Krisanapong Detraphihat | Moment | Getty Images
Company: Rapid7 (RPD)
Company: Fast7 is a global provider of cybersecurity software and services. The products span information security, cloud operations, development and information technology teams, allowing them to understand attackers and use that information to take control of their fragmented attack surface. Rapid7 Managed Threat Complete is the company's flagship offering and includes the Rapid7 Managed Detection and Response program. Rapid7 also offers risk and threat coverage through InsightIDR and Insight VM services, making them available in one package. Its security solutions help more than 11,000 customers worldwide unify cloud risk management and threat detection.
Market value: $2.69 billion ($43.23 per share)
Rapid7 in 2024
Activist: Jana Partners
Percentage ownership: n/a
Average costs: n/a
Activist commentary: Jana is a highly experienced activist investor founded in 2001 by Barry Rosenstein. The company made a name for itself by taking deeply researched activist positions with well-thought-out plans for long-term value. Rosenstein called his activist strategy “V cubed”. The three “Rs” were: (i) Value: buy at the right price; (ii) Voting: knowing if you have the votes before starting a proxy fight; and (iii) Multiple Ways to Win: having more than one strategy to increase value and exit an investment. Since 2008, the company has gradually shifted that strategy to one we characterize as the three “S's” (i) Stock price: buy at the right price; (ii) Strategic activism: sale of company or spin-off of a company; and (iii) Star Advisors/Nominees: Work with top industry executives to advise them and, if necessary, take on board positions.
What is going on
On June 26, The Wall Street Journal reported that Jana has taken a significant stake in Rapid7 and may push the company to sell itself while also improving operations and forecasts.
Behind the scenes
Rapid7 is a cybersecurity company that extends the expertise of its customers’ security operations. Its flagship offering, Managed Threat Complete, combines end-to-end 24/7 managed detection and response with vulnerability management offerings. Historically, the company has focused on on-premises cybersecurity operations, but is now beginning to expand into the explosive growth area of cloud security. Rapid7 operates in a highly attractive sector and benefits from several significant tailwinds. At a time when software budgets are being cut or reallocated to AI, the threat of cyberattacks is high and the risk that spending on these types of services will remain flat or increase is high. In addition, the number of cybersecurity analysts and in-house security staff is limited, creating a huge need for outsourcing. With more complex operations and numerous applications both on-premises and in the cloud, Rapid7 is well positioned to continue growing and strives to be a high-value provider for subject matter experts who may not be able to afford the services of their largest and most expensive competitors.
Despite its favorable position, the company has delivered negative returns on a one-, three- and five-year basis. Rapid7 is one of the top three players in vulnerability management, but it has been assigned a much smaller revenue multiple (3x) compared to peers Tenable (5.5x) and Qualys (8x). One factor here is that Rapid7 offers a mix of low- and high-growth cybersecurity offerings, which is difficult to value, but more important are the multiple missteps by management, compounded by a lack of board oversight. First, the company has undergone changes to its sales model, including a shift from selling individual offerings to selling packaged products. It has also moved from direct to a channel model. Subsequently, the company has encountered challenges in bringing its cloud product to market. Additionally, to transition from pure growth to a profitable software company, Rapid7 has focused on achieving targets for $160 million in free cash flow and improved margins. In August 2023, probably to achieve these goals, the company abruptly announced plans to reduce its workforce by 18%. Rapid7 has had further retention issues in key leadership roles, including departure of its Chief Innovation Officer and its very important COO and President. Finally, the company has failed to make good forecasts, which has led to enormous uncertainty among investors and questions about the board's oversight. In February 2024, the company released its 2024 guidance, which it said it was very confident about, only to lower it in May when the company has delivered its Q1 results. That led to a 17% drop in the stock price on May 8. This is a company operating in a very complex and dynamic space – it’s doing everything at once and seemingly has failed to deliver on its results.
In a company like this, there are typically two paths to creating shareholder value: (i) a long-term plan involving a board overhaul, a management overhaul and a review of strategic and operational plans and (ii) a shorter-term plan to sell the company to an interested buyer who can implement these changes. Regarding the long-term plan, Jana typically works with industry executives and consultants to conduct due diligence and implement its activist plans, and we do not expect this situation to be any different. The company will often bring these individuals to the table to serve as director nominees, if deemed necessary. Jana has experience getting these experts onto corporate boards, where they often serve as assets to help the company correct its problems, from operations to governance to capital allocation. But Jana also has extensive experience in strategic activism and selling portfolio companies. We expect Jana will advocate for the strategy that she expects will maximize shareholder value on a risk- and time-adjusted basis. Given the problems facing the company and the CEO's lack of focus (in addition to his role as Chairman and CEO of Rapid7, Corey Thomas is on the Advisory Committee on National Telecommunications SecurityChairman of the Federal Reserve Bank of Boston and a member of the Council on Foreign RelationsHe is also a member of the board of the Blue Cross Blue Shield of Massachusetts, LPL financial And Vanderbilt University.), it seems that a sale can be an easier and more secure path if there is a buyer who pays the right price.
Given the industry tailwinds, there may be several strategic and financial buyers interested in this company. Recent transactions in the cybersecurity sector include Cisco's $28 billion acquisition of Splunk and Francisco Partners' $1.7 billion acquisition from Sumologica. If Jana advocates a sale of Rapid7, she will ask the board to do so through a complete sale process that delivers the highest value for shareholders. Moreover, Jana has one Strategic collaboration with Cannae Holdings, which could be useful in providing equity in a strategic transaction with a private equity firm. Recall that in 2019 Cannae collaborated with private equity firms to buy Dun & Bradstreet. It’s important to note that even if Jana believes a sale of the company is the best way to maximize shareholder value, the company still needs to convince the board of directors. This doesn’t sound like a board and management team that’s going to sit back and relax. In such a case, Jana’s remedy would be to start a proxy fight, but that could take a while. The 2024 annual meeting just ended on June 13, and the director nomination window doesn’t open until February 13, 2025.
Ken Squire is the founder and chairman of 13D Monitor, an institutional research service on shareholder activism, and the founder and portfolio manager of the 13D Activist Fund, a mutual fund that invests in a portfolio of activist 13D investments.