data as part of our business and operations, including personal, confidential or proprietary information. As many of our customers and employees will continue to work remotely, we expect there will continue to be an increased amount of such information that is stored in our solutions, which increases the exposure and risk of attempted security breaches, cyberattacks and other malicious internet-based activity. Additionally, we make use of third-party technology and systems for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, credit card processing, customer relationship management, human resources services and other functions.
Computer malware, ransomware, cyber viruses, social engineering (phishing attacks), supply-chain attacks, denial of service or other attacks, employee theft or misuse and increasingly sophisticated network attacks have become more prevalent in our industry, particularly against cloud services. In particular, ransomware attacks, including by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. While extortion payments may alleviate the negative impact of a ransomware attack, we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Similarly, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or
28

disruption to our information technology systems (including our products) or the third-party information technology systems that support us and our services. Such attacks may also include exploitation of vulnerabilities in third party or open source software code that may be incorporated into our own or our customers’ or supplier’s systems. Further, if our systems or those of our third-party service providers are breached as a result of third-party action, employee error or misconduct, attackers could learn critical information about how our products operate to help protect our customers’ IT infrastructures from cyber risk, thereby making our customers more vulnerable to cyber attacks. While we maintain measures designed to protect the integrity, confidentiality and security of our data, our security measures could fail and those of our third-party service providers have failed and could fail, any of which could result in unauthorized access to or disclosure, modification, misuse, loss or destruction of such data or financial loss.
Additionally, the growth in state sponsored cyber activity, including those actions taken in connections with the Russia-Ukraine war, demonstrates the increasing sophistication and evolution of cyber threats. As a result, we may be unable to anticipate the techniques used or implement adequate measures to prevent an electronic intrusion into our customers through our cloud platform or to prevent breaches and other security incidents affecting our cloud platform, internal networks, systems or data. Further, once identified, we may be unable to remediate or otherwise respond to a breach or other incident in a timely manner. Actual or perceived security breaches of our cloud platform could result in actual or perceived breaches of our customers’ networks and systems.
Since our business is focused on providing reliable security solutions to our customers, a security breach or other security incident, or the perception that one has occurred, could result in a loss of customer confidence in the security of our offerings and damage to our brand, reduce the demand for our offerings, disrupt normal business operations, require us to spend material resources to investigate or correct the breach and to prevent future security breaches and incidents, expose us to legal liabilities, including litigation, regulatory enforcement, and indemnity obligations, and adversely affect our revenues and operating results. These risks may increase as we continue to grow the number and scale of our cloud services, and process, store, and transmit increasing amounts of data.
Additionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, that insurance will cover any indemnification claims against us relating to any incident, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.
If Metasploit were to be used by attackers to exploit vulnerabilities in the cybersecurity infrastructures of third parties, our reputation and business could be harmed.
Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cybersecurity programs, Metasploit has in the past and may in the future be used to exploit vulnerabilities in the cybersecurity infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes. Any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our offerings. Further, the identification of new exploits and vulnerabilities by the Metasploit community may enhance the knowledge base of cyber attackers or enable them to undertake new forms of attacks. If any of the foregoing were to occur, we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.
Because our products collect and store user and related information, domestic and international privacy and cybersecurity concerns, and other laws and regulations, could have a material adverse effect on our business.
We, and our customers, are subject to a number of stringent and changing obligations in domestic and international laws, regulations, guidance, industry standards, external and internal policies and contracts and other obligations that address a range of issues including data privacy and cybersecurity, and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cybersecurity issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. This creates some uncertainty as to the effective legal frameworks and our obligations may be subject to differing applications and interpretations, which may be inconsistent or in conflict among jurisdictions. Preparation for and compliance with these obligations requires us to devote significant resources (including, without limitation, financial and time-related resources). These obligations may necessitate changes to our business including our information technologies, systems and practices and to those of any third parties that process personal data on our behalf. Although we strive to comply with all applicable data privacy and security obligations, we may at times fail (or be perceived to have failed) to do so. Moreover, despite our efforts, our personnel or third parties upon whom we rely may fail to comply with such obligations. If we (or third
29

parties upon whom we rely) fail, or are perceived to have failed, to address and comply with data privacy and security obligations, we could face significant consequences. These consequences may include but are not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections and similar consequences); litigation (including class-related claims); additional reporting requirements and oversight; bans on processing personal data; orders to destroy and not to use personal data; and imprisonment of company officials. Any of these events could have a material adverse effect on our reputation and our business, and financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business or operations; inability to process personal data; inability to operate in specific jurisdictions; limitations in our ability to develop our products and professional services; management's time and other resource expenditures; adverse publicity; and revisions to our operations.
In the United States, federal, state and local governments have enacted numerous data privacy and cybersecurity laws (including data breach notification laws, personal data privacy laws and consumer protection laws). For example, at the federal level, we are subject to the rules and regulations promulgated under the authority of the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy and cybersecurity. At the state level, the California Consumer Privacy Act of 2018 (as updated by the California Privacy Rights Act, collectively, “CCPA”) imposes obligations on businesses, service providers, third parties and contractors to which it applies. These obligations include, but are not limited to, providing specific disclosures in privacy notices and affording California residents certain rights related to their personal information. The CCPA allows for statutory fines for non-compliance (up to $7,500 per violation). Other states have enacted, or propose to enact, their own comprehensive data privacy laws and, in addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to individuals whose personal information has been disclosed as a result of a data breach. If we become subject to new data privacy or security laws, the risk of enforcement action against us could increase because we may become subject to additional obligations, and the number of individuals or entities that can initiate actions against us may increase (including individuals, via a private right of action, and state actors).
Internationally, virtually every jurisdiction in which we operate has established its own data security and cyberprivacy legal frameworks with which we, and/or our customers, must comply, including the European Union's General Data Protection Regulation, 2016/679 (“GDPR”), laws implemented by European Union (“EU”) member states and, following the withdrawal of the United Kingdom (“UK”) from the EU, the UK General Data Protection Regulation (i.e. a version of the GDPR as implemented into UK law) (“UK GDPR,” and collectively, the “European Data Protection Laws”). The UK’s decision to leave the EU and ongoing developments in the UK have created uncertainty with regard to data protection regulation in the UK. Going forward, there may be an increasing scope for divergence in the application, interpretation and enforcement of data protection laws as between the UK and EU. The European Data Protection Laws present significantly greater risks, compliance burdens and costs for companies with users and operations in the European Economic Area (“EEA”) and UK. Under the GDPR, fines of up to 20 million euros or up to 4% of the annual global turnover of the infringer, whichever is greater, could be imposed for significant non-compliance and similar levels of fines could also be imposed under the UK GDPR.
The European Data Protection Laws are broad in their application and apply when we do business with EU- and UK-based customers and when our U.S.-based customers collect, use and otherwise process personal data that originates from individuals residing in the EEA and UK. They also apply to transfers of personal data between us and our EU- and UK-based subsidiaries, including employee information. Further, many U.S. federal and state and other foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. Non-compliance with these laws could result in penalties or significant legal liability. We could be adversely affected if legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations or financial condition.
In addition, certain jurisdictions have enacted data localization laws and cross-border personal data transfer laws. For example, the European Data Protection Laws impose strict rules on the transfer of personal data from the EEA, the UK and Switzerland (collectively, “Europe”), to so-called third countries, including the United States, unless the parties to the transfer have implemented specific safeguards to protect the transferred personal data. Although there are legal mechanisms to allow for the transfer of personal data from Europe to the United States, uncertainty remains about compliance and such mechanisms may not be available or applicable with respect to our personal data processing activities. For example, the “Standard Contractual Clauses” (“SCCs”) that are designed to be a valid mechanism by which parties can transfer personal data out of Europe to jurisdictions that are not found to provide an adequate level of protection, must be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country. Specifically, the parties to the cross-border personal data transfer must evaluate the importing jurisdiction’s laws and implement supplemental security measures as necessary to protect the at-issue personal data. Additionally, in July 2023, the European Commission adopted an adequacy decision concluding that the United States ensures an adequate level of protection for personal data transferred from Europe under the EU-U.S. Data Privacy Framework (followed on October 2023 with the adoption of an adequacy decision in the UK for the UK-U.S. Data Bridge). However, such adequacy decisions do not foreclose, and are likely to face, future legal challenges, and it is likely that there will continue to be some uncertainty regarding the mechanisms by which parties transfer personal data out of Europe to jurisdictions such as the United States. If we cannot implement and maintain a valid mechanism for cross-border personal data transfers, we
30

may face increased exposure to regulatory actions, substantial fines and injunctions against processing (including prohibitions on transferring personal data out of the EU and UK). This may also reduce demand for our services from companies subject to European Data Protection Laws. Loss of our ability to import personal data from Europe may also require us to increase our data processing capabilities in Europe at significant expense.
Moreover, while we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, rules regulations and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. If our public statements about our use, collection, disclosure and other processing of personal information, whether made through our privacy policies, information provided on our website, press statements or otherwise, are alleged to be deceptive, unfair or misrepresentative of our actual practices, we may be subject to potential government or legal investigation or action, including by the Federal Trade Commission or applicable state attorneys general.
Our compliance efforts are further complicated by the fact that data privacy and security laws, rules, regulations and standards around the world are rapidly evolving, may be subject to uncertain or inconsistent interpretations and enforcement, and may conflict among various jurisdictions. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, rules, regulations, standards, certifications or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations.
Organizations may be reluctant to purchase our cloud-based offerings due to the actual or perceived vulnerability of cloud solutions.
Some organizations have been reluctant to use cloud solutions for cybersecurity, such as our InsightVM, InsightIDR, InsightAppSec, InsightConnect, InsightCloudSec and Threat Intelligence, because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole may be negatively impacted, which could harm our business.
Risks Related to our Common Stock
The market price of our common stock has been and is likely to continue to be volatile.
The market price of our common stock may be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways. Since shares of our common stock were sold in our initial public offering (“IPO”), in July 2015 at a price of $16.00 per share, our stock price has ranged from an intraday low of $9.05 to an intraday high of $145.00 through February 16, 2024. Factors that may affect the market price of our common stock include:
actual or anticipated fluctuations in our financial condition and operating results;
variance in our financial performance from expectations of securities analysts;
changes in our projected operating and financial results;
changes in the prices of our products and service offerings;
changes in laws or regulations applicable to our products or service offerings;
announcements by us or our competitors of significant business developments, acquisitions or new offerings;
our involvement in any litigation or investigations by regulators;
our sale of our common stock or other securities in the future;
changes in our board of directors, senior management or key personnel;
trading volume of our common stock;
price and volume fluctuations in the overall stock market;
31

effects of inflation and increased interest rates;
changes in the anticipated future size and growth rate of our market;
sales of shares of our common stock by us or our stockholders, including sales and purchases of any common stock issued upon conversion of our convertible senior notes; and
general economic, regulatory and market conditions and/or market speculation or rumors.
Recently, the stock markets, and in particular the market on which our common stock is listed, have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies due to, among other factors, the actions of market participants or other actions outside of our control, including general market volatility. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial costs and divert our management’s attention.
If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.
The trading market for our common stock depends, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.
We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.
We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Future sales of our common stock or equity-linked securities in the public market could lower the market price for our common stock and adversely impact the trading price of the Notes.
In the future, we may sell additional shares of our common stock or equity-linked securities to raise capital. In addition, a substantial number of shares of our common stock is reserved for issuance upon the exercise of stock options, settlement of other equity incentive awards and upon conversion of the 2025 Notes, 2027 Notes and 2029 Notes (the “Notes”). The indentures for the Notes do not restrict our ability to issue additional common stock or equity-linked securities in the future. We cannot predict the size of future issuances or the effect, if any, that they may have on the market price for our common stock. The issuance and sale of substantial amounts of common stock or equity-linked securities, or the perception that such issuances and sales may occur, could adversely affect the trading price of the Notes and the market price of our common stock and impair our ability to raise capital through the sale of additional equity or equity-linked securities.
Risks Related to our Indebtedness
We have a significant amount of debt that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur additional debt in the future, which may adversely affect our operations and financial results. We may not have sufficient cash flow from our business to pay our substantial debt when due.
In May 2020, we issued $230.0 million aggregate principal amount of 2025 Notes, in March 2021, we issued $600.0 million aggregate principal amount of 2027 Notes and in September 2023, we issued $300.0 million aggregate principal amount of 2029 Notes. In September 2023, concurrently with the issuance of the 2029 Notes, we used $201.0 million of the proceeds from the issuance of the 2029 Notes to repurchase and retire $184.0 million aggregate principal amount of the 2025 Notes. In addition, we may also incur indebtedness under our revolving credit facility. Our indebtedness may:
limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes;
limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes;
require us to use a substantial portion of our cash flow from operations to make debt service payments;
32

limit our flexibility to plan for, or react to, changes in our business and industry;
place us at a competitive disadvantage compared to our less leveraged competitors; and
increase our vulnerability to the impact of adverse economic and industry conditions.
Further, the indentures governing the Notes do not restrict our ability to incur additional indebtedness, secure existing or future debt, recapitalize our existing or future debt or take a number of other actions that could intensify the risks discussed above and below. Further, we and our subsidiaries may incur substantial additional indebtedness in the future, subject to the restrictions contained in our revolving credit facility and any future debt instruments existing at the time, some of which may be secured indebtedness. While our revolving credit facility restricts our ability to incur additional indebtedness, if our revolving credit facility is terminated, we may not be subject to such restriction under the terms of such indebtedness.
Our ability to pay our debt when due or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. In addition, any required repurchase of the Notes for cash as a result of a fundamental change or voluntary redemption (in each case, pursuant to the terms of the Notes) would lower our current cash on hand such that we would not have that cash available to fund operations. If we are unable to generate sufficient cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring our debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations.
In addition, our revolving credit facility contains, and any future additional indebtedness that we may incur may contain, financial and other restrictive covenants that limit our ability to operate our business, raise capital, pay dividends and/or make payments under our other indebtedness. If we fail to comply with these covenants or to make payments under our indebtedness when due, then we would be in default under that indebtedness, which could, in turn, result in that and our other indebtedness becoming immediately payable in full. Any such event of default under our revolving credit facility would give the lenders the right to terminate their commitments to provide additional loans under our revolving credit facility and to declare any and all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. In addition, the lenders under our revolving credit facility would have the right to proceed against the collateral in which we granted a security interest to them, which consists of substantially all our assets. If the debt under our revolving credit facility were to be accelerated, we may not have sufficient cash or be able to borrow sufficient funds to refinance the debt or sell sufficient assets to repay the debt, which could immediately materially and adversely affect our cash flows, business, results of operations, financial condition and our ability to make payments under our indebtedness, including the Notes, when due. Further, the terms of any new or additional financing may be on terms that are more restrictive or on terms that are less desirable to us.
The conditional conversion feature of the Notes, if triggered, may adversely affect our financial condition and operating results.
In the event the conditional conversion feature of the Notes is triggered, holders of the Notes will be entitled to convert their Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation in cash, which could adversely affect our liquidity. As of December 31, 2023, the 2025 Notes, the 2027 Notes and the 2029 Notes were not convertible at the option of the holder. Whether the Notes will be convertible following the year ended December 31, 2023, will depend on the future satisfaction of a conversion condition. In addition, even if holders of Notes do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.
The capped call transactions may affect the value of the Notes and our common stock.
In connection with the issuance of the 2023 Notes, the 2025 Notes, the 2027 Notes and the 2029 Notes, we entered into capped call transactions with certain counterparties (the “Capped Calls”). The Capped Calls cover, subject to customary adjustments, the number of shares of our common stock initially underlying each of the 2023 Notes, the 2025 Notes, the 2027 Notes and the 2029 Notes. The Capped Calls are expected to offset the potential dilution as a result of conversion of such Notes. In connection with establishing their initial hedge of the capped call transactions, the counterparties or their respective affiliates entered into various derivative transactions with respect to our common stock concurrently with or shortly after the pricings of the respective Notes, including with certain investors in the applicable Notes. The counterparties and/or or their respective affiliates may modify or unwind their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the applicable Notes (and are likely to do so on each exercise date of the capped call transactions, which are
33

scheduled to occur during the applicable observation period relating to any conversion of the 2025 Notes on or after November 1, 2024, relating to any conversion of the 2027 Notes on or after December 15, 2026 or relating to any conversion of the 2029 Notes on or after December 15, 2028, in each case that is not in connection with a redemption). We redeemed the 2023 Notes in November 2021. As described elsewhere in this Annual Report on Form 10-K, the 2023 Capped Calls were not redeemed with the redemption of the 2023 Notes but were cash-settled via written notice provided to the counterparties on May 31, 2023; see the section entitled “Capped Calls” under Note 11 to our consolidated financial statements and “Management's Discussion and Analysis of Financial Condition and Results of Operations” included elsewhere in this report for information regarding our cash settlement of the 2023 Capped Calls. We cannot make any prediction as to the direction or magnitude of any potential effect that the transactions described above may have on the prices of the Notes or the shares of our common stock. Any of these activities could adversely affect the value of the Notes and our common stock.
We are subject to counterparty risk with respect to the capped call transactions.
The option counterparties are financial institutions, and we will be subject to the risk that one or more of the option counterparties may default or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Calls. Our exposure to the credit risk of the option counterparties will not be secured by any collateral. Recent global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under such transaction. Our exposure will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. In addition, upon a default or other failure to perform, or a termination of obligations, by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of the option counterparties.
Conversion of the Notes will dilute the ownership interest of existing stockholders, including holders who had previously converted their Notes, or may otherwise depress the price of our common stock.
The conversion of some or all of the Notes will dilute the ownership interests of existing stockholders to the extent we deliver shares of our common stock upon conversion of any of the Notes. As disclosed in Note 11, Debt, as of December 31, 2023 the Notes were not convertible at the option of the holder. Any sales in the public market of the common stock issuable upon such conversion could adversely affect prevailing market prices of our common stock. In addition, the existence of the Notes may encourage short selling by market participants because the conversion of the Notes could be used to satisfy short positions, or anticipated conversion of the Notes into shares of our common stock could depress the price of our common stock.
General Risks
Failure to comply with governmental laws and regulations could harm our business.
Our business is subject to regulation by various federal, state, local and foreign governments. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. These laws and regulations may also impact our innovation and business drivers in developing new and emerging technologies, including those related to AI and machine learning. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.
Our business is subject to the risks of climate change, pandemics, earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.
A significant public health crisis, epidemic or pandemic, or climate change, or a natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. In addition, public health crises, climate change, or natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by any of the events discussed above, our ability to provide our products or service offerings to customers could be delayed.
In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war (including the Russia-Ukraine war and the Israel-Hamas conflict), terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a public health crisis, climate change, natural disaster, power failure, war (including the Russia-Ukraine war and the Israel-Hamas conflict) or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated
34

problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future growth of our business, that may result from interruptions in our service as a result of system failures.
In addition, while the long-term effects of climate change on the global economy and the technology industry in particular are unclear, we recognize that there are inherent climate related risks wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. Climate-related events, including the increasing frequency of extreme weather events and their impact on critical infrastructure in the United States and elsewhere, have the potential to disrupt our business, our third-party suppliers, and/or the business of our customers, and may cause us to experience higher attrition, losses and additional costs to maintain and resume operations. Transitional climate change risks that result from a shift to a low-carbon economy may subject us to increased regulations, reporting requirements, standards, or expectations regarding the environmental impacts of our business and untimely or inaccurate disclosure could adversely affect our reputation, business or financial performance.
All of the aforementioned risks may be exacerbated if our disaster recovery plans or the disaster recovery plans established for our third-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our business, financial condition and results of operations could be adversely affected.
We are obligated to maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.
We have been and are required, pursuant to Section 404 of the Sarbanes-Oxley Act (“Section 404”), to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal controls are effective. While we have established certain procedures and control over our financial reporting processes, we cannot assure you that these efforts will prevent restatements of our financial statements in the future.
Our independent registered public accounting firm is also required, pursuant to Section 404, to report annually on the effectiveness of our internal control over financial reporting. This assessment is required to include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. For future reporting periods, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. We may not be able to remediate any future material weaknesses, or to complete our evaluation, testing and any required remediation in a timely fashion.
If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion that our internal controls over financial reporting are effective, investors could lose confidence in the accuracy and completeness of our financial reports, which could cause the price of our common stock to decline, and we could be subject to sanctions or investigations by regulatory authorities, including the SEC and Nasdaq. Failure to remediate any material weakness in our internal control over financial reporting, or to maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
Changes in financial accounting standards may adversely impact our reported results of operations.
A change in accounting standards or practices could adversely affect our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may adversely affect our operating results.
We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.
We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it
35

more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all.
Market conditions and changing circumstances, some of which may be beyond our control, could impair our ability to access our existing cash, cash equivalents and investments. We regularly maintain domestic cash deposits at FDIC insured banks which exceed the FDIC insured limits, and, as a result, there is a concentration of risk related to amounts on deposit in excess of FDIC insurance coverage. In addition, we maintain cash deposits in foreign banks where we operate, some of which are not insured or are only partially insured by the FDIC or other similar agencies. If banks and financial institutions with whom we have banking relationships enter receivership or become insolvent in the future, we may be unable to access, and we may lose, some or all of our existing cash, cash equivalents and investments to the extent those funds are not insured or otherwise protected by the FDIC. Any delay in our ability to access our cash, cash equivalents and investments (or the loss of some or all of such funds) could have a material adverse effect on our operations and cause us to need to seek additional capital sooner than planned which could only be available at a higher cost or not at all.
Although we expect that current cash and cash equivalent balances and cash flows that are generated from operations will be sufficient to meet our domestic and international working capital needs and other capital and liquidity requirements for at least the next 12 months, if we are unable to obtain adequate financing or financing on terms satisfactory to us if and when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Anti-takeover provisions in our charter documents, our indenture and under Delaware law could make acquiring us more difficult, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change in control or changes in our management. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:
authorize our board of directors to issue preferred stock without further stockholder action and with voting liquidation, dividend and other rights superior to our common stock;
require that any action to be taken by our stockholders be effected at a duly called annual or special meeting and not by written consent, and limit the ability of our stockholders to call special meetings;
establish an advance notice procedure for stockholder proposals to be brought before an annual meeting, including proposed nominations of persons for director nominees;
establish that subsequent to the 2023 annual meeting, each director will hold office for a term of one year;
require the approval of the holders of a majority of the voting power of all of the then-outstanding shares of capital stock of the Company entitled to vote generally at an election of directors, voting together as a single class, to adopt, amend or repeal our amended and restated bylaws or amend or repeal the provisions of our amended and restated certificate of incorporation regarding the election and removal of directors and the ability of stockholders to take action by written consent or call a special meeting;
prohibit cumulative voting in the election of directors; and
provide that vacancies on our board of directors may be filled only by a majority of directors then in office, even though less than a quorum.
These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, who are responsible for appointing the members of our management.
If a fundamental change occurs prior to the maturity date of the Notes, holders of the Notes will have the right, at their option, to require us to repurchase all or a portion of their Notes. In addition, if a “make-whole fundamental change” (as defined in the indentures) occurs prior the maturity date, we will in some cases be required to increase the conversion rate of the Notes for a holder that elects to convert its Notes in connection with such make-whole fundamental change.
Furthermore, the indentures governing the Notes prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Notes. These and other provisions in the indentures could deter or prevent a third party from acquiring us even when the acquisition may be favorable to our stockholders.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became
36

an “interested” stockholder. Any of the foregoing provisions could limit the opportunity for our stockholders to receive a premium for their shares of our common stock and could also affect the price that some investors are willing to pay for our common stock.
Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Pursuant to our amended and restated certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provision. The forum selection clause in our amended and restated certificate of incorporation may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Item 1B. Unresolved Staff Comments.
None.
Item 1C. Cybersecurity.
At Rapid7, cybersecurity risk management is integrated into our overall enterprise risk management program and is one of the pillars of our broader cybersecurity program. Our cybersecurity risk management program is designed based on prevailing security standards and controls, such as NIST-800 and ISO 27001, and to continuously evaluate cybersecurity risks in alignment with our business objectives and operational needs. Our information security team manages a framework for handling both information security risk management and operational cybersecurity threats and incidents, including those associated with the use of products and services provided by third-party service providers, suppliers, and vendors. This framework includes steps for assessing the severity of a cybersecurity threat or incident, identifying the source of such cybersecurity threat or incident (including whether such cybersecurity threat or incident is associated with a third-party service provider, supplier, or vendor), implementing cybersecurity countermeasures and mitigations and an escalation path for informing management, the audit committee of the board of directors (the "Audit Committee"), and our full board of directors (the "Board") of cybersecurity threats, incidents and risks.
Recognizing the complexity and evolving nature of cybersecurity threats, incidents and risks, we engage with a range of third-party experts, including cybersecurity penetration testers, consultants, and auditors in evaluating and supporting our risk management systems. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.
Our cybersecurity program, which is managed by our information security team, includes:
efforts to comply with prevailing cybersecurity standards;
regular risk assessments and annual penetration tests designed to help identify potential cybersecurity risks to our critical systems, networks, products, services, and our broader enterprise information technology environment;
a cybersecurity incident response plan and procedures for responding to cybersecurity threats and incidents;
a security operations team responsible for detection of, and response to, cybersecurity threats and incidents;
a third-party risk management process for third-party service providers, suppliers, and vendors; and
annual cybersecurity awareness training of our employees, including senior management.
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity risk management. Our Audit Committee consists of Board members with a diversity of expertise in risk management, technology, finance, and cybersecurity, including oversight of security teams. The Audit Committee is responsible for overseeing that management has processes in place designed to identify, assess and manage cybersecurity risks, including mitigation and remediation of cybersecurity threats and incidents. The Audit Committee also reports on the cybersecurity program to our Board.
Management is responsible for identifying, assessing and managing material cybersecurity risks on an ongoing basis, establishing processes designed to ensure that potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation and remediation measures, and maintaining cybersecurity programs. Our cybersecurity programs are under the
37

direction of our Chief Security Officer (“CSO”), who receives reports from our information security team and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. Our CSO and dedicated personnel are certified and experienced information systems security professionals and information security managers with decades of experience and industry certifications. Management, including the CSO and our information security team, regularly update the Audit Committee on the Company’s cybersecurity program, including cybersecurity vulnerabilities, risk, threats and incidents, and developments in the cybersecurity risk landscape.
Despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity incident. While we have implemented a risk management process designed to mitigate cybersecurity risks that arise from utilizing third-party service providers, suppliers, and vendors, our control over and ability to monitor the security posture of third parties with whom we do business remains limited and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on our business from such compromise or failure. For additional information about these risks, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.
Item 2. Properties.
Our corporate headquarters occupy approximately 147,000 square feet in Boston, Massachusetts under operating leases that expire in November 2029. This excludes approximately 67,000 square feet of certain idle office space that was impaired in 2023. Refer to Note 12, Leases, for further information on the impairment of long-lived assets. We have additional U.S. offices including Arlington, Virginia, Austin, Texas, and Tampa, Florida. We also lease various international offices including in Belfast, Northern Ireland; Czech Republic; Dublin and Galway, Ireland; Germany; Melbourne, Australia; Reading, United Kingdom; Tel Aviv, Israel; and Singapore.
We believe that our current facilities are suitable and adequate to meet our current needs. We intend to add new facilities or expand existing facilities as we add employees, and we believe that suitable additional or substitute space will be available as needed to accommodate any such expansion of our operations.
Item 3. Legal Proceedings.
From time to time, we are a party to litigation or subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business, financial condition or results of operations. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
Item 4. Mine Safety Disclosures.
Not applicable.
38

PART II
Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.
Market Information
Our common stock is listed on the Nasdaq Global Market under the symbol “RPD.”
As of December 31, 2023, there were 33 holders of record of our common stock, including Cede & Co., a nominee for The Depository Trust Company (“DTC”), which holds shares of our common stock on behalf of an indeterminate number of beneficial owners. All of the shares of common stock held by brokerage firms, banks and other financial institutions as nominees for beneficial owners are deposited into participant accounts at DTC, and are considered to be held of record by Cede & Co. as one stockholder. Because many of our shares are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.
Stock Performance Graph
The following shall not be deemed incorporated by reference into any of our other filings under the Securities Exchange Act of 1934, as amended, or the Securities Act of 1933, as amended, except to the extent we specifically incorporate it by reference into such filings.
The following graph shows a comparison from December 31, 2018 through December 31, 2023 of the cumulative total return for an investment of $100 in our common stock, the Nasdaq Global Market and the Nasdaq Computer Index. Data for the Nasdaq Global Market and the Nasdaq Computer Index assume reinvestment of dividends.
The comparisons in the graph below are based upon historical data and are not indicative of, nor intended to forecast, future performance of our common stock.
Stock Performance Graph 2023 jpg.jpg



39

December 31,
2018
December 31,
2019
December 31,
2020
December 31,
2021
December 31,
2022
December 31,
2023
Rapid7, Inc.$100.00 $179.78 $289.35 $377.70 $109.05 $183.25 
Nasdaq Global Market Composite100.00 133.93 197.79 146.70 69.59 68.16 
Nasdaq Computer100.00 148.27 233.26 296.23 192.48 315.60 
Recent Sales of Unregistered Securities
None.
Use of Proceeds from Initial Public Offering of Common Stock
None.
Purchase of Equity Securities by the Issuer and Affiliated Purchasers
None.
Securities Authorized for Issuance Under Equity Compensation Plans
Information about securities authorized for issuance under our equity compensation plan is incorporated herein by reference to Item 12 of Part III of this Annual Report on Form 10-K.
Item 6. [Reserved].


40

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations.
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion contains forward-looking statements that reflect our plans, estimates and beliefs. Our actual results could differ materially from those contained in or implied by any forward-looking statements. Factors that could cause or contribute to these differences include those under “Risk Factors” included in Part I, Item 1A or in other parts of this Annual Report on Form 10-K.
Overview
Rapid7 is a global cybersecurity software and services provider on a mission to offer customers greater clarity and control of their attack surface through our comprehensive and consolidated security offerings. For more than twenty years, Rapid7 has partnered with customers across the globe representing a diverse range of industries and sizes to improve the efficacy and productivity of their security operations (“SecOps”). In today's rapidly evolving IT environment, customers are encountering escalating challenges due to the proliferation of cyberattacks leveraging artificial intelligence (“AI”), targeted automation, and a widening spectrum of attackers and techniques. To fortify their security posture, organizations will require greater visibility, advanced capabilities leveraging increased expertise, and integrated data to effectively anticipate, identify, and respond to exposure-led threats.
Through our security operations platform, anchored on our cloud security, security information and event management (“SIEM”), advanced detection and response, and vulnerability management offerings, we believe that Rapid7 is poised to expand the capabilities of today's SecOps teams. Rapid7 extends and expands the expertise of the Security Operations Center (“SOC") across information security, cloud operations, development, and IT teams, enabling them to better understand the attacker and leverage that information to take control of their fragmented attack surface. Enriched by years of managed services expertise, our integrated security operations platform enables SecOps teams to move away from a reactive approach, reduce their attack surface, and enhance response efficiency with a deep contextual understanding of their environment.
In the past few years, we have observed the industry undergoing a customer-driven shift to consolidated security platforms. As part of this transition, customers are moving away from cloud security as a specialized function towards cloud security as an integrated capability for SecOps teams. We view this as a demand driver for integrated SecOps, and believe that we have an opportunity to be a leader in delivering integrated risk and threat management across on-premise, cloud, and external attack surfaces. As we have shifted our strategic focus to SecOps consolidation, we are focused on continuing to drive innovation across our core products and capabilities to accelerate customer value and provide a frictionless and integrated cloud security experience.
As the threat landscape continues to grow in complexity, customers are demonstrating demand for integrated expertise to support them in effectively managing their security technologies. The convergence of these key trends – security consolidation, integrated cloud security, and expertise driven outcomes – are the foundation of what we view as the new extended SOC. Our focus is to be the leading provider of integrated security solutions for the extended SOC by providing risk and threat management within the context of overall security.
We market and sell our products and professional services to organizations of all sizes globally, including mid-market businesses, enterprises, non-profits, educational institutions and government agencies. Our customers span a wide variety of industries such as technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services. As of December 31, 2023, we had over 11,500 customers in 151 countries, including 40% of the Fortune 100. Our revenue was not concentrated with any individual customer and no customer represented more than 1% of our revenue for the years ended December 31, 2023, 2022 or 2021.
Recent Developments
Restructuring Plan
In August 2023, we announced a restructuring plan designed to improve operational efficiencies, reduce operating costs and better align the Company’s workforce with current business needs, top strategic priorities, and key growth opportunities (the “Restructuring Plan”). The Restructuring Plan included a reduction of our workforce and office space reductions within certain markets. The execution of the Restructuring Plan was substantially complete by December 31, 2023. For further information, refer to Note 19, Restructuring, in the Notes to our Consolidated Financial Statements.
Our Business Model
We offer our products through a variety of delivery models to meet the needs of our diverse customer base, including:
41

Cloud-based subscriptions, which provide our software capabilities to our customers through cloud access and on a subscription basis. Our InsightIDR, InsightCloudSec, InsightVM, InsightAppSec, InsightConnect and Threat Command products are offered as cloud-based subscriptions, with an option for a one or multi-year term.
Managed services, through which we operate our products and provide our capabilities on behalf of our customers. Our Managed Vulnerability Management, Managed Detection and Response, and Managed Application Security products are offered on a managed service basis, pursuant to one or multi-year agreements.
Licensed on-premise software consists of term licenses. When licensed on-premise software is purchased, maintenance and support and content subscriptions, as applicable, are bundled with the license for the term period. Our Nexpose and Metasploit products are offered through term software licenses. Our maintenance and support provides our customers with telephone and web-based support and ongoing bug fixes and repairs during the term of the maintenance and support agreement, and our customers who purchase our Nexpose and Metasploit products also purchase content subscriptions, which provide them with real-time access to the latest vulnerabilities and exploits.
Additionally, we offer our products through our consolidation offerings, which unify our products and services to our customers in a single package. Our Threat Complete and Cloud Risk Complete packages are offered as cloud based subscriptions, with an option for a one or multi-year term. Our Managed Threat Complete Offering is offered on a managed service basis, generally pursuant to one or multi-year agreements.
In the years ended December 31, 2023, 2022 and 2021, recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 95%, 94% and 92%, respectively, of total revenue.
Key Metrics
We monitor the following key metrics to help us measure and evaluate the effectiveness of our operations and as a means to evaluate period-to-period comparisons. We believe that both management and investors benefit from referring to these key metrics as supplemental information in assessing our performance and when planning, forecasting, and analyzing future periods. These key metrics also facilitate management's internal comparisons to our historical performance as well as comparisons to certain competitors' operating results. We believe these key metrics are useful to investors both because they allow for greater transparency with respect to key metrics used by management in its financial and operational decision-making and also because they are used by institutional investors and the analyst community to help evaluate the health of our business:
 Year Ended December 31,
 202320222021
 (dollars in thousands)
Total revenue$777,707 $685,083 $535,404 
Year-over-year growth13.5 %28.0 %30.1 %
Non-GAAP income from operations$102,221 $30,386 $7,599 
Non-GAAP operating margin13.1 %4.4 %1.4 %
Free cash flow$84,034 $40,677 $35,053 
 As of December 31,
 20232022
(dollars in thousands)
Annualized recurring revenue (“ARR”)$805,670 $714,231 
Year-over-year growth12.8 %19.2 %
Number of customers11,526 10,929 
Year-over-year growth5.5 %6.3 %
ARR per customer$69.9 $65.4 
Year-over-year growth7.0 %12.2 %
Total Revenue and Growth. We are focused on driving continued revenue growth through increased sales of our products and professional services to new and existing customers. We monitor total revenue and believe it is useful to investors as a measure of the overall success of our business.
Non-GAAP Income from Operations and Non-GAAP Operating Margin. We monitor non-GAAP income from operations and non-GAAP operating margin, non-GAAP financial measures, to analyze our financial results. We believe non-GAAP income from operations and non-GAAP operating margin are useful to investors, as supplements to U.S. GAAP
42

measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial performance and allowing for greater transparency with respect to metrics used by our management in its financial and operational decision-making. See Non-GAAP Financial Results below for further information on non-GAAP income from operations and a reconciliation of non-GAAP income from operations to the comparable GAAP financial measure.
Free Cash Flow. Free cash flow is a non-GAAP measure that we define as cash provided by operating activities less purchases of property and equipment and capitalization of internal-use software costs. We consider free cash flow to be a liquidity measure that provides useful information to management and investors about the amount of cash generated by the business after necessary capital expenditures. See Non-GAAP Financial Results below for a reconciliation of non-GAAP free cash flow to the comparable GAAP financial measure.
Annualized Recurring Revenue and Growth. Annualized Recurring Revenue (“ARR”) is defined as the annual value of all recurring revenue related to contracts in place at the end of the period. ARR should be viewed independently of revenue and deferred revenue, as ARR is an operating metric and is not intended to be combined with or replace these items. ARR is not a forecast of future revenue, which can be impacted by contract start and end dates and renewal rates and does not include revenue reported as perpetual license or professional services revenue in our consolidated statement of operations. We use ARR and believe it is useful to investors as a measure of the overall success of our business.
Number of Customers. We believe that the size of our customer base is an indicator of our global market penetration and that our net customer additions are an indicator of the growth of our business. We define a customer as any entity that has an active Rapid7 recurring revenue contract as of the specified measurement date, excluding only InsightOps and Logentries customers with a contract value less than $2,400 per year.
ARR per Customer. ARR per customer is defined as ARR divided by the number of customers at the end of the period.
Non-GAAP Financial Results
To supplement our consolidated financial statements, which are prepared and presented in accordance with GAAP, we provide investors with certain non-GAAP financial measures, including non-GAAP gross profit, non-GAAP income from operations, non-GAAP operating margin, non-GAAP net income (loss), non-GAAP net income (loss) per share, adjusted EBITDA and free cash flow. The presentation of the non-GAAP financial measures is not intended to be considered in isolation or as a substitute for, or superior to, the financial information prepared and presented in accordance with GAAP. We use these non-GAAP financial measures for financial and operational decision-making purposes and as a means to evaluate period-to-period comparisons, and use certain non-GAAP financial measures as performance measures under our executive bonus plan. We believe that these non-GAAP financial measures provide useful information about our operating results, enhance the overall understanding of past financial performance and future prospects and allow for greater transparency with respect to metrics used by our management in its financial and operational decision-making. While our non-GAAP financial measures are an important tool for financial and operational decision-making and for evaluating our own operating results over different periods of time, you should review the reconciliation of our non-GAAP financial measures to the comparable GAAP financial measures included below, and not rely on any single financial measure to evaluate our business.
We define non-GAAP gross profit, non-GAAP income from operations, non-GAAP operating margin, non-GAAP net income (loss) and non-GAAP net income (loss) per share as the respective GAAP balances excluding the effect of stock-based compensation expense, amortization of acquired intangible assets, amortization of debt issuance costs and certain other items such as acquisition-related expenses, impairment of long-lived assets, Restructuring Expense, induced conversion expense, change in the fair value of derivative assets and litigation-related expenses. Non-GAAP net income (loss) per basic and diluted share is calculated as non-GAAP net income (loss) divided by the weighted average shares used to compute net income (loss) per share, with the number of weighted average shares decreased, when applicable, to reflect the anti-dilutive impact of the capped call transactions entered into in connection with our convertible senior notes.
We believe these non-GAAP financial measures are useful to investors in assessing our operating performance due to the following factors:
Stock-based compensation expense. We exclude stock-based compensation expense because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact our non-cash expense. We believe that providing non-GAAP financial measures that exclude stock-based compensation expense allows for more meaningful comparisons between our operating results from period to period.
Amortization of acquired intangible assets. We believe that excluding the impact of amortization of acquired intangible assets allows for more meaningful comparisons between operating results from period to period as the intangible assets are valued at the time of acquisition and are amortized over several years after the acquisition.
43

Amortization of debt issuance costs. The expense for the amortization of debt issuance costs related to our convertible senior notes and revolving credit facility is a non-cash item and we believe the exclusion of this interest expense provides a more useful comparison of our operational performance in different periods.
Induced conversion expense. In conjunction with the third quarter of 2023 partial repurchase of our 2025 Notes, we incurred a non-cash induced conversion expense of $53.9 million. We exclude induced conversion expense because this amount is not indicative of the performance of, or trends in, our business and neither is comparable to the prior period nor predictive of future results.
Litigation-related expenses. We exclude non-ordinary course litigation expense because we do not consider legal costs and settlement fees incurred in litigation and litigation-related matters of non-ordinary course lawsuits and other disputes to be indicative of our core operating performance. We do not adjust for ordinary course legal expenses, including legal costs and settlement fees resulting from maintaining and enforcing our intellectual property portfolio and license agreements.
Acquisition-related expenses. We exclude acquisition-related expenses that are unrelated to the current operations and neither are comparable to the prior period nor predictive of future results.
Change in fair value of derivative assets. The change in fair value of derivative assets related to our capped calls settlement is a non-cash item and we believe the exclusion of this other income (expense) provides a more useful comparison of our operational performance in different periods.
Impairment of long-lived assets. Impairment of long-lived assets consists of impairment charges allocated to the carrying amount of certain operating right-of-use assets and the associated leasehold improvements when the carrying amounts exceed their respective fair values and we believe the exclusion of the impairment charges provides a more useful comparison of our operational performance in different periods.
Restructuring Expense. We exclude non-ordinary course restructuring expenses related to the Restructuring Plan because we do not believe these charges are indicative of our core operating performance and we believe the exclusion of the restructuring expense provides a more useful comparison of our performance in different periods.
Anti-dilutive impact of capped call transaction. Our capped calls transactions are intended to offset potential dilution from the conversion features in our convertible senior notes. Although we cannot reflect the anti-dilutive impact of the capped call transactions under GAAP, we do reflect the anti-dilutive impact of the capped call transactions in non-GAAP net income (loss) per diluted share, when applicable, to provide investors with useful information in evaluating our financial performance on a per share basis.
We define adjusted EBITDA as net loss before (1) interest income, (2) interest expense, (3) other income (expense), net, (4) provision for income taxes, (5) depreciation expense, (6) amortization of intangible assets, (7) stock-based compensation expense, (8) acquisition-related expenses, (9) litigation-related expenses, (10) impairment of long-lived assets and (11) restructuring expense. We believe that the use of adjusted EBITDA is useful to investors and other users of our financial statements in evaluating our operating performance because it provides them with an additional tool to compare business performance across companies and across periods.
Our non-GAAP financial measures may not provide information that is directly comparable to that provided by other companies in our industry, as other companies in our industry may calculate non-GAAP financial results differently, particularly related to non-recurring, unusual items. In addition, there are limitations in using non-GAAP financial measures because the non-GAAP financial measures are not prepared in accordance with GAAP, may be different from non-GAAP financial measures used by other companies and exclude expenses that may have a material impact upon our reported financial results. Further, stock-based compensation expense has been and will continue to be for the foreseeable future a significant recurring expense in our business and an important part of the compensation provided to our employees.
44

The following tables reconcile GAAP gross profit to non-GAAP gross profit for the years ended December 31, 2023, 2022 and 2021:
 Year Ended December 31,
 202320222021
 (in thousands)
GAAP total gross profit$545,966 $470,734 $366,456 
Stock-based compensation expense10,700 10,367 6,491 
Amortization of acquired intangible assets18,386 18,493 15,373 
Non-GAAP total gross profit$575,052 $499,594 $388,320 

 Year Ended December 31,
 202320222021
 (in thousands)
GAAP gross profit – products$537,264 $465,323 $360,070 
Stock-based compensation expense8,202 7,562 4,357 
Amortization of acquired intangible assets18,386 18,493 15,373 
Non-GAAP gross profit – products$563,852 $491,378 $379,800 

 Year Ended December 31,
 202320222021
 (in thousands)
GAAP gross profit – professional services$8,702 $5,411 $6,386 
Stock-based compensation expense2,498 2,805 2,134 
Non-GAAP gross profit – professional services$11,200 $8,216 $8,520 
The following table reconciles GAAP loss from operations to non-GAAP income from operations for the years ended December 31, 2023, 2022 and 2021:
 Year Ended December 31,
 202320222021
 (in thousands)
GAAP loss from operations$(80,733)$(111,614)$(120,065)
Stock-based compensation expense108,081 119,902 102,579 
Amortization of acquired intangible assets21,499 21,983 17,305 
Acquisition-related expenses363 — 7,211 
Litigation-related expenses— 115 569 
Impairment of long-lived assets30,784 — — 
Restructuring expense22,227 — — 
Non-GAAP income from operations$102,221 $30,386 $7,599 







45

The following table reconciles GAAP net loss to non-GAAP net (loss) income for the years ended December 31, 2023, 2022 and 2021:
 Year Ended December 31,
 202320222021
 (in thousands, except share and per share data)
GAAP net loss$(149,260)$(124,717)$(146,334)
Stock-based compensation expense108,081 119,902 102,579 
Amortization of acquired intangible assets21,499 21,983 17,305 
Acquisition-related expenses363 — 16,176 
Litigation-related expenses— 115 569 
Amortization of debt issuance costs4,138 4,085 3,982 
Induced conversion expense53,889 — 2,740 
Change in fair value of derivative assets15,511 — — 
Impairment of long-lived assets30,784 — — 
Restructuring expense22,227 — — 
Non-GAAP net (loss) income$107,232 $21,368 $(2,983)
Interest expense of convertible senior notes (1)2,667 1,500 — 
Numerator for non-GAAP earnings per share calculation$109,899 $22,868 $(2,983)
Weighted average shares used in GAAP earnings per share calculation, basic60,756,087 58,552,065 55,270,998 
Dilutive effect of convertible senior notes (1)10,429,891 5,803,831 — 
Dilutive effect of employee equity incentive plans (2)916,134 1,251,725 — 
Weighted average shares used in non-GAAP earnings per share calculation, diluted72,102,112 65,607,621 55,270,998 
Non-GAAP net income (loss) per share:
Basic$1.76 $0.36 $(0.05)
Diluted$1.52 $0.35 $(0.05)
(1) We use the if-converted method to compute diluted earnings per share with respect to our Notes. There was no add-back of interest expense or additional dilutive shares related to the Notes where the effect was anti-dilutive. On an if converted basis, for the year ended December 31, 2023, the 2029 Notes and 2027 Notes were dilutive and the 2025 Notes were anti-dilutive and for the year ended December 31, 2022, the 2025 Notes were dilutive and the 2027 Notes were anti-dilutive.
(2) We use the treasury method to compute the dilutive effect of employee equity incentive plan awards.










46



The following table reconciles GAAP net loss to adjusted EBITDA for the years ended December 31, 2023, 2022 and 2021:
 Year Ended December 31,
 202320222021
 (in thousands)
Net loss$(149,260)$(124,717)$(146,334)
Interest income(10,177)(1,813)(365)
Interest expense64,700 10,982 14,292 
Other (income) expense, net14,522 1,522 1,921 
(Benefit from) provision for income taxes(518)2,412 10,421 
Depreciation expense14,047 13,571 12,342 
Amortization of intangible assets31,892 27,467 21,159 
Stock-based compensation expense108,081 119,902 102,579 
Acquisition-related expenses363 — 7,211 
Litigation-related expenses— 115 569 
Impairment of long-lived assets30,784 — — 
Restructuring expense22,227 — — 
Adjusted EBITDA$126,661 $49,441 $23,795 
The following table reconciles net cash provided by operating activities to free cash flow for the years ended December 31, 2023, 2022 and 2021:
 Year Ended December 31,
 202320222021
 (in thousands)
Net cash provided by operating activities$104,278 $78,204 $53,917 
Less: Purchases of property and equipment(4,366)(20,382)(9,010)
Less: Capitalized internal-use software costs(15,878)(17,145)(9,854)
Free cash flow$84,034 $40,677 $35,053 
Components of Results of Operations
Revenue
We generate revenue primarily from selling products and professional services through a variety of delivery models to meet the needs of our diverse customer base.
Products
We generate products revenue from the sale of (1) cloud-based subscriptions, (2) managed services offerings, which utilize our products and (3) software licenses with related maintenance and support and content subscription, as applicable. Software license revenue consists of revenues from term licenses. When software licenses are purchased, maintenance and support and content subscription, as applicable, is bundled with the license for the term period.
Professional Services
We generate professional service revenue from the sale of deployment and training services related to our products, incident response services and security advisory services.
Cost of Revenue
Our total cost of revenue consists of the costs of products and professional services, as noted below. In addition, cost of revenue includes overhead costs for depreciation, facilities, IT, information security, and recruiting. Our IT overhead costs include IT personnel compensation costs and costs associated with our IT infrastructure. All overhead costs are allocated based on relative headcount.
47

Cost of Products
Cost of products consists of personnel and related costs for our content, support, managed service and cloud operations teams, including salaries and other payroll related costs, bonuses, stock-based compensation and allocated overhead costs. Also included in cost of products are software license fees, cloud computing costs and internet connectivity expenses directly related to delivering our products, amortization of contract fulfillment costs, as well as amortization of certain intangible assets including internally developed software.
Cost of Professional Services
Cost of professional services consists of personnel and related costs for our professional services team, including salaries and other payroll related costs, bonuses, stock-based compensation, costs of contracted third-party vendors, travel and entertainment expenses and allocated overhead costs.
We expect our cost of revenue to increase on an absolute dollar basis as we continue to grow our revenue.
Gross Margin
Gross margin, or gross profit as a percentage of revenue, has been and will continue to be affected by a variety of factors, including the average sales price of our products and services, transaction volume growth, the mix of revenue between software licenses, cloud-based subscriptions, managed services and professional services and changes in cloud computing costs.
We expect our gross margins to fluctuate over time depending on the factors described above.
Operating Expenses
Operating expenses consist of research and development, sales and marketing, general and administrative expenses, impairment of long-lived assets and restructuring. Operating expenses include overhead costs for depreciation, facilities, IT, information security and recruiting. Our IT overhead costs include IT personnel compensation costs and costs associated with our IT infrastructure. All overhead costs are allocated based on relative headcount.
Research and Development Expense
Research and development expense consists of personnel costs for our research and development team, including salaries and other payroll related costs, bonuses and stock-based compensation. Additional expenses include third-party infrastructure costs, travel and entertainment, consulting and professional fees for third-party development resources as well as allocated overhead costs.
We expect research and development expense to decrease as a percentage of total revenue in the near term.
Sales and Marketing Expense
Sales and marketing expense consists of personnel costs for our sales and marketing team, including salaries and other payroll related costs, commissions, including amortization of deferred commissions, bonuses and stock-based compensation. Additional expenses include marketing activities and promotional events, travel and entertainment, training costs, amortization of certain intangible assets and allocated overhead costs.
We expect sales and marketing expense to decrease as a percentage of total revenue in the near term.
General and Administrative Expense
General and administrative expense consists of personnel costs for our executive, legal, human resources, and finance and accounting departments, including salaries and other payroll related costs, bonuses and stock-based compensation. Additional expenses include travel and entertainment, professional fees, litigation-related expenses, insurance, acquisition-related expenses, amortization of certain intangible assets and allocated overhead costs.
We expect general and administrative expense to decrease as a percentage of total revenue in the near term.
48

Impairment of Long-Lived Assets
Impairment of long-lived assets consists of impairment charges allocated to the carrying amount of certain operating right-of-use assets and the associated leasehold improvements when the carrying amounts exceed their respective fair values.
Restructuring Expense
Restructuring expense consist of charges related to the Restructuring Plan such as employee transition, notice period and severance payments and employee benefits and related facilitation costs. For further information, refer to Note 19, Restructuring, in the Notes to our Consolidated Financial Statements.
Interest Income
Interest income consists primarily of interest income on our cash and cash equivalents and our short and long-term investments.
Interest Expense
Interest expense consists primarily of contractual interest expense, amortization of debt issuance costs related to our convertible senior notes and revolving credit facility and induced conversion expense. We expect interest expense in the near term to represent contractual interest expense and amortization of debt issuance costs related to our convertible senior notes and revolving credit facility.
Other Income (Expense), Net
Other income (expense), net consists primarily of the change in fair value of derivative assets and unrealized and realized gains and losses related to changes in foreign currency exchange rates.
Provision for Income Taxes
Provision for income taxes consists of domestic and foreign taxes on income and withholding taxes. We maintain a substantially full valuation allowance for domestic and certain foreign deferred tax assets, including net operating loss carryforwards and tax credits. Based on our history of losses, we expect to maintain this substantially full valuation allowance for the foreseeable future as it is more likely than not that some or all of those deferred tax assets may not be realized.
49

Results of Operations
 Year Ended December 31,
 202320222021
 (in thousands)
Consolidated Statement of Operations Data:
Revenue:
Products$740,168 $647,535 $500,843 
Professional services37,539 37,548 34,561 
Total revenue777,707 685,083 535,404 
Cost of revenue:(1)
Products202,904 182,212 140,773 
Professional services28,837 32,137 28,175 
Total cost of revenue231,741 214,349 168,948 
Operating expenses:(1)
Research and development176,776 189,970 160,779 
Sales and marketing312,636 307,409 247,453 
General and administrative84,276 84,969 78,289 
Impairment of long-lived assets30,784 — — 
Restructuring22,227 — — 
Total operating expenses626,699 582,348 486,521 
Loss from operations(80,733)(111,614)(120,065)
Interest income10,177 1,813 365 
Interest expense(64,700)(10,982)(14,292)
Other income (expense), net(14,522)(1,522)(1,921)
Loss before income taxes(149,778)(122,305)(135,913)
(Benefit from) provision for income taxes(518)2,412 10,421 
Net loss$(149,260)$(124,717)(146,334)
(1)Cost of revenue and operating expenses include stock-based compensation expense and depreciation and amortization expense as follows:
 Year Ended December 31,
 202320222021
 (in thousands)
Stock-based compensation expense:
Cost of revenue$10,700 $10,367 $6,491 
Research and development38,022 49,940 46,622 
Sales and marketing29,325 31,217 23,828 
General and administrative30,034 28,378 25,638 
Total stock-based compensation expense$108,081 $119,902 $102,579 
 Year Ended December 31,
 202320222021
 (in thousands)
Depreciation and amortization expense:
Cost of revenue$31,447 $26,520 $21,484 
Research and development4,217 $4,133 3,566 
Sales and marketing7,801 $7,742 6,277 
General and administrative2,474 $2,643 2,174 
Total depreciation and amortization expense$45,939 $41,038 $33,501 
50

The following table sets forth our consolidated statements of operations data expressed as a percentage of revenue:
 Year Ended December 31,
 202320222021
Consolidated Statement of Operations Data:
Revenue:
Products95.2 %94.5 %93.5 %
Professional services4.8 5.5 6.5 
Total revenue100.0 100.0 100.0 
Cost of revenue:
Products26.1 26.6 26.3 
Professional services3.7 4.7 5.3 
Total cost of revenue29.8 31.3 31.6 
Operating expenses:
Research and development22.7 27.7 30.0 
Sales and marketing40.2 44.9 46.2 
General and administrative10.8 12.4 14.6 
Impairment of long-lived assets4.0 — — 
Restructuring2.9 — — 
Total operating expenses80.6 85.0 90.8 
Loss from operations(10.4)(16.3)(22.4)
Interest income1.3 0.3 0.1 
Interest expense(8.3)(1.6)(2.7)
Other income (expense), net(1.9)(0.2)(0.4)
Loss before income taxes(19.3)(17.8)(25.4)
Provision for income taxes(0.1)0.4 1.9 
Net loss(19.2)%(18.2)%(27.3)%
Comparison of the Year Ended December 31, 2023 and 2022
Revenue
 Year Ended December 31,Change
 20232022$        %      
 (dollars in thousands)
Revenue:
Products$740,168 $647,535 $92,633 14.3 %
Professional services37,539 37,548 (9)— %
Total revenue$777,707 $685,083 $92,624 13.5 %
Total revenue increased by $92.6 million in 2023 compared to 2022 and consisted of a $2.2 million increase in revenue from new customers and a $90.4 million increase in revenue from existing customers. The $90.4 million increase in revenue from existing customers was due to an increase in revenue from renewals, upsells and cross-sells as a result of the continued growth of our existing customer base. Revenue from new customers represents the revenue recognized from the customer's initial purchase.
The increase in total revenue in 2023 compared to 2022 was comprised of $65.6 million generated from sales in North America and $27.0 million generated from sales from the rest of the world.

51

Cost of Revenue
 Year Ended December 31,Change
 20232022$%
 (dollars in thousands)
Cost of revenue:
Products$202,904 $182,212 $20,692 11.4 %
Professional services28,837 32,137 (3,300)(10.3)%
Total cost of revenue$231,741 $214,349 $17,392 8.1 %
Gross margin %:
Products72.6 %71.9 %
Professional services23.2 %14.4 %
Total gross margin %70.2 %68.7 %
Total cost of revenue increased by $17.4 million in 2023 compared to 2022, primarily due to a $10.0 million increase in cloud computing costs related to growing cloud-based subscription and managed services revenue, a $4.9 million increase in amortization expense for capitalized internally-developed software, a $2.3 million increase in personnel costs, inclusive of a $0.3 million increase in stock-based compensation expense, and a $0.1 million increase in other expenses.
Total gross margin percentage increased in 2023 compared to 2022. The increase in products gross margin was driven by our ability to scale as our revenue continues to grow. The increase in professional services gross margin in 2023 compared to 2022 was primarily due to a decrease in personnel costs.
Operating Expenses
Research and Development Expense
Year Ended December 31,Change
20232022$%
(dollars in thousands)
Research and development$176,776 $189,970 $(13,194)(6.9)%
% of revenue22.7 %27.7 %
Research and development expense decreased by $13.2 million in 2023 compared to 2022, primarily due to a $14.2 million decrease in personnel costs, inclusive of a $11.9 million decrease in stock-based compensation expense, resulting from a decrease in headcount primarily due to the Restructuring Plan, and a $2.5 million decrease in other expenses. These decreases were partially offset by a $3.5 million write-off of capitalized internal-use software projects.
Sales and Marketing Expense
 Year Ended December 31,Change
 20232022$        %        
 (dollars in thousands)
Sales and marketing$312,636 $307,409 $5,227 1.7 %
% of revenue40.2 %44.9 %
Sales and marketing expense increased by $5.2 million in 2023 compared to 2022, primarily due to a $7.6 million increase in personnel costs, net of a $1.7 million decrease in stock-based compensation expense, resulting from a decrease in headcount primarily due to the Restructuring Plan. This increase was partially offset by a decrease of $1.7 million in marketing and advertising expenses and a $0.7 million decrease in other expenses.
52

General and Administrative Expense
 Year Ended December 31,Change
 20232022$        %        
 (dollars in thousands)
General and administrative$84,276 $84,969 $(693)(0.8)%
% of revenue10.8 %12.4 %
General and administrative expense decreased by $0.7 million in 2023 compared to 2022, primarily due to a $2.8 million increase in professional fees, partially offset by a $1.9 million decrease in other expenses.
Impairment of Long-Lived Assets
 Year Ended December 31,Change
 20232022$%
 (dollars in thousands)
Impairment of long-lived assets$30,784 $— $30,784 100.0 %
% of revenue4.0 %— %

Impairment of long-lived assets expense increased by $30.8 million in 2023 compared to 2022, due to an impairment charge recorded after a triggering event related to a change in usage of certain idle office space at our corporate headquarters in Boston, Massachusetts as well as idle office spaces located in Plano, Texas, Los Angeles, California and Toronto, Canada indicated that the carrying value of our right of use and other lease-related assets may not be fully recoverable.
Restructuring Expense
 Year Ended December 31,Change
 20232022$%
 (dollars in thousands)
Restructuring $22,227 $— $22,227 100.0 %
% of revenue2.9 %— %
Restructuring expense increased by $22.2 million in 2023 compared to 2022, due to restructuring charges consisting of employee transition, notice period and severance payments and employee benefits and related facilitation costs related to our Restructuring Plan. Refer to Note 19, Restructuring, in the Notes to our Consolidated Financial Statements for further details on our Restructuring Plan.
Interest Income
 Year Ended December 31,Change
 20232022$%
 (dollars in thousands)
Interest income$10,177 $1,813 $8,364 461.3 %
% of revenue1.3 %0.3 %
Interest income increased by $8.4 million in 2023 compared to 2022, primarily due to an increase in interest rates.
Interest Expense
 Year Ended December 31,Change
 20232022$%
 (dollars in thousands)
Interest expense$(64,700)$(10,982)$(53,718)489.1 %
% of revenue(8.3)%(1.6)%
Interest expense increased by $53.7 million in 2023 compared to 2022, primarily due to $53.9 million of induced conversion expense incurred in conjunction with the partial repurchase of the 2025 Notes.
53

Other Income (Expense), Net
 Year Ended December 31,Change
 20232022$        %        
 (dollars in thousands)
Other income (expense), net$(14,522)$(1,522)$(13,000)854.1 %
% of revenue(1.9)%(0.2)%
Other income (expense), net increased by $13.0 million in 2023 compared to 2022, due to a $15.5 million expense for the change in fair value of derivative assets related to our 2023 Capped Calls settlement and a decrease in realized and unrealized foreign currency gains, primarily related to the euro and British pound sterling.
(Benefit From) Provision for Income Taxes
 Year Ended December 31,Change
 20232022$        %        
 (dollars in thousands)
(Benefit from) provision for income taxes$(518)$2,412 $(2,930)(121.5)%
% of revenue(0.1)%0.4 %
In 2023, the benefit from income taxes was $0.5 million, primarily due to changes in valuation allowance related to foreign entity deferred tax assets, compared to a provision for income taxes of $2.4 million in 2022.
Comparison of the Year Ended December 31, 2022 and 2021
We have elected not to include a discussion of our consolidated results for 2022 compared to 2021 in this report in reliance upon Instruction 1 to Item 303(b) of Regulation S-K. This discussion can be found in our Annual Report on Form 10-K for the year ended December 31, 2022, which was filed with the SEC on February 24, 2023.
Liquidity and Capital Resources
As of December 31, 2023, we had $213.6 million in cash and cash equivalents, $225.7 million in investments that have maturities ranging from one to thirteen months and an accumulated deficit of $1.0 billion. Since our inception, we have generated significant losses and we may generate losses for the foreseeable future. Our principal sources of liquidity are cash and cash equivalents, investments and our Credit and Security Agreement (the “Credit Agreement”). To date, we have financed our operations primarily through private and public equity financings, issuance of convertible senior notes and through cash generated by operating activities.
We believe that our existing cash and cash equivalents, our investments, our available borrowings under our Credit Agreement and cash generated by operating activities will be sufficient to meet our operating and capital requirements for at least the next 12 months. Our foreseeable cash needs, in addition to our recurring operating expenses, include our expected capital expenditures to support expansion of our infrastructure and workforce, office facilities lease obligations, purchase commitments, including our cloud infrastructure services (including with Amazon Web Services (“AWS”)), potential future acquisitions of technology businesses and any election we make to redeem our convertible senior notes.
Our future capital requirements will depend on many factors, including our growth rate, the timing and extent of spending to support research and development efforts, the expansion of sales and marketing activities, particularly internationally, the introduction of new and enhanced products and service offerings, the cost of any future acquisitions of technology or businesses and any election we make to redeem our convertible senior notes. In the event that additional financing is required from outside sources, we may be unable to raise the funds on acceptable terms, if at all. If we are unable to raise additional capital on terms satisfactory to us when we require it, our business, operating results and financial condition could be adversely affected.
54

Cash Flows
The following table shows a summary of our cash flows for the years ended December 31, 2023 and 2022:
 Year Ended December 31,
 202320222021
 (in thousands)
Cash, cash equivalents and restricted cash at beginning of period$207,804 $165,017 $173,617 
Net cash provided by operating activities104,278 78,204 53,917 
Net cash used in investing activities(178,754)(39,988)(325,378)
Net cash provided by financing activities79,597 7,416 264,133 
Effects of exchange rates on cash, cash equivalents and restricted cash1,202 (2,845)(1,272)
Cash, cash equivalents and restricted cash at end of period$214,127 $207,804 $165,017 
Uses of Funds
Our historical uses of cash have primarily consisted of cash used for operating activities such as expansion of our sales and marketing operations, research and development activities and other working capital needs, as well as cash used for business acquisitions and purchases of property and equipment, including leasehold improvements for our facilities.
Operating Activities
Operating activities provided $104.3 million of cash and cash equivalents for the year ended December 31, 2023, which reflects continued growth in revenue partially offset by our continued investments in our operations and the timing of working capital adjustments. Cash provided by operating activities reflected our net loss of $149.3 million and an increase in our net operating assets and liabilities of $0.4 million, offset by non-cash charges of $253.2 million related primarily to depreciation and amortization, stock-based compensation expense, deferred income taxes, impairment of long-lived assets, change in fair value of derivative assets, amortization of debt issuance costs and other non-cash charges. The change in our net operating assets and liabilities was primarily due to a $30.5 million increase in deferred revenue due to increased billings and a $5.4 million increase in accounts payable and a $2.4 million increase in accrued expenses, which each had a positive impact on operating cash flow. These factors were offset by an $18.5 million increase in deferred contract acquisition and fulfillment costs, a $14.0 million increase in accounts receivable, a $4.1 million increase in prepaid expenses and a $1.3 million decrease in other liabilities , which each had a negative impact on operating cash flow.
Operating activities provided $78.2 million of cash in 2022, which reflects continued growth in revenue partially offset by our continued investments in our operations and a net benefit from changes in working capital items. Cash provided by operating activities reflected our net loss of $124.7 million, offset by a decrease in our net operating assets of $39.5 million and non-cash charges of $163.4 million related primarily to depreciation and amortization, stock-based compensation expense, deferred income taxes, amortization of debt issuance costs and other non-cash charges. The decrease in our net operating assets was primarily due to a $52.5 million increase in deferred revenue due to increased billings, a $8.0 million increase in accounts payable, an increase in accrued expenses of $3.7 million and a $2.4 million increase in other liabilities, which each had a positive impact on operating cash flow. These factors were partially offset by a $15.9 million increase in deferred contract acquisition and fulfillment costs, a $9.0 million increase in accounts receivable and a $2.2 million increase in prepaid expenses and other assets, which each had a negative impact on operating cash flow.
Investing Activities
Investing activities used $178.8 million of cash for the year ended December 31, 2023, consisting of $126.4 million in purchases of investments, net of sales and maturities, $34.8 million of cash paid for the acquisition of Minerva, $15.9 million for capitalization of internal-use software costs, $4.4 million in capital expenditures to purchase computer equipment and leasehold improvements, partially offset by $2.7 million in proceeds from other investments.
Investing activities used $40.0 million of cash in 2022, consisting of $20.4 million in capital expenditures to purchase computer equipment and leasehold improvements, $17.1 million for capitalization of internal-use software costs, $1.5 million of investment purchases, net of sales and maturities, and $1.0 million of other investments.
Financing Activities
Financing activities provided $79.6 million for the year ended December 31, 2023, which consisted primarily of $292.1 million in proceeds from the issuance of the 2029 Notes, net of issuance costs paid of $7.9 million, $17.5 million in proceeds from the
55

settlement of the 2023 Capped Calls, $11.3 million in proceeds from the issuance of common stock purchased by employees under the Rapid7, Inc. 2015 Employee Stock Purchase Plan (“ESPP”) and $3.1 million in proceeds from the exercise of stock options, partially offset by $200.0 million for the repurchase and conversion of the 2025 Notes, $36.6 million for the purchase of the 2029 Capped Calls, $5.6 million in withholding taxes paid for the net share settlement of equity awards and $2.3 million in payments related to the acquisition of IntSights.
Financing activities provided $7.4 million of cash in 2022, which consisted primarily of $11.9 million in proceeds from the issuance of common stock purchased by employees under the Rapid7, Inc. 2015 Employee Stock Purchase Plan (“ESPP”) and $3.3 million in proceeds from the exercise of stock options, partially offset by $7.5 million in withholding taxes paid for the net share settlement of equity awards and $0.3 million in payments related to the acquisition of Velocidex.
Off-Balance Sheet Arrangements
We do not have any relationships with unconsolidated entities or financial partnerships, including entities sometimes referred to as structured finance or special purpose entities that were established for the purpose of facilitating off-balance sheet arrangements or other contractually narrow or limited purposes. We do not engage in off-balance sheet financing arrangements. In addition, we do not engage in trading activities involving non-exchange traded contracts. We therefore believe that we are not materially exposed to any financing, liquidity, market or credit risk that could arise if we had engaged in these relationships.
Critical Accounting Estimates
Our consolidated financial statements are prepared in accordance with generally accepted accounting principles in the United States (“GAAP”). The preparation of our consolidated financial statements requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, expenses and disclosures. We base our estimates and assumptions on historical experience and other factors that we believe to be reasonable under the circumstances. We evaluate our estimates and assumptions on an ongoing basis. Our actual results may differ from these estimates.
Our significant accounting policies, including those considered to be critical accounting estimates are summarized in Note 2, Summary of Significant Accounting Policies, in the Notes to our Consolidated Financial Statements included in this Annual Report on Form 10-K.
Revenue Recognition
We generate revenue primarily from: (1) product subscriptions from the sale of cloud-based subscriptions, managed services, term software licenses, content subscriptions and maintenance and support associated with our software licenses and (2) professional services from the sale of our deployment and training services related to our solutions, incident response services, penetration testing and security advisory services.
The majority of our contracts with customers contain multiple performance obligations. For these contracts, we account for individual performance obligations separately if they are distinct. The transaction price is allocated to the separate performance obligations on a relative standalone selling price (“SSP”) basis. We determine SSP of our products and services based on our overall pricing objectives using all information reasonably available to us, taking into consideration market conditions and other factors, including the geographic locations of our customers, negotiated discounts from price lists and selling method (i.e., partner or direct). When available, we use directly observable stand-alone transactions to determine SSP. When not regularly sold on a stand-alone basis, we estimate SSP for our products and services utilizing historical sales data, including discounts from list price. The historical data is aggregated and analyzed by geographic location and selling method to establish a median or average price. Once SSP is established it is applied consistently to all transactions involving that product or service utilizing a portfolio approach.
Deferred Contract Acquisition Costs
We defer contract costs that are recoverable and incremental to obtaining customer contracts. Contract costs, which primarily consist of sales commissions, are amortized on a systematic basis that is consistent with the transfer to the customer of the goods or services to which the asset relates. Contract costs for a new customer, upsell or cross-sell are amortized on a straight-line basis over an estimated period of benefit of five years as sales commissions on initial sales are not commensurate with sales commissions on contract renewals. We determined the estimated period of benefit by taking into consideration the contractual term and expected renewals of customer contracts, our technology and other factors, including the fact that commissions paid on renewals are not commensurate with commissions paid on initial sales transactions. Contract costs relating to contract renewals are deferred and amortized on a straight-line basis over the weighted average contract length of renewal contracts. Contract costs for professional services arrangements are expensed as incurred in accordance with the practical expedient as the contractual period of our professional services arrangements is one year or less. We periodically review the carrying amount of
56

deferred contract acquisition costs to determine whether events or changes in circumstances have occurred that could impact the period of benefit.
Recent Accounting Pronouncements
See Note 2, Summary of Significant Accounting Policies, in the Notes to our Consolidated Financial Statements in Item 8 of Part II of this Annual Report on Form 10-K for a description of recent accounting pronouncements and our expectation of their impact, if any, on our results of operations and financial conditions.
Item 7A. Quantitative and Qualitative Disclosures About Market Risk.
Foreign Currency Exchange Risk
Our results of operations and cash flows are subject to fluctuations due to changes in foreign currency exchange rates. A majority of our customers enter into contracts that are denominated in U.S. dollars. Our expenses are generally denominated in the currencies of the countries where our operations are located, which is primarily in the United States and to a lesser extent in the United Kingdom, other Euro-zone countries within mainland Europe, Canada, Australia, Israel, Singapore and Japan. Our results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign currency exchange rates. The effect of a hypothetical 10% adverse change in foreign currency exchange rates on monetary assets and liabilities as of December 31, 2023 would not have been material to our financial condition or results of operations. We enter into forward contracts designated as cash flow hedges to manage the foreign currency exchange rate risk associated with certain of our foreign currency denominated expenditures. The effectiveness of our existing hedging transactions and the availability and effectiveness of any hedging transactions we may decide to enter into in the future may be limited, and we may not be able to successfully hedge our exposure, which could adversely affect our financial condition and operating results. For further information, see Note 9, Derivatives and Hedging Activities, in the Notes to our Consolidated Financial Statements included in this Quarterly Report on Form 10-Q. As our international operations grow, we will continue to reassess our approach to manage our risk relating to fluctuations in foreign currency rates.
Interest Rate Risk
As of December 31, 2023, we had cash and cash equivalents of $213.6 million consisting of bank deposits and money market funds and investments of $225.7 million consisting of U.S. government agencies and agency bonds. Our investments are made for capital preservation purposes. We do not enter into investments for trading or speculative purposes.
Our cash and cash equivalents and investments are subject to market risk due to changes in interest rates, which may affect our interest income and the fair value of our investments. Due in part to these factors, our future investment income may fluctuate due to changes in interest rates or we may suffer losses in principal if we are forced to sell securities that decline in market value due to changes in interest rates. However, because we classify our investments as available-for-sale securities, no gains or losses are recognized due to the changes in interest rates unless securities are sold prior to maturity or declines in fair value are determined to be other-than-temporary.
The fair values of our convertible senior notes are subject to interest rate risk, market risk and other factors due to the conversion features of the notes. The fair values of the convertible senior notes may increase or decrease for various reasons, including fluctuations in the market price of our common stock, fluctuations in market interest rates and fluctuations in general economic conditions. The interest and market value changes affect the fair values of the convertible senior notes but do not impact our financial position, cash flows or results of operations due to the fixed nature of the debt obligation. Based upon the quoted market price as of December 31, 2023, the fair values of our 2025 Notes, 2027 Notes and 2029 Notes were $50.5 million, $538.9 million and $333.4 million , respectively.
As of December 31, 2023, the effect of a hypothetical 10% increase or decrease in interest rates would not have had a material impact on our financial statements.
Inflation Risk
We do not believe that inflation had a material effect on our business, financial condition or results of operations. If our costs were to become subject to significant inflationary pressures, we may not be able to fully offset such higher costs through price increases. Our inability or failure to do so could harm our business, financial condition and results of operations.

57

Item 8. Financial Statements and Supplementary Data.


58

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
To the Stockholders and Board of Directors
Rapid7, Inc.:
Opinions on the Consolidated Financial Statements and Internal Control Over Financial Reporting
We have audited the accompanying consolidated balance sheets of Rapid7, Inc. and subsidiaries (the Company) as of December 31, 2023 and 2022, the related consolidated statements of operations, comprehensive loss, changes in stockholders’ equity (deficit), and cash flows for each of the years in the three-year period ended December 31, 2023, and the related notes (collectively, the consolidated financial statements). We also have audited the Company’s internal control over financial reporting as of December 31, 2023, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the Company as of December 31, 2023 and 2022, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 2023, in conformity with U.S. generally accepted accounting principles. Also in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2023 based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
Basis for Opinions
The Company’s management is responsible for these consolidated financial statements, for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management’s Report on Internal Control Over Financial Reporting. Our responsibility is to express an opinion on the Company’s consolidated financial statements and an opinion on the Company’s internal control over financial reporting based on our audits. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (PCAOB) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud, and whether effective internal control over financial reporting was maintained in all material respects.
Our audits of the consolidated financial statements included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.
Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
59

Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the consolidated financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the consolidated financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of a critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.
Sufficiency of audit evidence over products revenue
As discussed in Note 2 to the consolidated financial statements, the Company derives revenue primarily from product subscriptions revenue which consists of cloud-based subscriptions, managed services, term software licenses, content subscriptions and maintenance and support associated with its software licenses. For the year ended December 31, 2023, the Company recorded revenue of $778 million, which includes product subscriptions revenue of $739 million. The Company has high volumes of transactions and the processing and recording of the related product subscriptions revenue is reliant upon the Company’s information technology (IT) system.
We identified the evaluation of the sufficiency of audit evidence over product subscriptions revenue as a critical audit matter. Subjective auditor judgment was required to determine the nature and extent of procedures performed over the processing and recording of product subscriptions revenue because the revenue recognition process is highly automated. Additionally, specialized skills and knowledge were required to test the IT system used for the processing and recording of product subscriptions revenue.
The following are the primary procedures we performed to address this critical audit matter. We applied auditor judgment to determine the nature and extent of procedures to be performed over the processing and recording of product subscriptions revenue, including the related IT system. We evaluated the design and tested the operating effectiveness of certain internal controls related to the processing and recording of product subscriptions revenue. We involved IT professionals with specialized skills and knowledge, who assisted in evaluating the design and testing the operating effectiveness of certain general IT and application controls. For a sample of product subscriptions revenue transactions, we determined the revenue to be recorded in the current period based on the underlying contract and compared it to the Company's recorded balances. In addition, we evaluated the sufficiency of audit evidence obtained by assessing the results of procedures performed, including the appropriateness of the nature and extent of such evidence.






/s/ KPMG LLP
We have served as the Company's auditor since 2013.
Boston, Massachusetts
February 26, 2024

60

RAPID7, INC.
CONSOLIDATED BALANCE SHEETS
(in thousands, except share and per share data)
December 31, 2023December 31, 2022
Assets
Current assets:
Cash and cash equivalents$213,629 $207,287 
Short-term investments169,544 84,162 
Accounts receivable, net of allowance for credit losses of $951 and $2,299 at December 31, 2023 and December 31, 2022, respectively
164,862 152,045 
Deferred contract acquisition and fulfillment costs, current portion45,008 34,906 
Prepaid expenses and other current assets41,407 31,907 
Total current assets634,450 510,307 
Long-term investments56,171 9,756 
Property and equipment, net39,642 57,891 
Operating lease right-of-use assets54,693 79,342 
Deferred contract acquisition and fulfillment costs, non-current portion76,601 68,169 
Goodwill536,351 515,631 
Intangible assets, net94,546 101,269 
Other assets12,894 16,626 
Total assets$1,505,348 $1,358,991 
Liabilities and Stockholders’ Equity (Deficit)
Current liabilities:
Accounts payable$15,812 $10,255 
Accrued expenses84,489 80,306 
Operating lease liabilities, current portion13,452 12,444 
Deferred revenue, current portion455,503 426,599 
Other current liabilities536 1,663 
Total current liabilities569,792 531,267 
Convertible senior notes, net929,996 815,948 
Operating lease liabilities, non-current portion81,130 85,946 
Deferred revenue, non-current portion32,577 31,040 
Other long-term liabilities10,032 14,864 
Total liabilities$1,623,527 $1,479,065 
Stockholders’ deficit:
Preferred stock, $0.01 par value per share; 10,000,000 shares authorized at December 31, 2023 and 2022; 0 shares issued and outstanding at December 31, 2023 and 2022
$ $ 
Common stock, $0.01 par value per share; 100,000,000 shares authorized at December 31, 2023 and 2022; 62,283,630 and 60,206,277 shares issued at December 31, 2023 and 2022, respectively; 61,714,051 and 59,719,469 shares outstanding at December 31, 2023 and 2022, respectively
617 597 
Treasury stock, at cost, 569,579 and 486,808 shares at December 31, 2023 and December 31, 2022, respectively
(4,765)(4,764)
Additional paid-in-capital894,630 746,249 
Accumulated other comprehensive (loss) income1,344 (1,411)
Accumulated deficit(1,010,005)(860,745)
Total stockholders’ deficit(118,179)(120,074)
Total liabilities and stockholders’ deficit$1,505,348 $1,358,991 
See accompanying notes to consolidated financial statements.
61

RAPID7, INC.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except share and per share data)
 Year Ended December 31,
 202320222021
Revenue:
Products$740,168 $647,535 $500,843 
Professional services37,539 37,548 34,561 
Total revenue777,707 685,083 535,404 
Cost of revenue:
Products202,904 182,212 140,773 
Professional services28,837 32,137 28,175 
Total cost of revenue231,741 214,349 168,948 
Total gross profit545,966 470,734 366,456 
Operating expenses:
Research and development176,776 189,970 160,779 
Sales and marketing312,636 307,409 247,453 
General and administrative84,276 84,969 78,289 
Impairment of long-lived assets30,784   
Restructuring22,227   
Total operating expenses626,699 582,348 486,521 
Loss from operations(80,733)(111,614)(120,065)
Other income (expense), net:
Interest income10,177 1,813 365 
Interest expense(64,700)(10,982)(14,292)
Other income (expense), net(14,522)(1,522)(1,921)
Loss before income taxes(149,778)(122,305)(135,913)
(Benefit from) provision for income taxes(518)2,412 10,421 
Net loss$(149,260)$(124,717)$(146,334)
Net loss per share, basic and diluted$(2.46)$(2.13)$(2.65)
Weighted-average common shares outstanding, basic and diluted60,756,087 58,552,065 55,270,998 
See accompanying notes to consolidated financial statements.
62

RAPID7, INC.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE LOSS
(in thousands)
 Year Ended December 31,
 202320222021
Net loss$(149,260)$(124,717)$(146,334)
Other comprehensive income (loss):
Change in fair value of cash flow hedges797 (3,874)(86)
Adjustment for net losses realized on cash flow hedges and included in net loss, net of taxes724 4,053  
Total change in unrealized gains (losses) on cash flow hedges1,521 179 (86)
Change unrealized gains (losses) on investments1,234 (778)(1,043)
Adjustment for net gains realized and included in net loss  (137)
Total change in unrealized gains (losses) on investments1,234 (778)(1,180)
Total other comprehensive income (loss)2,755 (599)(1,266)
Comprehensive loss$(146,505)$(125,316)$(147,600)
See accompanying notes to consolidated financial statements.
63

RAPID7, INC.CONSOLIDATED STATEMENTS OF CHANGES IN STOCKHOLDERS’ EQUITY (DEFICIT)
(in thousands)
 Common stockTreasury stockAdditional
paid-in-capital
Accumulated
other
comprehensive
income (loss)
Accumulated
deficit
Total
stockholders’
equity (deficit)
 SharesAmountSharesAmount
Balance, December 31, 202052,225 $522 487 $(4,764)$692,603 $454 $(617,279)$71,536 
Stock-based compensation expense— — — — 100,317 — — 100,317 
Issuance of common stock under employee stock purchase plan222 2 — — 9,274 — — 9,276 
Vesting of restricted stock units1,611 16 — — (16)— —  
Shares withheld for employee taxes(157)(2)— — (16,042)— — (16,044)
Issuance of common stock upon exercise of stock options521 6 — — 4,300 — — 4,306 
Purchase of capped calls related to convertible senior notes— — — — (76,020)— — (76,020)
Issuance of common stock in connection with redemption, repurchase and conversion of convertible senior notes2,897 29 — — (3,094)— — (3,065)
Issuance of common stock in connection with inducement of convertible senior notes35 — — — 2,740 — — 2,740 
Issuance of common stock related to acquisition341 4 — — (4)— —  
Cumulative-effect adjustment for the adoption of ASU 2020-06— — — — (99,026)— 27,585 (71,441)
Other comprehensive income— — — — — (1,266)— (1,266)
Net loss— — — — — — (146,334)(146,334)
Balance, December 31, 202157,695 $577 487 $(4,764)$615,032 $(812)$(736,028)$(125,995)
Stock-based compensation expense— — — — 123,441 — — 123,441 
Issuance of common stock under employee stock purchase plan218 2 — — 11,941 — — 11,943 
Vesting of restricted stock units1,482 15 — — (15)— —  
Shares withheld for employee taxes(105)(1)— — (7,461)— — (7,462)
Issuance of common stock upon exercise of stock options480 5 — — 3,313 — — 3,318 
Issuance of common stock in connection with conversion of convertible senior notes— — — — (3)— — (3)
Issuance of common stock related to acquisition33 — — — — — — — 
Repurchase of common stock issued in relation to acquisition(83)(1)1  
Other comprehensive income— — — — — (599)— (599)
Net loss— — — — — — (124,717)(124,717)
Balance, December 31, 202259,720 $597 487 $(4,764)$746,249 $(1,411)$(860,745)$(120,074)
Stock-based compensation expense— — — — 107,254 — — 107,254 
Issuance of common stock under employee stock purchase plan330 3 — — 11,320 — — 11,323 
Vesting of restricted stock units1,454 15 — — (15)— —  
Shares withheld for employee taxes(113)(1)— — (5,569)— — (5,570)
Issuance of common stock upon exercise of stock options216 2 — — 3,051 — — 3,053 
Issuance of common stock related to acquisition107 1 — — (1)— —  
Repurchase of common stock issued in related to acquisition— — 83 (1)1 — —  
Purchase of capped called related to convertible senior notes— — — — (36,570)— — (36,570)
Reclassification of equity to derivative assets related to capped calls— — — — 33,029 — — 33,029 
Repurchase and inducement of convertible senior notes— — — — 35,881 — — 35,881 
Other comprehensive loss— — — — — 2,755 — 2,755 
Net loss— — — — — — (149,260)(149,260)
Balance, December 31, 202361,714 $617 570 $(4,765)$894,630 $1,344 $(1,010,005)$(118,179)
See accompanying notes to consolidated financial statements.
64


RAPID7, INC.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(in thousands)
 Year Ended December 31,
 202320222021
Cash flows from operating activities:
Net loss$(149,260)$(124,717)$(146,334)
Adjustments to reconcile net loss to net cash provided by operating activities:
Depreciation and amortization45,939 41,038 33,501 
Amortization of debt discount and issuance costs4,138 4,085 3,982 
Stock-based compensation expense108,081 119,902 102,579 
Impairment of long-lived assets30,784   
Change in fair value of derivative assets15,511   
Deferred income taxes(5,624)(1,440)466 
Induced conversion expense53,889  2,740 
Other469 (200)1,920 
Changes in assets and liabilities:
Accounts receivable(14,021)(9,050)(25,475)
Deferred contract acquisition and fulfillment costs(18,534)(15,910)(22,526)
Prepaid expenses and other assets(4,125)(2,231)(3,355)
Accounts payable5,449 7,977 (2,077)
Accrued expenses2,422 3,741 19,205 
Deferred revenue30,472 52,516 85,562 
Other liabilities(1,312)2,493 3,729 
Net cash provided by operating activities104,278 78,204 53,917 
Cash flows from investing activities:
Business acquisitions, net of cash acquired(34,841) (358,420)
Purchases of property and equipment(4,366)(20,382)(9,010)
Capitalization of internal-use software(15,878)(17,145)(9,854)
Purchases of investments(276,829)(122,765)(93,092)
Sales and maturities of investments150,450 121,304 147,998 
Other investments2,710 (1,000)(3,000)
Net cash used in investing activities(178,754)(39,988)(325,378)
Cash flows from financing activities:
Proceeds from issuance of convertible senior notes, net of issuance costs of $7,909 and $14,976 for the years ended December 31, 2023 and 2021, respectively
292,091  585,024 
Purchase of capped calls related to convertible senior notes(36,570) (76,020)
Payment of debt issuance costs (71)(300)
Payments for redemption, repurchase and conversion of convertible senior notes(199,998)(12)(230,000)
Payments related to business acquisitions(2,250)(300)(12,118)
Proceeds from capped calls settlement17,518   
Taxes paid related to net share settlement of equity awards(5,570)(7,462)(16,044)
Proceeds from employee stock purchase plan11,323 11,943 9,276 
Proceeds from stock option exercises3,053 3,318 4,315 
Net cash provided by financing activities79,597 7,416 264,133 
Effect of exchange rate changes on cash ,cash equivalents and restricted cash1,202 (2,845)(1,272)
Net increase (decrease) in cash, cash equivalents and restricted cash6,323 42,787 (8,600)
Cash, cash equivalents and restricted cash, beginning of period207,804 165,017 173,617 
Cash, cash equivalents and restricted cash, end of period$214,127 $207,804 $165,017 
Supplemental cash flow information:
Cash paid for interest on convertible senior notes$4,605 $6,675 $7,345 
Cash paid for income taxes, net of refunds$1,624 $1,571 $3,305 
Reconciliation of cash, cash equivalents and restricted cash:
Cash and cash equivalents$213,629 $207,287 $164,582 
Restricted cash included in prepaid expenses and other assets498 517 435 
Total cash, cash equivalents and restricted cash$214,127 $207,804 $165,017 
See accompanying notes to consolidated financial statements.
65

RAPID7, INC.
Notes to Consolidated Financial Statements
(1)    Nature of Business
Rapid7, Inc. and subsidiaries (“we,” “us” or “our”) are advancing security with visibility, analytics, and automation delivered through our platform solutions. Our solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks.
(2)    Summary of Significant Accounting Policies
(a)Basis of Presentation and Consolidation
The accompanying consolidated financial statements have been prepared in accordance with accounting principles generally accepted in the United States of America (“GAAP”). The consolidated financial statements include our results of operations and those of our wholly-owned subsidiaries. All intercompany transactions and balances have been eliminated in consolidation.
(b)Use of Estimates
The preparation of consolidated financial statements in conformity with GAAP requires management to make estimates, judgments and assumptions that affect the amounts reported in the consolidated financial statements and accompanying notes. The management estimates include, but are not limited to the determination of standalone selling prices in revenue transactions with multiple performance obligations, the estimated period of benefit for deferred contract acquisition costs, the useful lives and recoverability of long-lived assets, the valuation for credit losses, the valuation of stock-based compensation, the fair value of assets acquired and liabilities assumed in business combinations, the incremental borrowing rate for operating leases and the valuation for deferred tax assets. We base our estimates on historical experience and on various other assumptions that we believe are reasonable. Actual results could differ from those estimates.
(c)Revenue Recognition
We generate revenue primarily from: (1) product subscriptions from the sale of cloud-based subscriptions, managed services, term software licenses, content subscriptions and maintenance and support associated with our software licenses and (2) professional services from the sale of our deployment and training services related to our solutions, incident response services, penetration testing and security advisory services.
We recognize revenue when a customer obtains control of promised products or services. The amount of revenue recognized reflects the consideration that we expect to be entitled to receive in exchange for these products or services. To achieve the core principle of this standard, we apply the following four steps:
        1) Identify the contract with a customer
We consider the terms and conditions of the contracts and our customary business practices in identifying our contracts. We determine we have a contract with a customer when the contract is approved, we can identify each party’s rights regarding the services to be transferred, we can identify the payment terms for the services, and we have determined the customer has the ability and intent to pay and the contract has commercial substance. We apply judgment in determining the customer’s ability and intent to pay, which is based on a variety of factors, including the customer’s historical payment experience or, in the case of a new customer, credit and financial information pertaining to the customer.
        2) Identify the performance obligations in the contract
Performance obligations promised in a contract are identified based on the products and services that will be transferred to the customer that are both capable of being distinct, whereby the customer can benefit from the product or service either on its own or together with other resources that are readily available from third parties or from us, and are distinct in the context of the contract, whereby the transfer of the products or services is separately identifiable from other promises in the contract.
        3) Determine the transaction price
The transaction price is determined based on the consideration to which we expect to be entitled in exchange for transferring products or services to the customer. Variable consideration is included in the transaction
66

price if, in our judgment, it is probable that no significant future reversal of cumulative revenue under the contract will occur.
In instances where the timing of revenue recognition differs from the timing of invoicing, we have determined our contracts generally do not include a significant financing component. The primary purpose of our invoicing terms is to provide customers with simplified and predictable ways of purchasing our products and services, not to receive financing from our customers or to provide customers with financing. Examples include invoicing at the beginning of a subscription term with revenue recognized ratably over the contract period.
Sales through our channel network of distributors and resellers are generally discounted as compared to the price that we would sell to an end user. Revenue for sales through our channel network is recorded net of any distributor or reseller margin.
If the contract contains a single performance obligation, the entire transaction price is allocated to the single performance obligation. The majority of our contracts with customers contain multiple performance obligations. For these contracts, we account for individual performance obligations separately if they are distinct. The transaction price is allocated to the separate performance obligations on a relative standalone selling price (“SSP”) basis. We determine SSP of our products and services based on our overall pricing objectives using all information reasonably available to us, taking into consideration market conditions and other factors, including the geographic locations of our customers, negotiated discounts from price lists and selling method (i.e., partner or direct). When available, we use directly observable stand-alone transactions to determine SSP. When not regularly sold on a stand-alone basis, we estimate SSP for our products and services utilizing historical sales data, including discounts from list price. The historical data is aggregated and analyzed by geographic location and selling method to establish a median or average price. Once SSP is established it is applied consistently to all transactions including that product or service utilizing a portfolio approach.
        4) Recognize revenue when or as we satisfy a performance obligation
Revenue is recognized at the time the related performance obligation is satisfied by transferring the promised product or service to a customer. Revenue is recognized when control of the products or services is transferred to our customers, in an amount that reflects the consideration that we expect to receive in exchange for those products or services.
Product Subscriptions
Product subscriptions consists of revenue from our cloud-based subscription, term software licenses, managed services offerings, content subscriptions and maintenance and support associated with our software licenses.
We generate cloud-based subscription revenue primarily from sales of subscriptions to access our cloud platform, together with related support services to our customers. These arrangements do not provide the customer with the right to take possession of our software operating on our cloud platform at any time. Instead, customers are granted continuous access to our cloud platform over the contractual period. Revenue is recognized over time on a ratable basis over the contract term beginning on the date that our service is made available to the customer. Our cloud-based subscription contracts generally have annual or multi-year contractual terms which are billed in advance of the annual subscription period and are non-cancellable.
Managed services offerings consist of fees generated when we operate our software and provide our capabilities on behalf of our customers. Revenue is recognized on a ratable basis over the contract term beginning on the date that our service is made available to the customer. Our managed services offerings generally have annual or multi-year contractual terms which are billed in advance of the annual subscription period and are non-cancellable.
For our term software licenses where the utility to the customer is dependent on the continued delivery of content subscriptions, we recognize the license revenue over the contractual term of the content subscription. For our term software licenses which are not dependent on the continued delivery of content subscriptions, the license is considered distinct from the maintenance and support, and we therefore recognize revenue attributable to the license at the time of delivery.
Content subscriptions and our maintenance and support services are sold with our term software licenses. Revenue related to our content subscriptions associated with our software licenses is recognized ratably over the contractual period. Maintenance and support services are distinct from
67

the perpetual and term software license and revenue attributable to maintenance and support services is recognized ratably over the contractual period.
Professional Services
All of our professional services are considered distinct performance obligations when sold stand alone or with other products. These contracts generally have terms of one year or less. For the majority of these arrangements, revenue is recognized over time based upon the proportion of work performed to date.
Contract Balances
Contract liabilities consist of deferred revenue and include payments received in advance of performance under the contract. Such amounts are recognized as revenue over the contractual period consistent with the above methodology. For the year ended December 31, 2023, we recognized revenue of $406.2 million that was included in the corresponding contract liability balance at the beginning of the period presented. Deferred revenue that will be realized during the succeeding 12-month period is recorded as current, and the remaining deferred revenue is recorded as non-current.
We receive payments from customers based upon contractual billing schedules. Accounts receivable are recorded when the right to consideration becomes unconditional. Unbilled receivables include amounts related to our contractual right to consideration for both completed and partially completed performance obligations that have not been invoiced. If the right to consideration is based on satisfaction of another performance obligation in the contract other than the passage of time, we would record a contract asset. As of December 31, 2023 and 2022, unbilled receivables of $2.0 million and $1.1 million are included in prepaid expenses and other current assets in our consolidated balance sheet. As of December 31, 2023 and 2022, we have no contract assets recorded on our consolidated balance sheet.
(d)Cash and Cash Equivalents
We consider all highly liquid instruments with original maturities of three months or less at the date of purchase to be cash equivalents. Cash and cash equivalents are recorded at cost, which approximates fair value.
(e)Investments
Our investments consist of commercial paper, corporate bonds, U.S. Government agencies and agency bonds. We classify our investments as available-for-sale and record these investments at fair value. When the fair value of an investment declines below its amortized cost basis, any portion of that decline attributable to credit losses, to the extent expected to be nonrecoverable before the sale of the security, is recognized in our consolidated statements of operations. When the fair value of the investment declines below its amortized cost basis due to changes in interest rates, such amounts are recorded in accumulated other comprehensive income (loss), and are recognized in our consolidated statement of operations only if we sell or intend to sell the security before recovery of its cost basis. Realized gains and losses are determined based on the specific identification method, and are reflected in our consolidated statements of operations.
Investments with an original maturity of greater than three months at the date of purchase and less than one year from the date of the balance sheet are classified as short-term and those with maturities of more than one year from the date of the balance sheet are classified as long-term in the consolidated balance sheet. We do not invest in any securities with contractual maturities greater than 24 months.
(f)Accounts Receivable and Allowance for Credit Losses
Accounts receivable are recorded at the invoiced amount, net of allowances for credit losses for any potential uncollectible amounts. We maintain an allowance for estimated credit losses resulting from the inability of our customers to make required payments. Management regularly reviews the adequacy of the allowance for credit loss based upon historical collection experience, the age of the receivable, an evaluation of each customer's expected ability to pay and current and future economic and market conditions. Additions to the allowance for credit losses are recorded in general and administrative expense in the consolidated statement of operations. Accounts receivable deemed uncollectible are charged against the allowance for credit losses. We do not have any off-balance sheet credit exposure related to our customers.

68

(g)Concentration of Credit Risk
Financial instruments that potentially expose us to concentrations of credit risk consist primarily of cash and cash equivalents, accounts receivable, investments and derivative financial instruments.
We invest only in high-quality credit instruments and our cash and cash equivalents and available for sale investments consist primarily of fixed income securities. Management believes that the financial institutions that hold our investments are financially sound and, accordingly, are subject to minimal credit risk. Deposits held with banks may exceed the amount of insurance provided on such deposits.
We provide credit to customers in the normal course of business. Collateral is not required for accounts receivable, but ongoing credit evaluations of customers’ financial condition are performed. We maintain reserves for potential credit losses. No single customer, including channel partners, accounted for 10% or more of our total revenues in 2023, 2022 or 2021 or accounts receivable as of December 31, 2023 or 2022.
Our derivative financial instruments expose us to credit risk to the extent that the counterparties may be unable to meet the terms of the arrangement. We mitigate this credit risk by transacting with major financial institutions with high credit ratings.
(h)Deferred Contract Acquisition Costs    
We defer contract costs that are recoverable and incremental to obtaining customer contracts. Contract costs, which primarily consist of sales commissions, are amortized on a systematic basis that is consistent with the transfer to the customer of the goods or services to which the asset relates. Contract costs for a new customer, upsell or cross-sell are amortized on a straight-line basis over an estimated period of benefit of five years as sales commissions on initial sales are not commensurate with sales commissions on contract renewals. We determined the estimated period of benefit by taking into consideration the contractual term and expected renewals of customer contracts, our technology and other factors, including the fact that sales commissions paid on renewals are not commensurate with commissions paid on initial sales transactions. Contract costs relating to contract renewals are deferred and amortized on a straight-line basis over the weighted average contract length of renewal contracts. Contract costs for professional services arrangements are expensed as incurred in accordance with the practical expedient as the contractual period of our professional services arrangements is one year or less.
We classify deferred contract costs as short-term or long-term based on when we expect to recognize the expense. Amortization expense associated with deferred contract acquisition costs is recorded to sales and marketing expense in our consolidated statements of operations. We periodically review the carrying amount of deferred contract acquisition costs to determine whether events or changes in circumstances have occurred that could impact the period of benefit.
(i)Property and Equipment
Property and equipment are recorded at cost and depreciated over their estimated useful lives using the straight-line method. The following table presents the useful lives of our property and equipment:
 Useful Lives
Computer equipment and software3 years
Furniture and fixtures
3 - 5 years
Leasehold improvementsShorter of the useful life of the asset or the lease term
Repairs and maintenance costs are expensed as incurred.
(j)Software Development Costs
Software development costs associated with the development of products for sale are recorded to research and development expense until technological feasibility has been established for the product. Once technological feasibility is established, all software costs are capitalized until the product is available for release to customers. To date, the software development costs have not been capitalized as the cost incurred and time between technological feasibility and product release was insignificant. As such, these costs are expensed as incurred and recognized in research and development expenses in our consolidated statements of operations.
Costs related to software developed, acquired or modified for internal use are capitalized. Costs incurred during the preliminary planning and evaluation stage of the project and during the post implementation stages
69

of the project are expensed as incurred. Costs incurred during the application development stage of the project are capitalized. These capitalized costs consist of internal compensation related costs and external direct costs. Costs related to software developed for internal use are amortized over an estimated useful life of 3 years. We capitalized $15.9 million, $17.1 million and $9.9 million of costs related to software developed for internal use in the years ended December 31, 2023, 2022 and 2021, respectively. Management evaluates the useful lives of these assets on an annual basis and tests for impairment whenever events or changes in circumstances occur that could impact the recoverability of these assets.
(k) Leases
We determine whether an arrangement is or contains a lease at inception. We evaluate the classification of a lease at inception and, as necessary, at modification. Operating leases are recognized on the consolidated balance sheet as right-of-use (“ROU”) assets, lease liabilities and, if applicable, long-term lease liabilities.
Operating lease ROU assets represent our right to use an underlying asset for the lease term. Operating lease liabilities represent our obligation to make payments arising from the lease. Operating lease ROU assets and liabilities are recognized at the present value of future lease payments at the lease commencement date. The implicit rate within our operating leases is generally not determinable and therefore we use the incremental borrowing rate at the lease commencement date to determine the present value of lease payments. We determine our incremental borrowing rate for each lease using our estimated borrowing rate, adjusted for various factors including level of collateralization, term and currency to align with the terms of the lease. The operating lease ROU asset also includes any lease prepayments and initial direct costs, offset by lease incentives. Operating lease cost is recognized on a straight-line basis over the lease term.
Certain of our leases include options to extend or terminate the lease. An option to extend the lease is considered in connection with determining the ROU asset and lease liability when it is reasonably certain we will exercise that option. An option to terminate is considered unless it is reasonably certain we will not exercise the option.
We account for lease and non-lease components as a single lease component and do not recognize operating lease ROU assets and lease liabilities for leases with a term of one year or less.
(l)Impairment of Long-Lived Assets
We evaluate our long-lived assets for impairment whenever events or changes in circumstances indicate that the carrying value of these assets may not be recoverable. When such events or changes in circumstances occur, recoverability of these assets or asset groups is measured by a comparison of the carrying value of the assets to the future net undiscounted cash flows directly associated with the assets. If such assets or asset groups are considered to be impaired, the impairment recognized is the amount by which the carrying value exceeds the fair value of the assets or asset groups. For the year ended December 31, 2023, we determined that triggering events occurred which indicated that the carrying value of our ROU and other lease-related assets related to a change in usage of certain idle office space at our corporate headquarters in Boston, Massachusetts as well as idle office spaces located in Plano, Texas, Los Angeles, California, and Toronto, Canada may not be fully recoverable. As a result, we utilized discounted cash flow models to estimate the fair value of the asset groups taking into consideration the time period it will take to obtain sublessees, the applicable discount rate and the anticipated sublease income and calculated the corresponding impairment loss. We used prices and other relevant information generated by recent market transactions involving similar or comparable assets, as well as our historical experience in real estate transactions. In the year ended December 31, 2023, we recorded impairment losses of $30.8 million related to these idle office spaces, consisting of $22.2 million related to ROU assets and $8.6 million related to leasehold improvements associated with these leased office spaces.
(m)Restructuring Expense
We record restructuring expense when management commits to and approves a restructuring plan, the restructuring plan identifies all significant actions, the period of time to complete the restructuring plan indicates that significant changes to the restructuring plan are not likely to occur, and employees who are impacted have been notified of the pending involuntary termination. A restructuring plan generally includes significant actions involving employee-related severance charges, employee-related benefits, and other charges associated with the restructuring (collectively, “restructuring expense”). Restructuring expense is recorded within restructuring in the condensed consolidated statement of operations. The restructuring
70

liability accrued but not paid at the end of the reporting period is included within accrued expenses in the condensed consolidated balance sheet.
(n)Business Combinations
We allocate the fair value of purchase consideration to the tangible asset acquired, liabilities assumed, and intangible assets acquired based on their estimated fair values. The excess of the fair value of purchase consideration over the fair value these identifiable assets and liabilities is recorded as goodwill. Determining the fair value of the tangible assets acquired, liabilities assumed and intangible assets requires management to make significant estimates and assumptions, especially with respect to intangible assets. Significant estimates in valuing certain intangible assets include, but are not limited to, cash flows that an asset is expected to generate in the future, technology migration curves, discount rates, and useful lives. While we use our best estimates and judgements, our estimates are inherently uncertain and subject to refinement.
During the measurement period, which may be up to one year from the acquisition date, we may record adjustments to the fair value of these assets acquired and liabilities assumed with the corresponding offset to goodwill. Upon the conclusion of the final determination of the fair value of assets acquired or liabilities assumed any subsequent adjustments are recorded to the consolidated statements of operations. Acquisition-related transaction costs are expensed as incurred.
(o)Goodwill
We perform an annual goodwill impairment test on the last day of each fiscal year and whenever events or changes in circumstances indicate that the carrying amount of this asset may exceed its fair value. For our goodwill impairment analysis, we operate with a single reporting unit. To test goodwill impairment, we perform a single-step goodwill impairment test to identify potential goodwill impairment. The single-step impairment test begins with an estimation of the fair value of a reporting unit. Goodwill impairment exists when the net assets of a reporting unit exceed its fair value. In performing the single step of the goodwill impairment testing and measurement process, we estimated the fair value of our single reporting unit using our market capitalization. Based upon our assessment performed as of December 31, 2023, we concluded the fair value of our single reporting unit exceeded its' carrying value and there was no impairment of goodwill.
(p)Foreign Currency
The functional currency of our foreign subsidiaries is the U.S. dollar. We translate all monetary assets and liabilities denominated in foreign currencies into U.S. dollars using the exchange rates in effect at the balance sheet dates and non-monetary assets and liabilities using historical exchange rates. Foreign currency denominated expenses are re-measured using the average exchange rates for the period. Foreign currency transaction and re-measurement gains and losses are included in other income (expense), net in the condensed consolidated statement of operations. In 2023, foreign currency transaction losses and foreign currency re-measurement losses were $1.4 million and $0.4 million, respectively. In 2022, foreign currency transaction gains were $1.4 million and foreign currency re-measurement gains (losses) were not material.
(q)Derivative and Hedging Activities
We are exposed to currency exchange rate risk. Although the majority of our revenue is denominated in U.S. dollars, a portion of our operating expenses are denominated in foreign currencies, making them subject to fluctuations in foreign currency exchange rates. We enter into foreign currency derivative contracts, which we designate as cash flow hedges, to manage the foreign currency exchange risk associated with these expenses.
Our derivative financial instruments are recorded at fair value and reported as either an asset or liability on our consolidated balance sheets. Gains or losses related to our cash flow hedges are recorded as a component of accumulated other comprehensive income (loss) in our consolidated balance sheets and are reclassified into the financial statement line item associated with the underlying hedged transaction in our consolidated statement of operations when the underlying hedged transaction is recognized in our earnings. If it becomes probable that the hedged transaction will not occur, the cumulative unrealized gain or loss is reclassified immediately from accumulated other comprehensive income (loss) into the financial statement line item associated with the underlying hedged transaction in our consolidated statement of operations. Derivatives designated as cash flow hedges are classified in our consolidated statements of cash flow in the same manner as the underlying hedged transaction, primarily within cash flow from operating activities.
71

As of December 31, 2023 and 2022, our cash flow hedges have contractual maturities of eighteen months or less, and as of December 31, 2023 and 2022, outstanding forward contracts had a total notional value of $49.5 million and $44.9 million, respectively. The notional value represents the gross amount of foreign currency that will be bought or sold upon maturity of the forward contract. During the years ended December 31, 2023 and 2022, all cash flow hedges were considered effective. Refer to Note 6, Fair Value Measurements, for the fair values of our outstanding derivative instruments.
(r)Stock-Based Compensation
Stock-based compensation expense related to our stock options, restricted stock units (“RSUs”), performance-based restricted stock units (“PSUs”) and purchase rights issued under our 2015 Employee Stock Purchase Plan (“ESPP”) is calculated based on the estimated fair value of the award on the grant date.
The fair values of RSUs and PSUs are based on the value of our common stock on the date of grant. The fair values of stock options and ESPP purchase rights are estimated on the grant date using the Black-Scholes option pricing model which requires management to make a number of assumptions, including the expected life of the option, the volatility of the underlying stock, the risk-free interest rate and expected dividends. The assumptions used in our Black-Scholes option-pricing model represent management’s best estimates at the time of grant. These estimates involve a number of variables, uncertainties and assumptions and the application of management’s judgment, as they are inherently subjective. If any assumptions change, our stock-based compensation expense could be materially different in the future.
The fair value is recognized as expense on a straight-line basis over the requisite service period, which is generally the vesting period of the respective award. The actual number of PSUs earned and eligible to vest are determined based on the performance conditions defined when the awards are granted. We recognize share-based compensation expense for the PSUs on a straight-line basis over the requisite service period for each separately vesting portion of the award when it is probable that the performance conditions will be achieved. We reassess the probability of vesting at each reporting period for awards with performance conditions and adjust stock-based compensation cost based on its probability assessment. We recognize forfeitures as they occur and do not estimate a forfeiture rate when calculating the stock-based compensation expense.
(s)Advertising
Advertising costs are expensed as incurred, and are recorded in sales and marketing expense in our consolidated statement of operations. We incurred $22.4 million, $22.7 million, and $21.3 million in advertising expense in 2023, 2022, and 2021, respectively.
(t)Income Taxes
Income taxes are accounted for using the asset and liability method. Under this method, deferred tax assets and liabilities are recognized for differences between the consolidated financial statements carrying amounts of assets and liabilities and their respective income tax bases, and operating loss and tax credit carryforwards using enacted tax rates expected to apply to taxable income in the years in which the differences are expected to reverse. Deferred tax assets are reduced by a valuation allowance if it is more likely than not that some or all of the deferred tax assets will not be realized. Significant judgment is required in determining any valuation allowance recorded against deferred tax assets. In assessing the need for a valuation allowance, we consider all available evidence, including past operating results, estimates of future taxable income, and the feasibility of tax planning strategies. In the event that we change our determination as to the amount of deferred tax assets that can be realized, we will adjust our valuation allowance with a corresponding impact to the provision for income taxes in the period in which such determination is made.
We recognize tax provision from uncertain tax positions if it is more likely than not that the tax position will be sustained on examination by the taxing authorities based on the technical merits of the position. Interest and penalties associated with such uncertain tax positions are classified as a component of income tax expense.
(u)Net Income (Loss) per Share
We calculate basic net loss per share by dividing our net loss by the weighted-average number of common shares outstanding during the period. Diluted net income (loss) per share is computed by giving effect to all potentially dilutive securities, including stock options, RSUs, PSUs, the impact of our ESPP, common shares
72

issued in connection with acquisitions and the impact of our convertible senior notes (“Notes”). We intend to settle any conversion of our Notes in cash, shares, or a combination thereof. The dilutive impact of the Notes for our calculation of diluted net income (loss) per share is considered using the if-converted method. For the years ended December 31, 2023, 2022 and 2021, the shares underlying the Notes were not considered in the calculation of diluted net loss per share as the effect would have been anti-dilutive.
(v)Recent Accounting Pronouncements
Accounting Pronouncements Not Yet Effective
In December 2023, the FASB issued ASU 2023-09, Improvements to Income Tax Disclosures (“ASU 2023-09”). This new guidance is designed to enhance the transparency and decision usefulness of income tax disclosures. The amendments of this update are related to the rate reconciliation and income taxes paid, requiring (1) consistent categories and greater disaggregation of information in the rate reconciliation and (2) income taxes paid disaggregated by jurisdiction. ASU 2023-09 is effective for fiscal years beginning after December 15, 2024. Early adoption is permitted. We do not plan to early adopt this standard. We are currently evaluating the effect of adopting this standard on our disclosures.
In November 2023, the Financial Accounting Standards Board (“FASB”) issued Accounting Standards Update (“ASU”) 2023-07, Segment Reporting (Topic 280), Improvements to Reportable Segment Disclosures (“ASU 2023-07”), to improve reportable segment disclosure requirements through enhanced disclosures about significant segment expenses on an interim and annual basis. All disclosure requirements of ASU 2023-07 are required for entities with a single reportable segment. ASU 2023-07 is effective for fiscal years beginning after December 15, 2023, and interim periods for the fiscal years beginning after December 15, 2024, and should be applied on a retrospective basis to all periods presented. Early adoption is permitted. We do not plan to early adopt this standard. We are currently evaluating the effect of adopting this standard on our disclosures.
(3)    Revenue from Contracts with Customers
The following table summarizes revenue from contracts with customers for the years ended December 31, 2023, 2022, and 2021:
Year Ended December 31,
202320222021
(in thousands)
Product subscriptions$738,819 $643,247 $492,608 
Professional services37,539 37,548 34,561 
Other1,349 4,288 8,235 
Total revenue$777,707 $685,083 $535,404 
The following table summarizes the revenue by region based on the shipping address of customers who have contracted to use our product or service for the years ended December 31, 2023, 2022 and 2021:
Year Ended December 31,
202320222021
(in thousands)
United States$579,025 $515,894 $414,856 
All other198,682 169,189 120,548 
Total revenue$777,707 $685,083 $535,404 
Transaction Price Allocated to the Remaining Performance Obligations
The following table includes estimated revenue expected to be recognized in the future related to performance obligations that are unsatisfied or partially unsatisfied as of December 31, 2023. The estimated revenues do not include unexercised contract renewals.
73

Next Twelve MonthsThereafter
 (in thousands)
Product subscriptions$553,807 $285,791 
Professional services17,545 8,066 
Other127 33 
Total$571,479 $293,890 
(4)    Business Combinations
Minerva Labs Ltd.
On March 14, 2023, we acquired Minerva Labs Ltd. (“Minerva”), a leading provider of anti-evasion and ransomware prevention technology, for a purchase price with an aggregate fair value of $34.6 million. The purchase consideration consisted of $35.0 million paid in cash at closing and a $0.4 million receivable for purchase price adjustments. Additionally, we issued an aggregate of 73,846 shares of our common stock to the founders of Minerva with a fair value of $3.6 million. The 73,846 shares of common stock will be accounted for as stock-based compensation expense over a 24-month period as continued service is required for the founders to receive their full amount of common stock. For the year ended December 31, 2023, we recognized stock-based compensation expense related to such shares in the amount of $1.4 million.
The following table summarizes the allocation of purchase price to the estimated fair value of the assets acquired and liabilities assumed at the acquisition date (in thousands):
Consideration:
Cash$34,977 
Estimated purchase price adjustment receivable(365)
Fair value of total consideration transferred$34,612 
Recognized amount of identifiable assets acquired and liabilities assumed:
Cash and cash equivalents$136 
Other current assets1,792 
Other assets43 
Accounts payable and other current liabilities (438)
Other long-term liabilities(441)
Intangible asset12,800 
Total identifiable net assets assumed$13,892 
Goodwill20,720 
Net purchase price$34,612 
These preliminary amounts are subject to subsequent adjustment as we obtain additional information to finalize certain components of working capital and deferred income taxes.
We identified developed technology as the sole acquired intangible asset. The estimated fair value of the developed technology intangible asset was $12.8 million which was based on a valuation using the income approach. The estimated useful life of the developed technology is 8 years.
The excess of the purchase price over the tangible assets acquired, the identifiable intangible asset acquired and assumed liabilities was recorded as goodwill. We believe that the amount of goodwill reflects the expected synergistic benefits of being able to leverage the integration of the technology acquired with our existing product offerings and being able to successfully market and sell these new features to our customer base. The goodwill was allocated to our one reporting unit. The acquired goodwill and intangible asset were not deductible for tax purposes.
For the year ended December 31, 2023, we recorded $0.4 million of acquisition-related transaction costs related to the acquisition of Minerva to general and administrative expense.
Our revenue and net loss attributable to the Minerva business for the year ended December 31, 2023 was not material.
74

Pro forma results of operations have not been included, as the acquisition of Minerva was not material to our results of operations for any periods presented.
IntSights Cyber Intelligence Ltd.
On July 16, 2021, we acquired IntSights Cyber Intelligence Ltd. (“IntSights”), a provider of contextualized external threat intelligence and proactive threat remediation, for a purchase price with an aggregate fair value of $322.3 million. The purchase consideration consisted of $319.2 million in cash paid at closing, $3.4 million in deferred cash payments and a $0.3 million receivable for purchase price adjustments. The deferred cash payments were held by us to satisfy indemnification obligations and certain post-closing purchase price adjustments for a period of eighteen months from the acquisition date and were paid in January 2023.
The assets acquired and liabilities assumed were recorded at their estimated fair values as of the acquisition date. The excess of the purchase price over the assets acquired and liabilities assumed was recorded as goodwill. The fair value of net assets acquired, goodwill and intangible assets were $61.1 million, $260.9 million and $65.2 million, respectively. The goodwill was allocated to our one reporting unit. The acquired goodwill and intangible assets were not deductible for tax purposes.
Velocidex Enterprises Pty Ltd
On April 12, 2021, we acquired Velocidex Enterprises Pty Ltd (“Velocidex”), a leading open-source technology and community used for endpoint monitoring, digital forensics, and incident response. The purchase price consisted of $2.7 million paid in cash and $0.3 million in deferred cash payments paid in April 2022. The purchase price was allocated to developed technology intangible asset which has an estimated useful life of 6 years.
Alcide.IO Ltd.
On January 28, 2021, we acquired Alcide.IO Ltd. (“Alcide”), a leading provider of Kubernetes security, for a purchase price of $50.5 million, which was funded in cash.
The assets acquired and liabilities assumed were recorded at their estimated fair values as of the acquisition date. The excess of the purchase price over the assets acquired and liabilities assumed was recorded as goodwill. The fair value of net assets acquired, goodwill and intangible assets were $(0.7) million, $40.8 million and $10.4 million, respectively. The goodwill was allocated to our one reporting unit. The acquired goodwill and intangible assets were not deductible for tax purposes.
(5)    Investments
Our investments, which are all classified as available-for-sale, consisted of the following:
 As of December 31, 2023
 Amortized
Cost
Gross
Unrealized
Gains
Gross
Unrealized
Losses
Fair Value
 (in thousands)
Description:
U.S government agencies$222,820 $467 $(65)$223,222 
Agency bonds2,500  (7)2,493 
Total$225,320 $467 $(72)$225,715 
 As of December 31, 2022
 Amortized
Cost
Gross
Unrealized
Gains
Gross
Unrealized
Losses
Fair Value
 (in thousands)
Description:
U.S government agencies$66,234 $4 $(545)$65,693 
Corporate bonds14,351  (230)14,121 
Commercial paper7,944   7,944 
Agency bonds6,231  (71)6,160 
Total$94,760 $4 $(846)$93,918 
75

As of December 31, 2023, our available-for-sale investments had maturities ranging from 1 to 18 months. As of December 31, 2022, our available-for-sale investments had maturities ranging from 2 to 19 months.
For all of our investments for which the amortized cost basis was greater than the fair value at December 31, 2023 and December 31, 2022, we have concluded that there is no plan to sell the security nor is it more likely than not that we would be required to sell the security before its anticipated maturity. In making the determination as to whether the unrealized loss is other-than-temporary, we considered the length of time and extent the investment has been in an unrealized loss position, the financial condition and near-term prospects of the issuers, the issuers’ credit rating and the time to maturity.
(6)    Fair Value Measurements
We measure certain financial assets and liabilities at fair value. Fair value is determined based upon the exit price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants, as determined by either the principal market or the most advantageous market. Inputs used in the valuation techniques to derive fair values are classified based on a three-level hierarchy, as follows:
Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets.
Level 2: Observable inputs other than Level 1 prices such as quoted prices for similar assets or liabilities; quoted prices in markets with insufficient volume or infrequent transactions (less active markets); or model-derived valuations in which all significant inputs are observable or can be derived principally from or corroborated by observable market data for substantially the full term of the assets or liabilities.
Level 3: Unobservable inputs that are supported by little or no market activity and that are significant to the fair value of the asset or liability.
We consider an active market to be one in which transactions for the asset or liability occur with sufficient frequency and volume to provide pricing information on an ongoing basis, and consider an inactive market to be one in which there are infrequent or few transactions for the asset or liability, the prices are not current, or price quotations vary substantially either over time or among market makers.
76

The following table presents our financial assets measured and recorded at fair value on a recurring basis using the above input categories:
 As of December 31, 2023
 Level 1Level 2Level 3Total
 (in thousands)
Description:
Assets:
Money market funds$124,506 $ $ $124,506 
U.S. government agencies223,222   223,222 
Agency bonds 2,493  2,493 
Foreign currency forward contracts designated as cash flow hedges (prepaid expenses and other current assets and other assets) 1,322  1,322 
Total assets$347,728 $3,815 $ $351,543 
Liabilities:
Foreign currency forward contracts designated as cash flow hedges (other current liabilities) 55  55 
Total liabilities$ $55 $ $55 
 As of December 31, 2022
 Level 1Level 2Level 3Total
 (in thousands)
Description:
Assets:
Money market funds$88,039 $ $ $88,039 
U.S. government agencies65,693   65,693 
Corporate bonds 14,121  14,121 
Commercial paper 7,944  7,944 
Agency bonds 6,160  6,160 
Foreign currency forward contracts designated as cash flow hedges (prepaid expenses and other current assets and other assets) 988  988 
Total assets$153,732 $29,213 $ $182,945 
Liabilities:
Foreign currency forward contracts designated as cash flow hedges (other current liabilities) 1,559  1,559 
Total liabilities$ $1,559 $ $1,559 
As of December 31, 2023, the fair value of our 2.25%, 0.25% and 1.25% convertible senior notes due 2025, 2027 and 2029, as further described in Note 11, Debt, was $50.5 million, $538.9 million and $333.4 million, respectively, based upon quoted market prices. We consider the fair value of the Notes to be a Level 2 measurement due to limited trading activity of the Notes.
77

(7)    Property and Equipment
Property and equipment are recorded at cost and consist of the following:
 December 31,December 31,
 20232022
 (in thousands)
Computer equipment and software$26,442 $24,568 
Furniture and fixtures 10,850 11,823 
Leasehold improvements (1)
56,151 66,180 
Total93,443 102,571 
Less accumulated depreciation(53,801)(44,680)
Property and equipment, net$39,642 $57,891 
(1) As of December 31, 2023, leasehold improvements with a net book value of $8.6 million were recorded as an impairment of long-lived assets related to certain idle office space at our corporate headquarters in Boston, Massachusetts and idle office space in Los Angeles, California, and Toronto, Canada. Refer to Note 12, Leases, for further details on the impairment of long-lived assets.
We recorded depreciation expense of $14.0 million, $13.6 million and $12.3 million in 2023, 2022 and 2021, respectively.
(8)    Goodwill and Intangibles
Goodwill was $536.4 million and $515.6 million as of December 31, 2023 and December 31, 2022, respectively. There were no goodwill impairment charges in 2023, 2022 or 2021. The following table displays the changes in the gross carrying amount of goodwill:
 Amount
 (in thousands)
Balance at December 31, 2021$515,258 
IntSights acquisition adjustments373 
Balance at December 31, 2022$515,631 
Minerva acquisition20,720 
Balance at December 31, 2023$536,351 
The following table presents details of our intangible assets which include acquired identifiable intangible assets and capitalized internal-use software costs:
 Weighted-
Average Estimated Useful Life (years)
As of December 31, 2023As of December 31, 2022
 Gross Carrying
Amount
Accumulated
Amortization
Net Book ValueGross Carrying
Amount
Accumulated
Amortization
Net Book Value
  (in thousands)
Intangible assets subject to amortization:
Developed technology5.4$135,355 $(77,031)$58,324 $122,555 $(58,645)$63,910 
Customer relationships4.512,000 (7,755)4,245 12,000 (5,146)6,854 
Trade names3.12,619 (2,379)240 2,619 (1,874)745 
Total acquired intangible assets$149,974 $(87,164)$62,810 $137,174 $(65,665)$71,509 
Internal-use software3.055,371 (23,635)31,736 43,002 (13,242)29,760 
Total intangible assets$205,345 $(110,799)$94,546 $180,176 $(78,907)$101,269 
Intangible assets are expensed on a straight-line basis over the useful life of the asset. Amortization expense was $31.9 million, $27.5 million and $21.2 million in 2023, 2022 and 2021, respectively.
78

Estimated future amortization expense of the acquired identifiable intangible assets and completed capitalized internal-use software costs as of December 31, 2023 was as follows (in thousands):
2024$30,880 
202526,795 
202617,220 
20276,806 
20281,600 
2029 and thereafter3,531 
Total$86,832 
The table above excludes the impact of $7.7 million of capitalized internal-use software costs for projects that have not been completed as of December 31, 2023, and therefore, we have not determined the useful life of the software, nor have all the costs associated with these projects been incurred. For the year ended December 31, 2023, we recorded a $3.5 million impairment of capitalized internal-use software costs to research and development expense in our consolidated statement of operations for projects that have been discontinued and will not be placed into service.
(9)    Deferred Contract Acquisitions and Fulfillment Costs
The following table summarizes the activity of the deferred contract acquisition and fulfillment costs for the years ended December 31, 2023 and 2022:
Year Ended December 31,
20232022
(in thousands)
Beginning balance$103,075 $87,165 
Capitalization of contract acquisition and fulfillment costs60,528 51,054 
Amortization of deferred contract acquisition and fulfillment costs(41,994)(35,144)
Ending balance$121,609 $103,075 

(10)    Derivative and Hedging Activities
To mitigate our exposure to foreign currency fluctuations resulting from certain expenses denominated in certain foreign currencies, we enter into forward contracts that are designated as cash flow hedging instruments. These forward contracts have contractual maturities of eighteen months or less, and as of December 31, 2023 and December 31, 2022, outstanding forward contracts had a total notional value of $49.5 million and $44.9 million, respectively. The notional value represents the gross amount of foreign currency that will be bought or sold upon maturity of the forward contract. During the years ended December 31, 2023 and 2022, all cash flow hedges were considered effective. Refer to Note 6, Fair Value Measurements, for the fair values of our outstanding derivative instruments.
(11)    Debt
Convertible Senior Notes
In May 2020, we issued $230.0 million aggregate principal amount of convertible senior notes due May 1, 2025 (the “2025 Notes”) and in March 2021, we issued $600.0 million aggregate principal amount of convertible senior notes due March 15, 2027 (the “2027 Notes”) and in September 2023, we issued $300.0 million aggregate principal amount of convertible senior notes due March 15, 2029 (the “2029 Notes”) (collectively, the “Notes”). Further details of the Notes are as follows:
IssuanceMaturity DateInterest RateFirst Interest Payment DateEffective Interest RateSemi-Annual Interest Payment DatesInitial Conversion Rate per $1,000 PrincipalInitial Conversion PriceNumber of Shares (in millions)
2025 NotesMay 1, 20252.25%November 1, 20202.88%May 1 and November 116.3875$61.02 0.8
2027 NotesMarch 15, 20270.25%September 15, 20210.67%March 15 and September 159.6734$103.38 5.8
2029 NotesMarch 15, 20291.25%March 15, 20241.69%March 15 and September 1515.4213$64.85 4.6
79

The 2025 Notes, the 2027 Notes and the 2029 Notes are senior unsecured obligations, do not contain any financial covenants and are governed by indentures between the Company, as issuer, and U.S. Trust Company, Bank National Association, as trustee (the “Indentures”). The total net proceeds from the 2025 Notes, the 2027 Notes and the 2029 Notes offerings, after deducting initial purchase discounts and debt issuance costs, were $222.8 million, $585.0 million and $292.0 million, respectively.
Terms of the Notes
The holders of the Notes may convert their respective Notes at their option at any time prior to the close of business on the business day immediately preceding their respective convertible dates only under the following circumstances:
during any calendar quarter commencing after the calendar quarter ending on September 30, 2020 for the 2025 Notes, March 20, 2024 for the 2027 Notes and September 21, 2026 for the 2029 Notes (and only during such calendar quarter), if the last reported sale price of our common stock for at least 20 trading days (whether or not consecutive) during a period of 30 consecutive trading days ending on, and including, the last trading day of the immediately preceding calendar quarter is greater than or equal to 130% of the conversion price of the respective Notes on each applicable trading day;
during the five business day period after any five consecutive trading day period for the 2025 Notes and any ten consecutive trading day period for the 2027 Notes and the 2029 Notes (the “measurement periods”) in which the trading price (as defined in the Indentures) per $1,000 principal amount of the applicable series of Notes for each trading day of the measurement period was less than 98% of the product of the last reported sale price of our common stock and the conversion rate of the respective Notes on each such trading day;
if we call any or all of the respective Notes for redemption, at any time prior to the close of business on the scheduled trading day immediately preceding the respective redemption date; or
upon the occurrence of specified corporate events (as set forth in the Indentures).
As of December 31, 2023, the 2025 Notes, the 2027 Notes and the 2029 Notes were not convertible at the option of the holders.
The holders may convert the 2025 Notes, the 2027 Notes and the 2029 Notes at any time on or after November 1, 2024, December 15, 2026 and December 15, 2028, respectively, until the close of business on the second scheduled trading day immediately preceding the maturity date, regardless of the circumstances set forth above. Upon conversion, we will pay or deliver, as the case may be, cash, shares of our common stock or a combination of cash and shares of our common stock, at our election, in the manner and subject to the terms and conditions provided in the Indentures.
If we undergo a fundamental change (as set forth in the Indentures) at any time prior to the maturity date, holders of the Notes will have the right, at their option, to require us to repurchase for cash all or any portion of their Notes at a repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest to, but excluding, the fundamental change repurchase date. In addition, following certain corporate events that occur prior to the maturity date or following our issuance of a notice of redemption, in each case as described in the Indentures, we will increase the conversion rate for a holder of the Notes who elects to convert its Notes in connection with such a corporate event or during the related redemption period in certain circumstances.
The 2025 Notes, the 2027 Notes and the 2029 Notes are redeemable after May 6, 2023, March 20, 2024 and September 21, 2026 (the “Redemption Dates”), respectively. On or after the respective Redemption Dates, we may redeem for cash all or any portion of the 2025 Notes, the 2027 Notes or the 2029 Notes, at our option, if the last reported sale price of our common stock has been at least 130% of the conversion price then in effect for at least 20 trading days (whether or not consecutive) during any 30 consecutive trading day period (including the last trading day of such period) ending on, and including the trading day immediately preceding, the date on which we provide the redemption notice at a redemption price equal to 100% principal amount of the 2025 Notes, the 2027 Notes or the 2029 Notes to be redeemed, plus accrued and unpaid interest to, but excluding, the redemption date.
Partial Repurchase and Conversion of the 2023 Notes
On March 16, 2021, we used a portion of the proceeds from the issuance of the 2027 Notes, together with 2.2 million shares of our common stock, to repurchase and retire $182.6 million aggregate principal amount of the 2023 Notes, and paid accrued and unpaid interest thereon (the 2023 Notes Repurchase Transaction). The 2023 Notes Repurchase Transaction was accounted for as an induced conversion in accordance with Accounting Standards Codification 470-20, Debt with Conversion and Other Options (ASC 470-20). The total fair value of the additional common stock issued to induce the conversion of $2.7 million was recognized as an inducement expense and classified as a
80

component of interest expense in our consolidated statement of operations. The remaining cash and common stock consideration issued under the original terms of the 2023 Notes was accounted for under the general conversion accounting guidance where the difference between the carrying amount of the 2023 Notes retired, including unamortized debt issuance cost of $2.7 million, and the cash consideration paid and the par amount of the common stock issued, was recorded in additional paid-in capital.
During the first quarter of 2021, holders of the 2023 Notes elected to convert Notes with a principal amount of $2.0 million. Cash was paid for the principal and the excess conversion spread was paid in 23,123 shares of our common stock.
Redemption of the 2023 Notes
On September 16, 2021, we issued a redemption notice for the remaining $45.4 million aggregate principal amount outstanding of the 2023 Notes. Pursuant to the redemption notice, on November 30, 2021 we paid $43.4 million in cash and issued 697,262 shares of our common stock to the holders of the 2023 Notes who submitted conversion notices, and the remaining $2.0 million of 2023 Notes were redeemed in cash, plus accrued and unpaid interest.
Partial Repurchase and Conversion of the 2025 Notes
In September 2023, we used $201.0 million of the proceeds from the issuance of the 2029 Notes to repurchase and retire $184.0 million aggregate principal amount of the 2025 Notes and paid accrued and unpaid interest thereon. As a result of the induced conversion, we recorded $53.9 million in non-cash induced conversion expense which is included in interest expense in our consolidated statement of operations. The induced conversion expense represents the fair value of the consideration issued upon conversion in excess of the fair value of the securities issuable under the original terms of the 2025 Notes.
Accounting for the Notes
In accounting for the issuance of the Notes, the principal less debt issuance costs are recorded as debt on our consolidated balance sheet. The debt issuance costs are amortized to interest expense using the effective interest method over the contractual term of the Notes.
The net carrying amount of the Notes as of December 31, 2023 and December 31, 2022 was as follows (in thousands):
2025 Notes2027 Notes2029 Notes
PrincipalUnamortized debt issuance costsTotalPrincipalUnamortized debt issuance costsTotalPrincipalUnamortized debt issuance costsTotal
Balance at December 31, 2022$229,992 $(3,480)$226,512 $600,000 $(10,564)$589,436 $ $ $ 
Issuance      300,000 (7,909)292,091 
Partial repurchase(184,000)2,010 (181,990)— — — — — — 
Amortization of debt issuance costs— 1,066 1,066 — 2,487 2,487 — 394 394 
Balance at December 31, 2023$45,992 $(404)$45,588 $600,000 $(8,077)$591,923 $300,000 $(7,515)$292,485 
Interest expense related to the Notes was as follows (in thousands):
Year Ended December 31,
202320222021
2025 Notes2027 Notes2029 NotesTotal2025 Notes2027 NotesTotal2023 Notes2025 Notes2027 NotesTotal
Contractual interest expense$3,795 $1,500 $1,167 $6,462 $5,174 $1,502 $6,676 $950 $5,175 $1,164 $7,289 
Amortization of debt issuance costs1,066 2,487 394 3,947 1,425 2,468 3,893 $498 $1,384 $1,948 $3,830 
Induced conversion expense53,889   53,889    2,740   2,740 
Total interest expense$58,750 $3,987 $1,561 $64,298 $6,599 $3,970 $10,569 $4,188 $6,559 $3,112 $13,859 
81

Capped Calls
In connection with the offering of the 1.25% convertible senior notes due 2023 (the “2023 Notes”), the 2025 Notes, the 2027 Notes and the 2029 Notes, we entered into privately negotiated capped call transactions with certain counterparties (the “2023 Capped Calls, “2025 Capped Calls”, “2027 Capped Calls” and “2029 Capped Calls”) (collectively, the “Capped Calls”).
The Capped Calls are expected to reduce potential dilution to our common stock upon conversion of a given series of notes and/or offset any cash payments that we are required to make in excess of the principal amount of converted notes of such series, as the case may be, with such reduction and/or offset subject to a cap. The Capped Calls are subject to adjustment upon the occurrence of certain specified extraordinary events affecting us, including merger events, tender offers and announcement events. In addition, the Capped Calls are subject to certain specified additional disruption events that may give rise to a termination of the Capped Calls, including nationalization, insolvency or delisting, changes in law, failures to deliver, insolvency filings and hedging disruptions.
The following table sets forth other key terms and premiums paid for the Capped Calls related to each series of Notes:
Capped Calls Entered into in Connection with the Issuance of the 2023 NotesCapped Calls Entered into in Connection with the Issuance of the 2025 NotesCapped Calls Entered into in Connection with the Issuance of the 2027 NotesCapped Calls Entered into in Connection with the Issuance of the 2029 Notes
Initial strike price, subject to certain adjustments$41.59 $61.02 $103.38 $64.85 
Cap price, subject to certain adjustments$63.98 $93.88 $159.04 $97.88 
Total premium paid (in thousands)$26,910 $27,255 $76,020 $36,570 
Expiration datesJune 2, 2023 - August 1, 2023March 4, 2025 - April 29, 2025January 1, 2027 - March 11, 2027February 13, 2029 - March 13, 2029
For accounting purposes, the 2023 Capped Calls, the 2025 Capped Calls, the 2027 Capped Calls and the 2029 Capped Calls are separate transactions, and not part of the terms of the 2023 Notes, the 2025 Notes, the 2027 Notes and the 2029 Notes. The 2023 Notes, 2025 Capped Calls, 2027 Capped Calls and 2029 Capped Calls are recorded in stockholders' equity and are not accounted for as derivatives.
The 2025 Capped Calls were not redeemed with the partial repurchase of the 2025 Notes and remain outstanding.
The 2023 Capped Calls were not redeemed with the repayment of the 2023 Notes in 2021. In accordance with the terms of the Capped Calls agreements, we elected to cash-settle the 2023 Capped Calls via written notice provided to the counterparties on May 31, 2023 (the “Notice Date”). The 2023 Capped Calls were settled over a 40-day trading period from June 2, 2023 to August 1, 2023, with a settlement date of August 3, 2023. Since cash settlement was elected, pursuant to ASC 815, the 2023 Capped Calls were deemed to meet the definition of a derivative instrument, requiring reclassification from stockholder's equity to a derivative asset at the fair value on the Notice Date, with subsequent changes in fair value to be recorded to earnings through the settlement date. The fair value on the Notice Date of $33.0 million was reclassified from stockholders' equity (additional paid-in capital) to derivative assets. The change in fair value of the derivative asset from the Notice Date to September 30, 2023 was $15.5 million and recorded to other income (expense) on our consolidated statement of operations. On August 3, 2023, we received $17.5 million in cash from the settlement of the 2023 Capped Calls.
Credit Agreement
In April 2020, we entered into a Credit and Security Agreement (the Credit Agreement), with KeyBank National Association that provided for a $30.0 million revolving credit facility, with a letter of credit sublimit of $15.0 million and an accordion feature under which we could increase the credit facility to up to $70.0 million. In May 2020, we utilized the accordion feature to increase the credit facility to $50.0 million.
In December 2021, we entered into an Amendment Agreement (the Amendment) in respect of our Credit and Security Agreement (as amended, the Credit Agreement), with KeyBank National Association, to, among other things, increase the credit facility from $50.0 million to $100.0 million and extend the maturity date to December 22, 2024. The Credit Agreement provides for a $100.0 million revolving credit facility, with a letter of credit sublimit of $15.0 million, and an accordion feature under which we can increase the credit facility to up to $150.0 million. We incurred fees of $0.4 million in connection with entering into the Credit Agreement. The fees are recorded in other current assets on the consolidated balance sheet and are amortized on a straight-line basis over the contractual term of the arrangement. The
82

commitment fee of 0.2% per annum on the unused portion of the credit facility is expensed as incurred and included within interest expense on the consolidated statement of operations. The Credit Agreement contains certain financial covenants including a requirement that we maintain specified minimum recurring revenue and liquidity amounts.
The borrowings under the Credit Agreement bear interest, at our option, at a rate equal to either (i) term SOFR plus a credit spread adjustment of 0.10% per annum plus a margin of 2.50% per annum or (ii) the alternate base rate (subject to a floor), plus an applicable margin equal to 0% per annum.
As of December 31, 2023, we did not have any outstanding borrowings and we were in compliance with all covenants under the Credit Agreement.
As of December 31, 2023, we had a total of $8.8 million in letters of credit outstanding as collateral for certain office space leases and corporate credit card programs which reduce the amount of borrowing available under our Credit Agreement.
(12)    Leases
Our leases primarily relate to office facilities that have remaining terms of up to 8.3 years, some of which include one or more options to renew with renewal terms of up to 5 years and some of which include options to terminate the leases within 4 years. All of our leases are classified as operating leases.
The components of lease expense were as follows:
Year Ended December 31,
20232022
(in thousands)
Operating lease costs$16,776 $19,829 
Short-term lease costs1,259 1,820 
Variable lease costs8,219 8,941 
Total lease costs$26,254 $30,590 
Supplemental balance sheet information related to the operating leases was as follows:
As of December 31, 2023As of December 31, 2022
Weighted average remaining lease term (in years) - operating leases5.76.6
Weighted average discount rate - operating leases6.4 %6.2 %
Supplemental cash flow information related to leases was as follows:
Year Ended December 31,
20232022
 (in thousands)
Cash paid for amounts included in the measurement of lease liabilities$19,999 $17,572 
ROU assets obtained in exchange for new lease obligations$8,119 $10,327 
83

Maturities of operating lease liabilities as of December 31, 2023 were as follows (in thousands):
2024$18,714 
202520,923 
202618,331 
202717,543 
202818,075 
2029 and thereafter19,938 
Total lease payments$113,524 
Less: imputed interest(18,942)
Total$94,582 
During the year ended December 31, 2023, we determined that triggering events occurred which indicated that the carrying value of our right-of-use (“ROU”) and other lease-related assets related to a change in usage of certain idle office space at our corporate headquarters in Boston, Massachusetts as well as idle office spaces located in Plano, Texas, Los Angeles, California, and Toronto, Canada may not be fully recoverable. As a result, we utilized discounted cash flow models to estimate the fair value of the asset groups taking into consideration the time period it will take to obtain sublessees, the applicable discount rate and the anticipated sublease income and calculated the corresponding impairment loss. We used prices and other relevant information generated by recent market transactions involving similar or comparable assets, as well as our historical experience in real estate transactions. In the year ended December 31, 2023, we recorded impairment losses of $30.8 million, respectively, related to these idle office spaces. consisting of $22.2 million, related to ROU assets and $8.6 million related to leasehold improvements associated with these leased office spaces.
(13)    Stock-Based Compensation
(a)    General
In connection with our IPO, our board of directors resolved not to make future grants under our 2011 Stock Option and Grant Plan (the “2011 Plan”). The 2011 Plan will continue to govern outstanding awards granted thereunder. The 2011 Plan provided for the grant of qualified incentive stock options and nonqualified stock options or other awards such as restricted stock awards (“RSAs”) to our employees, officers, directors and outside consultants.
In July 2015, our board of directors adopted and our stockholders approved our 2015 Equity Incentive Plan (the “2015 Plan”). We initially reserved 800,000 shares of our common stock for the issuance of awards under the 2015 Plan plus the number of shares of common stock reserved for issuance under the 2011 Plan at the time the 2015 Plan became effective. The 2015 Plan also provides that (i) any shares subject to awards granted under the 2011 Plan that would have otherwise returned to the 2011 Plan (such as upon the expiration or termination of a stock award prior to vesting) will be added to, and available for issuance under, the 2015 Plan and (ii) the number of shares reserved and available for issuance under the 2015 Plan automatically increases each January 1, beginning on January 1, 2016, by 4% of the outstanding number of shares of our common stock on the immediately preceding December 31 (known as the “evergreen” provision) or such lesser number of shares as determined by our board of directors. Additionally, on October 8, 2015, our board of directors amended, the 2015 Plan to reserve an additional 1,500,000 shares of our common stock for issuance of inducement awards.
As of December 31, 2023, the shares of common stock authorized to be issued under the 2015 Plan totaled 22,574,131 and there were 5,146,498 shares of common stock available for grant.
We recognize stock-based compensation expense for all awards on a straight-line basis over the applicable vesting period, which is generally four years.
84

Stock-based compensation expense for restricted stock units (“RSUs”), performance-based restricted stock units (“PSUs”), stock options and purchase rights issued under our employee stock purchase plan was classified in the accompanying consolidated statements of operations as follows:
 Year Ended December 31,
 202320222021
 (in thousands)
Stock-based compensation expense:
Cost of revenue$10,700 $10,367 $6,491 
Research and development38,022 49,940 46,622 
Sales and marketing29,325 31,217 23,828 
General and administrative30,034 28,378 25,638 
Total stock-based compensation expense$108,081 $119,902 $102,579 
We recognize compensation cost of all awards on a straight-line basis over the applicable vesting period, which is generally four years.
Our Compensation Committee adopted and approved the performance goals, targets and payout formulas for our 2023, 2022 and 2021 bonus plans, including permitting our executive officers and certain other employees the opportunity to receive payment of their earned bonuses in the form of common stock (in lieu of cash). During the years ended December 31, 2023, 2022, and 2021 we recognized stock-based compensation expense related to such bonuses in the amount of $1.6 million, $1.0 million and $4.7 million, respectively, based on the probable expected performance against the pre-established corporate financial objectives as of December 31, 2023, 2022 and 2021. For employees, including executive officers, who elect to receive their bonuses in the form of common stock (in lieu of cash), the payouts are expected to be made in the form of fully vested stock awards in the first quarter of the following year pursuant to our 2015 Equity Incentive Plan, as amended. The number of shares underlying such awards is determined by dividing the dollar value of the actual bonus award payment by the closing price per share of our common stock on the date of grant.
(b)Restricted Stock, Restricted Stock Units and Performance-Based Restricted Stock Units
RSUs and PSUs activity during 2023, 2022, and 2021 was as follows:
 Shares        Weighted-
Average Grant
Date Fair
Value
Unvested balance as of December 31, 20202,941,914 $32.43 
Granted1,957,794 92.74 
Vested(1,610,517)47.00 
Forfeited(510,314)66.67 
Unvested balance as of December 31, 20212,778,877 74.40 
Granted2,327,216 86.78 
Vested(1,481,333)69.80 
Forfeited(623,317)85.93 
Unvested balance as of December 31, 20223,001,443 83.88 
Granted2,304,140 41.76 
Vested(1,453,713)71.28 
Forfeited(1,137,444)67.81 
Unvested balance as of December 31, 20232,714,426 $61.60 
As of December 31, 2023, the unrecognized compensation expense related to our unvested RSUs and PSUs was $145.1 million. This unrecognized compensation expense will be recognized over an estimated weighted-average amortization period of 2.1 years.
85

In February 2023, our Compensation Committee awarded 173,103 PSUs that required the achievement of an annualized recurring revenue (“ARR”) target for the 2023 full-year to earn any payout and include a non-GAAP operating income margin modifier. In addition, the portion of the PSUs that are earned would be capped at a maximum of 200% of the target level payout and if certain ARR or non-GAAP operating income margin goals were not met, no PSUs will be earned. The PSUs have a performance period of one year and the earned PSUs will vest in three equal installments following each of the first, second and third anniversary of the vesting commencement date, subject to the participant’s continuous service as of each such date. The 2023 targets for these PSUs were not met and therefore no stock-based compensation expense was recorded in 2023 related to these PSUs.
(c)Stock Options
The following tables summarizes information about stock option activity during the reporting periods:
Shares        Weighted
Average
Exercise
Price
Weighted
Average
Remaining
Contractual Life
(in years)
Aggregate
Intrinsic
Value
(in thousands)
Outstanding as of December 31, 20201,933,013 $10.07 $154,816 
Granted  
Exercised(521,326)8.26 $49,522 
Forfeited/cancelled(300)7.73 
Outstanding as of December 31, 20211,411,387 10.74 $150,951 
Granted  
Exercised(479,223)6.92 $20,764 
Forfeited/cancelled(38)21.15 
Outstanding as of December 31, 2022932,126 12.70 $19,837 
Granted  
Exercised(215,856)14.14 $6,519 
Forfeited/cancelled  
Outstanding as of December 31, 2023716,270 12.26 1.97$32,115 
Vested and exercisable as of December 31, 2023716,270 $12.26 1.97$32,115 
The total fair value of stock options vested in 2022 and 2021 was $0.1 million, and $0.6 million, respectively. All outstanding stock options were fully vested as of December 31, 2022.
(d)Employee Stock Purchase Plan
The number of shares reserved and available for issuance under our 2015 Employee Stock Purchase Plan (“ESPP”) automatically increases each January 1, beginning on January 1, 2016, by 1% of the outstanding number of shares of our common stock on the immediately preceding December 31 (known as the “evergreen” provision) or such lesser number of shares as determined by our board of directors. As of December 31, 2023, the shares of common stock authorized to be issued under the ESPP totaled 4,752,999 and there were 2,751,211 shares of common stock available for grant.
Under the ESPP, employees may set aside up to 15% of their gross earnings, on an after-tax basis, to purchase our common shares at a discounted price, which is calculated at 85% of the lesser of: (i) the market value of our common stock at the beginning of each offering period and (ii) the market value of our common stock on the applicable purchase date.
The fair value of shares issued under our ESPP is estimated on the grant date using the Black-Scholes option pricing model. The expected term represents the term from the first day of the offering period to the purchase dates within each offering period. The expected volatility is based on the historical volatilities of our own common stock. The risk-free interest rate is based on U.S. Treasury zero-coupon securities with maturities consistent with the estimated expected term. We have not paid dividends on our common stock nor do we expect to pay dividends in the foreseeable future.
86

The following table reflects the assumptions used in the Black-Scholes option pricing model to calculate the expense related to the ESPP:
 Year Ended December 31,
 202320222021
Expected term (in years)
0.5 - 1.0
0.5 - 1.0
0.5 - 1.0
Expected volatility
47 - 68%
37 - 57%
31 - 48%
Risk-free interest rate
4.5 – 5.5%
0.1 – 4.0%
0.5 – 0.7%
Expected dividend yield
Grant date fair value per share
$11.70 – $20.07
$15.50 – $29.58
$20.32 –$34.98
The following table provides the number of common shares issued to employees, the purchase prices and aggregate proceeds for the purchase dates in the years ended December 31, 2023, 2022 and 2021:
 September 15, 2023March 15, 2023September 15, 2022March 15, 2022September 15, 2021March 15, 2021
 
Common shares issued152,419177,886218,31480,74773,676147,837
Purchase prices$33.78$34.71$45.31
$67.59 and $81.37
$52.60 and $67.59
$28.39 and $52.60
Aggregate proceeds$5.1 million$6.1 million$6.2 million$5.7 million$4.8 million$4.5 million

(14)    Income Taxes
Loss before income taxes included in the consolidated statements of operations was as follows:
 Year Ended December 31,
 202320222021
 (in thousands)
United States$(136,637)$(109,381)$(106,281)
Foreign(13,141)(12,924)(29,632)
Loss before income taxes$(149,778)$(122,305)$(135,913)
Income tax expense included in the consolidated statements of operations was as follows:
 Year Ended December 31,
 202320222021
 (in thousands)
Current:
Federal$428 $1 $124 
State and local1,361 243 177 
Foreign3,317 3,608 9,690 
Total current tax expense5,106 3,852 9,991 
Deferred:
Federal9 10 10 
State and local2 2 2 
Foreign(5,635)(1,452)418 
Total deferred tax (benefit) expense(5,624)(1,440)430 
Income tax expense$(518)$2,412 $10,421 
The reconciliation of the federal statutory rate of 21% to the effective income tax rate for the years ended December 31, 2023, 2022 and 2021 was as follows:
87

 Year Ended December 31,
 202320222021
Federal statutory rate21.0 %21.0 %21.0 %
State taxes, net of federal benefit(0.5)(0.1)(0.1)
Permanent differences(0.9)(0.2)(0.2)
Stock-based compensation(7.0)(2.4)14.2 
Federal research and development credit0.9 1.4 1.4 
Foreign rate differential0.3 0.1 (0.5)
Change in valuation allowance(3.2)(24.8)(36.0)
Excess officers' compensation(1.7)(3.1)(5.9)
Tax rate change(3.4)7.8 11.2 
Induced conversion expense(9.5) (0.6)
Tax reserves(0.1)(0.2)(3.8)
Prior year true-ups5.2 (0.3)(0.1)
Capital gain on sale  (7.0)
Other(0.8)(1.1)(1.2)
Effective income tax rate0.3 %(1.9)%(7.6)%
Net deferred tax assets and liabilities, as set forth in the table below, reflect the impact of temporary differences between the amounts of assets and liabilities recorded for financial statement purposes and such amounts measured in accordance with tax laws:
 As of December 31,
 20232022
 (in thousands)
Deferred tax assets:
Accruals and reserves$335 $109 
Net operating loss carryforwards137,706 166,173 
Deferred revenue15,726 9,597 
Depreciation836 3,258 
Research and development credits14,116 11,047 
Capitalized research and development63,234 40,253 
Operating lease liabilities24,012 25,134 
Stock-based compensation9,113 9,072 
Tax credits1,148 1,148 
Other1,170 1,918 
Gross deferred tax assets$267,396 $267,709 
Valuation allowance(231,661)(230,205)
Total deferred tax assets$35,735 $37,504 
Deferred tax liabilities:
Intangible assets$ $ 
Operating lease ROU assets(11,307)(20,159)
Convertible senior notes  
Deferred contract acquisition and fulfillment costs(24,251)(22,664)
Other(65)(55)
Total deferred tax liabilities$(35,623)$(42,878)
Net deferred tax liabilities$112 $(5,374)
Beginning January 1, 2022, the Tax Cuts and Jobs Act (the "Tax Act”) eliminated the option to deduct research and development expenditures in the current year and requires taxpayers to capitalize such expenses pursuant to Internal Revenue Code (“IRC”) Section 174. The capitalized expenses are amortized over a 5-year period for domestic expenses and a 15-year period for foreign expenses. We have included the impact of this provision, which results in
88

additional deferred tax assets of approximately $63.2 million and $37.1 million as of December 31, 2023 and 2022, respectively.
As of December 31, 2023, we have evaluated the need for a valuation allowance on our deferred tax assets. In making this determination, management considered whether it is more likely than not that some portion or all of the deferred tax assets will not be realized.
The valuation allowance increased by $1.5 million for the year ended December 31, 2023. Due to our history of generating losses, we continue to record a valuation allowance against our net deferred tax assets in the United States and U.K. In addition to the United States, we have recognized valuation allowance against a net deferred tax asset in Israel. Based on our assessment of future profitability in Ireland, we have released a portion of valuation allowance in respect of our deferred tax assets.
As of December 31, 2023, we had federal and state net operating loss (“NOL”) carryforwards in the United States of $346.5 million and $293.5 million, respectively. Of these amounts, $332.7 million of federal and a portion of state NOLs can be carried forward indefinitely. The remaining NOLs expire at various dates beginning in 2024. We had foreign NOL carryforwards of $241.6 million that can be carried forward indefinitely. We also had federal, state and foreign research and development credit carryforwards of $7.2 million, $3.1 million and $3.8 million as of December 31, 2023, respectively. These credit carryforwards expire at various dates beginning in 2024.
As of December 31, 2023, our ability to utilize NOLs remains limited under IRC Sections 382 and 383 due to an ownership change we experienced in January 2018. We will not be precluded from realizing the NOL carryforwards and tax credits but may be limited in the amount we could utilize in any given tax year in the event that the federal and state taxable income exceeds the limitation imposed by Section 382. The amount of the annual limitation is determined based on our value immediately prior to the ownership change. Subsequent ownership changes may further affect the limitation in future years.
We file income tax returns in all jurisdictions in which we operate. In the normal course of business, we are subject to examination by federal, state, and foreign tax authorities, where applicable. The statute of limitations for these jurisdictions is generally three to seven years. However, to the extent we utilize net operating losses or other similar carryforward attributes such as credits, the statute remains open to the extent of the net operating losses or credits that are utilized. We are currently under tax examination in the state of Massachusetts for tax years 2021 through 2022 and in Israel for tax years 2016 through 2019.
We have established reserves to provide for additional income taxes that management believes will more likely than not be due in future years. The reserves have been established based upon our assessment of the potential exposure. Our reserve for unrecognized income tax benefits of $5.0 million remained unchanged from December 31, 2022. We recorded $0.2 million of interest in 2023 related to uncertain tax positions. During the next twelve months, the Company does not expect any change to its uncertain tax positions other than the accrual of interest in the normal course of business.
We plan to permanently reinvest the undistributed earnings of our foreign subsidiaries. If we repatriate these earnings, we may be required to pay U.S. state and local taxes, as well as foreign withholding taxes.

89

(15)    Net Loss Per Share
The following table summarizes the computation of basic and diluted net loss per share of our common stock for the years ended December 31, 2023 and 2022 :
 Year Ended December 31,
 202320222021
 (in thousands, except share and per share data)
Numerator:
Net loss$(149,260)$(124,717)$(146,334)
Denominator:
Weighted-average common shares outstanding, basic and diluted60,756,087 58,552,065 55,270,998 
Net loss per share, basic and diluted$(2.46)$(2.13)$(2.65)
We intend to settle any conversion of our 2025 Notes, 2027 Notes and 2029 Notes in cash, shares, or a combination thereof. The dilutive impact of the Notes for our calculation of diluted net income (loss) per share is considered using the if-converted method. For the years ended December 31, 2023 and 2022, the shares underlying the Notes were not considered in the calculation of diluted net loss per share as the effect would have been anti-dilutive.
In connection with the issuance of the 2023 Notes, the 2025 Notes, the 2027 Notes and the 2029 Notes, we entered into 2023 Capped Calls, 2025 Capped Calls, 2027 Capped Calls and 2029 Capped Calls, which were not included for the purpose of calculating the number of diluted shares outstanding, as their effect would have been anti-dilutive. As further described in Note 11, Debt, the 2023 Capped Calls were not redeemed with the redemption of the 2023 Notes. The 2025 Capped Calls were not redeemed with the partial repurchase of the 2025 Notes and remain outstanding.
As of December 31, 2023 and 2022, the 2025 Notes, the 2027 Notes and the 2029 Notes were not convertible at the option of the holder. We had not received any conversion notices through the issuance date of our unaudited consolidated financial statements. For disclosure purposes, we have calculated the potentially dilutive effect of the conversion spread, which is included in the table below. The following potentially dilutive securities outstanding have been excluded from the computation of diluted weighted-average shares outstanding for the respective periods below because they would have been anti-dilutive:
 Year Ended December 31,
 202320222021
Options to purchase common stock716,270 932,126 1,411,387 
Unvested restricted stock units2,983,020 3,001,443 2,778,877 
Common stock issued in conjunction to acquisitions115,051 74,627 273,473 
Shares to be issued under ESPP103,778 106,965 36,831 
Convertible senior notes11,183,611 9,572,955 9,573,087 
Total15,101,730 13,688,116 14,073,655 

(16)    Commitments and Contingencies
(a)Purchase Obligations
As of December 31, 2023, we have non-cancellable firm purchase commitments relating to cloud infrastructure services, including with Amazon Web Services (“AWS”), and software subscriptions.
90

The following table presents details of the future non-cancellable purchase commitments under these agreements as of December 31, 2023 (in thousands):
2024$134,329 
202541,493 
20266,265 
20273,613 
2028 and thereafter 
Total$185,700 
(b)Warranty
We provide limited product warranties. Historically, any payments made under these provisions have been immaterial.
(c)Litigation and Claims
From time to time, we may be a party to litigation or subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
(d)Indemnification Obligations
We agree to standard indemnification provisions in the ordinary course of business. Pursuant to these provisions, we agree to indemnify, hold harmless and reimburse the indemnified party for losses suffered or incurred by the indemnified party, generally our customers, in connection with any United States patent, copyright or other intellectual property infringement claim by any third party arising from the use of our products or services in accordance with the agreement or arising from our gross negligence, willful misconduct or violation of the law (provided that there is not gross or willful misconduct on the part of the other party) with respect to our products or services. The term of these indemnification provisions is generally perpetual from the time of execution of the agreement. We carry insurance that covers certain third-party claims relating to our services and limits our exposure. We have never incurred costs to defend lawsuits or settle claims related to these indemnification provisions.
As permitted under Delaware law, we have entered into indemnification agreements with our officers and directors, indemnifying them for certain events or occurrences while they serve as officers or directors of the company.
(17)    Employee Benefit Plan
In December 2008, we established a discretionary 401(k) plan in which all full-time U.S. employees above the age 18 are eligible to participate after they have been employed for us for 90 days following the applicable date of hire. Matching contributions to the 401(k) plan can be made at our discretion. In 2023, 2022 and 2021, we made discretionary contributions of $4.3 million, $4.3 million and $3.6 million, respectively, to the plan.
(18)    Segment Information and Information about Geographic Areas
We operate in one segment. Our chief operating decision maker is our Chief Executive Officer, who makes operating decisions, assesses performance and allocates resources on a consolidated basis.
91

Net revenues by geographic area presented based upon the location of the customer are as follows:
 Year Ended December 31,
 202320222021
 (in thousands)
United States$579,025 $515,894 $414,856 
Other198,682 169,189 120,548 
Total$777,707 $685,083 $535,404 
Property and equipment, net by geographic area is presented in the table below:
 As of December 31, 2023As of December 31, 2022
 (in thousands)
United States$27,609 $41,570 
Other12,033 16,321 
Total$39,642 $57,891 

(19)    Restructuring
On August 7, 2023, our board of directors approved a restructuring plan that was designed to improve operational efficiencies, reduce operating costs and better align the Company’s workforce with current business needs, top strategic priorities and key growth opportunities (collectively, the “Restructuring Plan”). The Restructuring Plan included a reduction of the Company’s workforce by approximately 16%.
In 2023, we incurred $22.2 million of restructuring charges which were recorded within restructuring in the condensed consolidated statements of operations. In addition, we incurred $1.3 million of stock-based compensation expense related to acceleration of share-based awards.
As of December 31, 2023, the restructuring liability accrued but not paid totaled $3.8 million, which is included within accrued expenses in the condensed consolidated balance sheets. The execution of the Restructuring Plan was substantially complete as of December 31, 2023 and we expect the remaining restructuring liability to be paid by the end of the first quarter of 2024.
Potential position eliminations in each country are subject to local law and consultation requirements, which may extend this process beyond the fourth quarter of 2023 in certain countries. The charges that we expect to incur are subject to a number of assumptions, including local law requirements in various jurisdictions, and actual expenses may differ materially from the estimates disclosed above.
In 2023, we permanently closed certain idle office spaces in Plano, Texas, Los Angeles, California and Toronto, Canada, which resulted in an impairment loss of $3.6 million. Refer to Note 12, Leases, for further details on the impairment of long-lived assets.
The following table presents the activity of the restructuring liability for the year ended December 31, 2023:
Restructuring Liability
 (in thousands)
Balance at December 31, 2022$ 
Charges22,227 
Payments(18,463)
Balance at December 31, 2023$3,764 
Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure.
None.


92

Item 9A. Controls and Procedures.
Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our chief executive officer and chief financial officer, evaluated the effectiveness of our disclosure controls and procedures as of December 31, 2023. The term “disclosure controls and procedures,” as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act of 1934, as amended, means controls and other procedures of a company that are designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the SEC’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company’s management, including its principal executive and principal financial officers, as appropriate to allow timely decisions regarding required disclosure. Management recognizes that any controls and procedures, no matter how well designed and operated, can provide only reasonable assurance of achieving their objectives and management necessarily applies its judgment in evaluating the cost-benefit relationship of possible controls and procedures. Based on the evaluation of our disclosure controls and procedures as of December 31, 2023, our chief executive officer and chief financial officer concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.
Management’s Report on Internal Control Over Financial Reporting
Our management is responsible for establishing and maintaining adequate internal control over financial reporting, as such term is defined in Rules 13a-15(f) and 15d-15(f) of the Exchange Act. Our management assessed the effectiveness of our internal control over financial reporting as of December 31, 2023 based on the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) in Internal Control – Integrated Framework (2013). Based on this assessment, management concluded that as of December 31, 2023, our internal control over financial reporting was effective.
This Annual Report on Form 10-K includes an attestation report of our independent registered public accounting firm regarding internal control over financial reporting, which appears in Part II, Item 8 of this Annual Report on Form 10-K.
Inherent Limitations of Internal Controls
Our management, including our chief executive officer and chief financial officer, does not expect that our disclosure controls and procedures or our internal controls will prevent all errors and all fraud. A control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, within the company have been detected. These inherent limitations include the realities that judgments in decision-making can be faulty, and that breakdowns can occur because of a simple error or mistake. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people, or by management override of the control. The design of any system of controls also is based in part upon certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions. Over time, controls may become inadequate because of changes in conditions, or the degree of compliance with the policies or procedures may deteriorate. Because of the inherent limitations in a cost-effective control system, misstatements due to error or fraud may occur and not be detected.
Changes in Internal Control over Financial Reporting
There were no changes in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and 15d-15(d) of the Exchange Act that occurred during the period covered by this Annual Report on Form 10-K that has materially affected, or is reasonably likely to materially affect, our internal control over financial reporting.
Item 9B. Other Information.
Certain of our executive officers and directors may execute purchases and sales of our securities through Rule 10b5-1 equity trading plans and “non-Rule 10b5-1 equity trading arrangements” (as defined in Item 408(c) of Regulation S-K).
During the three months ended December 31, 2023, several of our executive officers, as set forth below, adopted or terminated a contract, instruction or written plan for the purchase or sale of Rapid7 securities that was intended to satisfy the affirmative defense conditions of Rule 10b5-1(c).

93

Name and PositionAction Adoption or Transaction DateType of Trading ArrangementNumber of Shares of Common Stock to be SoldExpiration Date
Andrew Burton, Chief Operating Officer (1)
AdoptionDecember 13, 2023Rule 10b5-1*
70,675**
12/31/2024***
Tim Adams, Chief Financial Officer
AdoptionNovember 28, 2023Rule 10b5-1*
15,000**
11/28/2024***
Corey Thomas,Chief Executive Officer (2)
AdoptionDecember 13, 2023Rule 10b5-1*
296,842**
12/13/2024***
(1) The selling start date under Mr. Burton's 10b5-1 Plan adopted on December 13, 2023 is contingent on the completion or expiration of his previously adopted plan.
(2) Mr. Thomas' plan includes the sale of 30,842 shares that were gifted to the Ancore Foundation, Inc., a charitable foundation of which Mr. Thomas is a director.

* Contract, instruction or written plan intended to satisfy the affirmative defense conditions of Rule 10b5-1(c) under the Exchange Act.

** Represents the maximum number of shares that may be sold pursuant to the Rule 10b5-1 trading arrangement in amounts and prices determined in accordance with a formula set forth in the plan. The actual number of shares sold will be dependent on the satisfaction of certain conditions as set forth in the written plan.

*** The Rule 10b5-1 trading arrangement will terminate on the earlier of the date all the shares under the plan are sold and the
expiration date indicated, subject to early termination for specified events set forth in the plan.

During the year ended December 31, 2023, other than noted above, none of our executive officers or directors terminated or modified a 10b5-1 equity trading plan, or adopted, terminated, or modified any “non-Rule 10b5-1 equity trading
arrangement”.
Item 9C. Disclosure Regarding Foreign Jurisdictions that Prevent Inspections.
Not Applicable.
94

PART III
Item 10. Directors, Executive Officers and Corporate Governance.
The information required by this item is incorporated by reference to our Proxy Statement for our 2024 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2023.
As part of our system of corporate governance, our board of directors has adopted a code of business conduct and ethics. The code applies to all of our employees, officers (including our principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions), agents and representatives, including our independent directors and consultants, who are not employees of ours, with regard to their Company-related activities. Our code of business conduct and ethics is available on our website at www.rapid7.com. We intend to post on this section of our website any amendment to our code of business conduct and ethics, as well as any waivers of our code of business conduct and ethics, that are required to be disclosed by the rules of the SEC or the Nasdaq Stock Market.
Item 11. Executive Compensation.
The information required by this item is incorporated by reference to our Proxy Statement for our 2024 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the year ended December 31, 2023.
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters.
The information required by this item is incorporated by reference to our Proxy Statement for our 2024 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the year ended December 31, 2023.
Item 13. Certain Relationships and Related Transactions, and Director Independence.
The information required by this item is incorporated by reference to our Proxy Statement for our 2024 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the year ended December 31, 2023.
Item 14. Principal Accounting Fees and Services.
The information required by this item is incorporated by reference to our Proxy Statement for our 2024 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the year ended December 31, 2023.
95

PART IV
Item 15. Exhibits and Financial Statement Schedules.
(a)(1) Financial Statements
See Index to Consolidated Financial Statements on page 61 of this Annual Report on Form 10-K, which is incorporated into this item by reference.
(a)(2) Financial Statement Schedules
All financial statement schedules are omitted because they are not applicable or the required information is shown in the financial statements or notes thereto.
(b) Exhibits
The following list of exhibits includes exhibits submitted with this Annual Report on Form 10-K as filed with the SEC and others incorporated by reference to other filings.

Exhibit
 Number 
Description
3.1
Amended and Restated Certificate of Incorporation of Rapid7, Inc., as of June 3, 2020 (incorporated by reference Exhibit 3.1 to the Registrant’s Quarterly Report on Form 10-Q (File No. 001-37496), filed on August 10, 2020).
3.2
Amended and Restated Bylaws of Rapid7, Inc., as of June 3, 2020 (incorporated by reference to Exhibit 3.2 to the Registrant’s Quarterly Report on Form 10-Q (File No. 001-37496), filed with the Securities and Exchange Commission on August 10, 2020).
4.1
Form of common stock certificate of Rapid7, Inc. (incorporated by reference to Exhibit 4.1 to the Registrant’s Registration Statement on Form S-1/A (File No. 333-204874), filed on July 6, 2015).
4.2
Indenture, dated as of August 13, 2018, between Rapid7 Inc. and U.S. Bank National Association, as trustee (incorporated by reference to Exhibit 4.1 to the Registrant's Current Report on Form 8-K (file No. 001-37496), filed on August 13, 2018).
4.3
4.4 *
4.5
Indenture, dated as of May 1, 2020, by and between Rapid7, Inc. and U.S. Bank National Association, as Trustee (incorporated by reference to Exhibit 4.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on May 4, 2020).
4.6
4.7
Indenture, dated as of March 19, 2021, by and between Rapid7, Inc. and U.S. Bank National Association, as Trustee (incorporated by reference to Exhibit 4.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on March 19, 2021).
4.8
4.9
Indenture, dated as of September 8, 2023, by and between Rapid7, Inc. and U.S. Bank Trust Company. National Association, as Trustee (incorporated by reference to Exhibit 4.1 to the Registrant's Current Report on Form 8-K (File No. 001-37496), filed on September 8, 2023).
4.10
10.1
Form of Confirmation for Capped Call Transactions (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on August 13, 2018).
10.2
Purchase Agreement, dated April 28, 2020, by and between Rapid7, Inc. and Barclays Capital Inc. (incorporated by reference to Exhibit 10.2 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on May 4, 2020).
10.3
Form of Capped Call Transactions (incorporated by reference to Exhibit 10.2 to the Registrant's Current Report on Form 8-K (File No. 001-37496), filed on May 4, 2020).
96

10.4
Purchase Agreement, dated March 16, 2021, by and between Rapid7, Inc., Goldman Sachs & Co. LLC and Barclays Capital Inc. (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on March 19, 2021).
10.5
Form of Confirmation for Capped Call Transactions. (incorporated by reference to Exhibit 10.2 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on March 19, 2021).
10.6
Purchase Agreement, dated September 5, 2023, by and between Rapid7, Inc., Goldman Sachs & Co. LLC and J.P. Morgan Securities LLC. (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on September 5, 2023).
10.7
Form of Confirmation for Capped Call Transactions. (incorporated by reference to Exhibit 10.2 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on September 5, 2023).
10.8
Credit and Security Agreement, dated as of April 23, 2020, by and among Rapid7, Inc., Rapid7 LLC, KeyBank National Association, and the lenders party thereto (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on April 28, 2020, and incorporated herein by reference).
10.9
Merger Agreement, dated as of April 24, 2020, by and between Rapid7, Inc., Rapid7 LLC, Stratus Acquisition, Inc., Divvy Cloud Corporation and Fortis Advisors LLC. (incorporated by reference to Exhibit 10.2 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on April 28, 2020).
10.10
First Amendment Agreement, dated as of May 29, 2020, by and among Rapid7, Inc., Rapid7 LLC, KeyBank National Association, and the lenders party thereto (incorporated by reference to Exhibit 10.4 to the Registrant’s Quarterly Report on Form 10-Q (File No. 001-37496), filed on August 10, 2020).
10.11
Second Amendment Agreement, dated as of December 22, 2021, by and among Rapid7, Inc., Rapid7 LLC, KeyBank National Association, and the lenders party thereto (incorporated by reference to Exhibit 10.9 to the Registrant’s Annual Report on Form 10-K (File No. 001-37496), filed on February 24, 2022).
10.12+
2011 Stock Option and Grant Plan and Forms of Stock Option Agreement, Stock Option Exercise Notice and Restricted Stock Agreement thereunder (incorporated by reference to Exhibit 10.2 to the Registrant’s Registration Statement on Form S-1 (File No. 333-204874), filed on June 11, 2015).
10.13+
Rapid7, Inc. 2015 Equity Incentive Plan, as amended (incorporated by reference to Exhibit 10.1 to the Registrant's Current Report on Form 8-K (file No. 001-37496), filed on July 19, 2021)
10.14+
Forms of Stock Option Agreement, Notice of Exercise, Stock Option Grant Notice and Restricted Stock Unit Agreement under the Rapid7, Inc. 2015 Equity Incentive Plan, as amended (incorporated by reference to Exhibit 10.3 to the Registrant’s Registration Statement on Form S-1/A (File No. 333-204874), filed on July 6, 2015).
10.15+
Rapid7, Inc. 2015 Employee Stock Purchase Plan (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on October 13, 2015).
10.16+
Form of Indemnification Agreement by and between Rapid7, Inc. and each of its directors and executive officers (incorporated by reference to Exhibit 10.5 to the Registrant’s Annual Report on Form 10-K (File No. 001-37496), filed on March 10, 2016).
10.17
Stock Purchase Agreement, dated July 16, 2021, by and between Rapid7, Inc., Rapid7 International Holdings Limited, IntSights Cyber Intelligence Ltd., the Sellers and Shareholder Representative Services LLC (incorporated by reference to Exhibit 10.1 to the Registrant's Current Report on Form 8-K (File No. 001-37496), filed on July 19, 2021).
10.18
Lease dated November 16, 2017 between Podium Developer LLC and Rapid7, Inc (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on November 16, 2017).
10.19
Lease dated July 19, 2019 between Office Tower Developer LLC and Rapid7, Inc (incorporated by reference to Exhibit 10.1 to the Registrant's Current Report on Form 8-K (File no. 001-37496), filed with the Securities and Exchange Commission on July 25, 2019).
10.20
First Amendment to Lease, dated as of September 9, 2020 by and between Office Tower Developer LLC and Rapid7, Inc. (incorporated by reference to Exhibit 10.1 to the Registrant’s Quarterly Report on Form 10-Q (File No. 001-37496), filed on November 5, 2020).
10.21
Second Amendment to Lease, dated as of November 9, 2020 by and between Office Tower Developer LLC and Rapid7, Inc. (incorporated by reference to Exhibit 10.15 to the Registrant's Annual Report on Form 10-K (File no. 001-37496), filed on February 26, 2021).
10.22
Third Amendment to Lease, dated as of February 5, 2021 by and between Office Tower Developer LLC and Rapid7, Inc. (incorporated by reference to Exhibit 10.16 to the Registrant's Annual Report on Form 10-K (File no. 001-37496), filed on February 26, 2021).
10.23+
Rapid7, Inc. Executive Incentive Bonus Plan (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on February 2, 2017).
97

10.24+
Employment Agreement, dated as of January 3, 2013, by and between Rapid7, Inc. and Corey Thomas (incorporated by reference to Exhibit 10.9 to the Registrant’s Registration Statement on Form S-1 (File No. 333-204874), filed on June 11, 2015).
10.25+
Amendment to Employment Agreement, dated as of April 4, 2016, by and between Rapid7, Inc. and Corey Thomas (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed with the Securities and Exchange Commission on April 5, 2016).
10.26+
Second Amendment to Employment Agreement, dated as of March 24, 2017, by and between Rapid7, Inc. and Corey Thomas (incorporated by reference to Exhibit 10.2 to the Registrant’s Quarterly Report on Form 10-Q (File No. 001-37496), filed on May 10, 2017).
10.27+
Third Amendment to Employment Agreement, dated as of August 7, 2023, by and between Rapid7, Inc. and Corey Thomas (incorporated by reference to Exhibit 10.1 to the Registrant's Quarterly Report on Form 10-Q (File No. 001-37496), filed on November 6, 2023).
10.28+
Offer Letter Agreement, dated as of October 3, 2016, by and between Rapid7, Inc. and Andrew Burton (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on October 4, 2016).
10.29+
Offer Letter, dated as of November 23, 2021, by and between Rapid7, Inc. and Tim Adams (incorporated by reference to Exhibit 10.1 to the Registrant’s Current Report on Form 8-K (File No. 001-37496), filed on November 29, 2021).
10.30+
Severance and Equity Award Vesting Acceleration Letter, dated as of March 28, 2017, by and between Rapid7, Inc. and Andrew Burton (incorporated by reference to Exhibit 10.3 to the Registrant’s Quarterly Report on Form 10-Q (File No. 001-37496), filed on May 10, 2017).
10.31+
Severance and Equity Award Vesting Acceleration Agreement, dated as of August 8, 2023, by and between Rapid7, Inc. and Andrew Burton (incorporated by reference to Exhibit 10.2 on Form 10-Q (File No. 001-37496), filed on November 6, 2023).
10.32+
Severance and Equity Award Vesting Acceleration Agreement, dated as of August 30, 2023, by and between Rapid7, Inc. and Tim Adams (incorporated by reference to Exhibit 10.3 on Form 10-Q (File No. 001-37496), filed on November 6, 2023).
10.33+
Severance and Equity Award Vesting Acceleration Agreement, dated as of August 8, 2023, by and between Rapid7, Inc. and Christina Luconi (incorporated by reference to Exhibit 10.4 on Form 10-Q (File No. 001-37496), filed on November 6, 2023).
10.34+*
Exhibit
 Number 
 Description
21.1* 
23.1* 
24.1 
31.1* 
31.2* 
32.1** 
32.2** 
97*
101.INS 
Inline XBRL Instance Document - the instance document does not appear in the Interactive Data file because its XBRL tags are embedded within the inline XBRL document.
101.SCH Inline XBRL Taxonomy Extension Schema Document.
101.CAL Inline XBRL Taxonomy Extension Calculation Linkbase Document.
101.DEF Inline XBRL Taxonomy Extension Definition Linkbase Document.
101.LAB Inline XBRL Taxonomy Extension Label Linkbase Document.
101.PRE Inline XBRL Taxonomy Extension Presentation Linkbase Document.
104Cover Page Interactive Data file (formatted as inline XBRL with applicable taxonomy extension information contained in Exhibits 101)
98


*Filed herewith.
**This certification is deemed not filed for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liability of that section, nor shall it be deemed incorporated by reference into any filing under the Securities Act of 1933, as amended, or the Securities Exchange Act of 1934, as amended.
+Indicates management contract or compensatory plan.

Item 16. Form 10-K Summary.
Not applicable.
99

SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.
RAPID7, INC.
Date: February 26, 2024
By: /s/ Corey E. Thomas
 
Name: Corey E. Thomas
 
Title: Chief Executive Officer

100

POWER OF ATTORNEY
KNOW ALL BY THESE PRESENTS, that each person whose signature appears below constitutes and appoints Corey E. Thomas and Tim Adams, and each of them, as his true and lawful attorneys-in-fact and agents, each with the full power of substitution, for him and in his name, place or stead, in any and all capacities, to sign any and all amendments to this report, with exhibits thereto and other documents in connection therewith, with the Securities and Exchange Commission, granting unto said attorneys-in-fact and agents, and each of them, full power and authority to do and perform each and every act and thing requisite and necessary to be done in and about the premises, as fully to all intents and purposes as he might or could do in person, hereby ratifying and confirming all that said attorneys-in-fact and agents, or their, his substitute or substitutes, may lawfully do or cause to be done by virtue hereof.
Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, this report has been signed below by the following persons on behalf of the registrant in the capacities and on the dates indicated.
Name Title Date
/s/ Corey E. Thomas Chief Executive Officer and Director February 26, 2024
Corey E. Thomas
(Principal Executive Officer)
/s/ Tim Adams Chief Financial Officer February 26, 2024
Tim Adams
(Principal Financial Officer and Principal Accounting Officer)
/s/ Michael Berry Director February 26, 2024
Michael Berry
/s/ Marc Brown Director February 26, 2024
Marc Brown
/s/ Judy Bruner Director February 26, 2024
Judy Bruner
/s/ Benjamin Holzman Director February 26, 2024
Benjamin Holzman
/s/ Christina Kosmowski Director February 26, 2024
Christina Kosmowski
/s/ J. Benjamin Nye Director February 26, 2024
J. Benjamin Nye
/s/ Thomas Schodorf Director February 26, 2024
Thomas Schodorf
/s/ Reeny SondhiDirectorFebruary 26, 2024
Reeny Sondhi

101