Krissanaporn Detrapipat | Moment | Getty Images
Company: Rapid7 (RPD)
work: Rapid 7 is a global cybersecurity software and services provider. Its products span information security, cloud operations, development, and information technology teams, empowering them to understand attackers and use that information to control a fragmented attack surface. Rapid7 Managed Threat Complete is its flagship product and includes the Rapid7 Managed Detection and Response program. Rapid7 also offers risk and threat coverage through its InsightIDR and Insight VM services, delivering them in one package. The company’s security solutions help more than 11,000 customers worldwide unify cloud risk management and threat detection.
Stock market value: $2.69 billion ($43.23 per share)
Rapid7 in 2024
Activist: Jana Partners
Percentage of Ownership: None
Average cost: None
Activist Commentary: Jana is a highly experienced activist investor founded by Barry Rosenstein in 2001. The firm gained a reputation for its well-researched activist positions and meticulous planning for long-term value. Rosenstein called his activist strategy the “V to the power of 3.” The three “Vs” are: (i) Value: Acquire at the right price; (ii) Vote: Know if there will be a vote before starting a proxy fight; and (iii) Multiple Ways to Win: Have multiple strategies to increase value and exit the investment. Since 2008, the firm has gradually shifted its strategy to what we characterize as the “Three S’s”: (i) Stock Price: Acquire at the right price; (ii) Strategic Activism: Sell the company or spin off the business; and (iii) Star Advisor/Candidate: Work with and advise top industry executives and take board seats when appropriate.
what’s happening
On June 26, The Wall Street Journal reported that Jana was investing heavily in Rapid7, potentially prompting the company to sell and improve its operations and forecasts.
Behind the Scenes
Rapid7 is a cybersecurity company that expands its security operations expertise for its clients. Its flagship product, Managed Threat Complete, combines end-to-end 24/7 managed detection and response with vulnerability management products. The company has historically focused on on-site cybersecurity operations but has begun to expand into the fast-growing cloud security space. Rapid7 operates in a very attractive industry and benefits from several significant tailwinds. In an era when software budgets are being cut or reallocated to AI, the threat of cyberattacks looms large and poses a significant risk as spending on these types of services plateau or increase. Additionally, cybersecurity analysts and in-house security staff are limited, creating a great need for outsourcing. With more complex operations and a multitude of applications both on-site and in the cloud, Rapid7 is well-positioned to continue to grow and aims to become a quality provider for subject matter experts who may not be able to sustain the services of the largest and most expensive competitors.
Despite being well-positioned, the company has delivered negative returns on a one-, three-, and five-year basis. Rapid7 is one of the top three companies in vulnerability management, but it is assigned a much lower revenue multiple (3x) compared to competitors Tenable (5.5x) and Qualys (8x). One factor is that Rapid7 offers a mix of low- and high-growth cybersecurity products, which is difficult to assess, but more importantly, multiple missteps by management, exacerbated by a lack of board oversight. First, the company changed its sales model, shifting to selling packaged products instead of selling products individually. It also moved from direct sales to a channel model. Second, it faced challenges in bringing its cloud products to market. Additionally, to transform from a pure growth to a profitable software company, Rapid7 is focused on achieving its goal of $160 million in free cash flow and improving profit margins. In August 2023, perhaps in pursuit of these goals, the company suddenly announced plans to cut its workforce by 18%. Rapid7 has further issues with retention of key executive positions, including the departure of its Chief Innovation Officer and, crucially, its Chief Operating Officer and President. Finally, the company has been unable to make adequate forecasts, leading to significant investor uncertainty and questions about board oversight. In February 2024, the company issued its 2024 guidance, stating that it was very confident, but then cut it in May when it released its first quarter results. This resulted in a 17% drop in shares on May 8th. This is a company operating in a very complex and dynamic space that seems to be doing everything at once and not delivering.
For such companies, there are generally two paths to shareholder value creation: (i) a long-term plan that includes restructuring the board, refreshing management, and revising the strategic and operating plans, and (ii) a short-term plan to sell the company to an interested buyer who can make those changes. With respect to the long-term plan, Jana typically works with industry executives and consultants in conducting due diligence and executing activist plans, and does not believe this situation is an exception. The firm often brings these individuals to the negotiating table as director candidates when deemed necessary. Jana has experience in bringing these professionals to company boards, where they often serve as an asset to fix company issues ranging from operations to governance to capital allocation. However, Jana also has extensive experience in strategic activism and selling portfolio companies. Jana expects to advocate for a strategy that is expected to maximize shareholder value, adjusted for risk and time. Given the problems the company has experienced and the lack of focus from its CEO (Corey Thomas is Chairman and CEO of Rapid7, and also serves on the National Security Communications Advisory Committee, Chairman of the Federal Reserve Bank of Boston, and a member of the Council on Foreign Relations. He also serves on the board of trustees of Blue Cross Blue Shield of Massachusetts, LPL Financial, and Vanderbilt University), a sale would seem to be the easier and more likely path forward if there was a bidder at the right price.
Given the industry tailwinds, there could be multiple strategic and financial buyers interested in the company. Recent transactions in the cybersecurity sector include Cisco’s $28 billion acquisition of Splunk and Francisco Partners’ $1.7 billion acquisition of Sumo Logic. If Jana insists on selling Rapid7, it will likely ask the board to do so through a full sale process that achieves maximum value for shareholders. Additionally, Jana has a strategic partnership with Cannae Holdings, which could help it provide equity in a strategic deal with a private equity firm. Consider that Cannae partnered with a private equity firm to acquire Dun & Bradstreet in 2019. Even if Jana believes a sale of the company is the best way to optimize shareholder value, it is important to note that the company would still need to get the consent of the board. This does not seem like something the board and management would just walk away quietly. In such a case, Jana’s solution would be to launch a proxy fight, which could take time. The 2024 annual meeting was passed on June 13, and the director nomination period won’t open until February 13, 2025.
Ken Squire is founder and president of 13D Monitor, an institutional research service on shareholder activism, and founder and portfolio manager of 13D Activist Fund, a mutual fund that invests in a portfolio of activist 13D investments.