Logo of jester cap with thought bubble.

Image source: The Motley Fool.

DATE

May 5, 2026 • 4:30 p.m. ET

CALL PARTICIPANTS

  • Chief Executive Officer — Corey Thomas
  • Chief Financial Officer — Rafe Brown
  • Head of Investor Relations — Matt Wells

TAKEAWAYS

  • Annual recurring revenue (ARR) -- $832 million at quarter-end, reflecting a sequential decline attributed to contraction in standalone non-core offerings.
  • ARR: Core platform solutions -- Over 80% of total ARR, grew approximately 2% year over year, with detection and response representing 55% of ARR and growing at 7% year over year.
  • Non-platform offerings ARR -- Continued year-over-year and sequential decline, directly driving overall ARR contraction.
  • Total revenue -- $209.7 million, down 0.3% year over year; product revenue was flat, and services revenue declined modestly.
  • Non-GAAP operating income -- $24.4 million, representing an 11.7% margin, above internal guidance.
  • Non-GAAP gross margin -- 72%, declining approximately 280 basis points year over year, primarily due to increased staffing in global security operation centers.
  • Non-GAAP earnings per diluted share -- $0.36.
  • Free cash flow -- $33.4 million for the quarter, supported by strong collections.
  • Customers -- Ended the quarter with over 11,500 customers and an average ARR per customer of $72,000.
  • Balance sheet liquidity -- $670 million in cash, cash equivalents, and short-term investments, with an additional undrawn $200 million revolver.
  • Fiscal Q2 2026 ARR guidance -- Approximately $820 million expected, with core platform ARR projected to be flat sequentially and further sequential non-core ARR decline anticipated.
  • Fiscal Q2 2026 revenue guidance -- $207 million to $209 million, a projected year-over-year decline of about 2.9% at the midpoint.
  • Fiscal Q2 2026 non-GAAP operating income guidance -- $24 million to $26 million, implying a 12% margin at the midpoint.
  • Fiscal Q2 2026 non-GAAP EPS guidance -- $0.33 to $0.36 on approximately 78.3 million fully diluted shares.
  • Fiscal 2026 (ending Dec. 31, 2026) revenue guidance -- $836 million to $842 million, a year-over-year decline of around 2.4% at the midpoint.
  • Fiscal 2026 non-GAAP operating income guidance -- Increased to a $112 million to $118 million range, with a targeted full-year operating margin of 13.7% at the midpoint.
  • Fiscal 2026 non-GAAP EPS guidance -- $1.52 to $1.60 on approximately 79.4 million diluted shares.
  • Fiscal 2026 free cash flow guidance -- $125 million to $135 million, projecting a 15.5% margin at the midpoint.
  • Major strategic developments -- Acquired Kinzo Security to accelerate autonomous, AI-driven security operations aligned with the company's preemptive security strategy.
  • Significant customer wins -- Secured new Fortune 500 and health sector customers in seven-figure and large six-figure ARR deals, highlighting competitive wins in MDR and security platform adoption.
  • Platform innovation -- Introduced runtime validation and data security posture management capabilities to Exposure Command, allowing identification of vulnerabilities actively exploited in customer environments.
  • Go-to-market execution -- Organizational changes implemented by the chief commercial officer are yielding improved sales productivity and pipeline focus in core areas.

Need a quote from a Motley Fool analyst? Email [email protected]

RISKS

  • CFO Rafe Brown stated, "standalone non-platform offerings are not central to our strategy. As a result, their declines have been the driver of the sequential net ARR declines we have witnessed in recent periods."
  • Revenue guidance for fiscal Q2 2026 and fiscal 2026 projects continued year-over-year decline, with fiscal Q2 revenue midpoint down approximately 2.9% and full-year guidance midpoint down approximately 2.4%.
  • Non-GAAP gross margins declined by 280 basis points year over year, due to increased staffing costs, and management expects tightening cost management to support future improvement rather than immediate recovery.
  • CEO Corey Thomas said, "it is a growth driver, to be clear. It is not, but we are seeing the stabilization and improvements that we would expect, and we see good leading indicators that that business is set up to improve. But it is nothing that we can claim success or improvement on."

SUMMARY

Management emphasized the bifurcation between core platform solutions—which now account for more than 80% of ARR and delivered year-over-year growth—and declining non-core, standalone offerings that directly caused net ARR and revenue contraction. The company is investing heavily in AI and automation, exemplified by the acquisition of Kinzo Security and enhancements to the Command platform, aiming to position itself for long-term margin improvement and future ARR acceleration. New Fortune 500, health, and industrial customer wins were attributed to competitive differentiation in detection and response as well as exposure management capabilities. Updated fiscal 2026 guidance reflects intensified focus on profitability, with non-GAAP operating income and free cash flow guidance raised, while revenue outlook reflects expected continued declines. Management signaled that exposure management, while stable, has not yet returned to growth, and that the shift to platform sales, AI-driven value, and improved sales efficiency define near-term operational priorities.

  • The quarter marked the first full period of execution under a new sales leadership structure that drove measurable improvements in core pipeline concentration and sales productivity.
  • Upgrades to the Exposure Command platform—including runtime validation and data security posture management—enable customers to surface and address only those exposures that are both present and actually exploitable within complex environments.
  • Management framed increased vulnerability discovery driven by AI and frontier models as a multi-year industry tailwind, but noted that operational platform requirements for remediation, exposure, and response will rise, making their approach essential.
  • Integration of Kinzo is underway and will expand the company's machine-speed detection and investigation capabilities across more data sources during the year, but full monetization impact is expected to emerge via VM-to-Exposure Command upgrades and MDR adoption, not immediate incremental pricing.

INDUSTRY GLOSSARY

  • ARR (Annual recurring revenue): The contractualized, recurring portion of revenue normalized over a 12-month period, a key KPI for SaaS and subscription-based companies.
  • MDR (Managed detection and response): Outsourced security operations that combine human-led threat detection with automated response, typically delivered as a managed service.
  • Exposure Command platform: Rapid7 (RPD +2.93%)'s unified platform for exposure management integrating AI-driven detection, remediation, and security posture management.
  • Kinzo Security: Newly acquired AI-driven, agentic SOC automation technology designed for autonomous security operations at machine speed.
  • SOAR (Security orchestration, automation, and response): Software that enables automation of security operations workflows, incident response, and remediation activities.
  • SIEM (Security information and event management): Technology that aggregates, analyzes, and manages security data and events from across the IT environment to enable threat detection and compliance reporting.
  • DSPM (Data security posture management): Security discipline focused on mapping sensitive data, access, and risk posture across environments for proactive exposure reduction.

Full Conference Call Transcript

Matt Wells: Thank you, operator, and good afternoon, everyone. We appreciate you joining us. Today, we will be discussing Rapid7, Inc.'s first quarter fiscal 2026 financial results. We have distributed our earnings press release over the wire, and it can be accessed on our investor relations website. With me on the call today are Corey Thomas, our CEO, and Rafe Brown, our CFO. As a reminder, all participants are in a listen-only mode, and a question and answer session will follow our opening remarks. Before I hand the call over to Corey, I want to note that certain statements made during this conference call may be considered forward-looking under federal securities laws.

Such statements are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995 and include our outlook for the second quarter and fiscal year 2026, any assumptions for fiscal periods beyond that period, and our positioning, strategy, business plan, operational improvements, and growth drivers. These forward-looking statements are based on our current expectations and beliefs and information currently available to us. While we believe any forward-looking statements we make are reasonable, actual results could differ materially due to a number of risks and uncertainties including those contained in our filings with the SEC. Reported results should not be considered as indicative of future performance.

We do not undertake and expressly disclaim any obligation to update or alter our forward-looking statements, whether as a result of new information, future events, or otherwise, except to the extent required by applicable law. Further information on these forward-looking statements and risk factors are included in the filings we make with the SEC, including the section titled “Cautionary Language Concerning Forward-Looking Statements” in our earnings press release. Additionally, over the course of this call, we will use non-GAAP measures to describe our performance. Please review our earnings press release and filings with the SEC for a rationale behind the use of non-GAAP measures and for a full reconciliation of these GAAP to non-GAAP metrics.

These documents, in addition to a replay of this call, will be available on the Rapid7, Inc. Investor Relations website. And with that, I would like to turn the call over to Corey.

Corey Thomas: Thank you, Matt, and welcome to everyone joining Rapid7, Inc.'s first quarter 2026 earnings call. Let me start by sharing insights from the influx of conversations we have been having with customers as they navigate the rapidly evolving cyber landscape. CIOs and CISOs are telling us the same thing in different ways. Advances from frontier models have fundamentally accelerated the threat environment and outpaced operating models built to defend against it. Vulnerabilities can now be discovered and exploited autonomously, and attackers are moving at machine speed. This fundamentally rewrites the value equation in security.

The premium is no longer on detecting threats faster after they emerge; it shifts to preemptive exposure management, autonomous detection, and remediation at scale, closing the windows attackers exploit before they can be exploited at all. This is precisely the environment that plays to our strengths, and that is why our investments in the AI SOC and preemptive security operations are resonating so strongly with customers. The shift we are enabling from reactive to preemptive, from human scale to machine scale, is not a marketing reframe. It is the only viable path forward for teams that need to anticipate where attackers will move next, prioritize the exposures that actually matter, and respond at the speed of modern attacks.

Customers are looking for a partner who can unify their data, apply AI with the right context, drive remediation at scale, and translate all of it into measurable outcomes. That is exactly where we are focused. The core platform we are building across detection and response and exposure management is becoming the foundation customers turn to as they modernize for this new threat reality. By unifying exposure and inspection on the Command platform, and combining AI-driven operations with the depth of expertise that we have built over 25 years, we are giving customers a single, coherent way to reduce risk, disrupt attackers, and build durable cyber resilience.

The opportunity in front of us has never been clearer, and our conviction in this strategy has never been higher. Turning to the first quarter, I am pleased to report that Rapid7, Inc. delivered outperformance against all guided metrics. ARR of $832 million and revenue of $210 million were driven by sustained growth in our detection and response business, offset by trends in other parts of our business, particularly our non-core standalone offerings. Non-GAAP operating income of $24 million exceeded our guidance and helped drive strong free cash flow of $33 million. Our quarterly results reflect a greater focus on balancing strategic investment and driving scale in the business.

In detection and response, ARR growth of approximately 7% was driven by strength in our MDR business. Our approach to delivering AI-enabled SOC, combined with deep services expertise, continues to receive strong market validation, and this quarter we added a new Fortune 500 customer in a seven-figure ARR deal. In exposure management, we will continue to simplify the migration process of upgrading our large vulnerability management base into the Exposure Command platform. Our approach to a unified AI-driven exposure platform continues to resonate with new and existing customers. In this quarter, a large Fortune 500 customer consolidated on Rapid7, Inc. as their exposure platform of choice in a competitive deal cycle.

In the quarter, we acquired Kensile Security, an agentic platform built to run security operations autonomously and at machine speed. This is a direct accelerant to our AI SOC vision. Data mesh shifts customers away from a per-alert investigation model to a system-driven one. Coverage scales with the environment, not headcount. This unlocks two things: a meaningful tailwind for MDR growth and a path to higher contribution margins through software-driven efficiency. Most importantly, Kinzo opens the door to the full MDR market. Rapid7, Inc. is evolving into a preemptive, agentic security platform that accelerates the entire SOC, delivered either as a managed service or a self-managed platform.

By combining deep MDR expertise with exposure-driven visibility into vulnerabilities and attacker behavior, Rapid7, Inc. enables organizations to detect, investigate, and stop threats earlier. We also continue to innovate on our Exposure Command platform, delivering two major capabilities: runtime validation for cloud environments and data security posture management to strengthen proactive exposure reduction across hybrid environments. In plain terms, we no longer just tell customers what their vulnerabilities are. We tell them which ones are actively being exploited in their environment. Runtime validation determines what attackers can actually reach in production, and DSPM maps where the high-value data lives and who has access to it. Together, they collapse the noise and surface the small set of exposures that actually matter.

These steps accelerate the playbook we shared with you in February: strategically investing in our AI-enabled SOC to deliver preemptive security infrastructure while also deploying expert talent towards high-value customer engagements that AI cannot replicate. Turning to customer wins in the quarter, Rapid7, Inc. continues to be the partner of choice for global organizations securing complex on-prem, cloud, and hybrid environments. The go-to-market changes Alan, our chief commercial officer, put in place at the start of the year are beginning to bear fruit. We are running a sharper, more focused organization, and productivity has improved.

While it is still early, the operating discipline we committed to in February is beginning to take hold, and we believe that as an organization we can continue to drive efficiencies over the middle term. In this quarter alone, a Fortune 500 mining company with global operations selected Rapid7, Inc. as its MDR provider of choice in a seven-figure deal. This was a long, competitive sales cycle in which our SIEM and detection and response capabilities stood out to their security leaders. Rapid7, Inc.'s history managing cloud, hybrid, and on-prem environments and strong technical knowledge helped cement this decision.

After years of only covering a portion of its environment, a global Fortune 500 aviation manufacturer expanded with Rapid7, Inc. as their preferred global exposure management provider in a large six-figure deal. Capabilities of our Command platform combined with our in-house technical talent were resonant points during the expansion process. And lastly, a leading health services provider selected Rapid7, Inc. as their MDR provider of choice in a large six-figure deal. Previously, subsidiaries of the organization used disparate tools and lacked unified coverage. Rapid7, Inc.'s ability to address challenges at a regional and local level, in addition to unified coverage across ecosystems, stood out to security leaders at the organization.

Now, before I pass the call to Rafe, I want to dive deeper into the implications that the unprecedented shift to frontier models brings to the security landscape. I want to be clear that this market shift is a long-term tailwind for us, not a threat. Vulnerability discovery has been accelerating and commoditizing for years, driven by advances in AI coding and reasoning, and frontier models like Anthropic’s Methos and Google’s Big Sleep have made that trajectory undeniable. Methos surfaced more than 2,000 previously unknown vulnerabilities in seven weeks. That is a new baseline. But here is the part of the story that headlines miss. Methos commoditized vulnerability identification—finding bugs in code.

It does not commoditize the operational reality of managing those vulnerabilities across complex enterprise environments. It does not commoditize detection and response. It does not commoditize exposure management. If anything, it makes it all the more essential because the volume and velocity of findings every enterprise has to act on is about to increase dramatically. The value is migrating in three directions, and Rapid7, Inc. is at the intersection of each trend. First, remediation at scale. The Command platform provides the granular visibility and tracking required to manage thousands of findings across hybrid environments. Combined with our SOAR capabilities and Kenzo’s agentic AI, we are moving from traditional patch management towards AI-native remediation—identifying flaws and deploying fixes autonomously.

Second, detection and response. A faster discovery cycle on the attacker side means a faster response cycle on the defender side. Kenzo accelerates our MDR service from AI-assisted workflows to autonomous, machine-speed investigation. Detection is no longer the bottleneck; it becomes a precursor to near-instantaneous response. And third, preemptive exposure management. Our March releases of runtime validation and data security posture management move Exposure Command from continuous assessment to continuous validation, telling customers which exposures are actually exploitable in their environment against their sensitive data, given their identity surface. This is the shift the market is describing, and it is the shift that Rapid7, Inc. has been building toward.

More vulnerabilities found means more demand for an operational platform that turns findings into outcomes. To close, this is a moment of real change in our industry. We have the data foundation. We now have a step-change AI capability accelerated by Kenzo. And we have the expertise customers do not get from a model alone. The team is executing with urgency. The operating discipline is taking hold, and the work we are doing this year sets up share gains we expect to deliver over the medium term. With that, I would like to pass the call to Rafe to discuss Q1 results in more detail and our updated 2026 guidance. Rafe, over to you.

Rafe Brown: Thank you, Corey, and good afternoon, everyone. As a quick reminder, unless otherwise noted, all numbers except revenue and balance sheet items mentioned during my remarks today are non-GAAP. Please refer to our earnings release and SEC filings for additional details regarding the presentation of our results and guidance metrics. In 2026, I am pleased to report that we exceeded guidance across all guided metrics. We finished the first quarter with total ARR of $832 million. But let me add a bit more color.

I have now been at Rapid7, Inc. for five months, making this a good opportunity to step back and share some of my observations, which I think will also help you better understand our underlying mix of businesses, as well as the rationale for the strategy we are pursuing. A key takeaway is that while many people think of Rapid7, Inc. as a VM and DNR provider, that categorization of our business is incomplete. I believe that the business should be thought of in two distinct groupings. First, our core platform solutions group, comprised of our detection and response solutions, which includes MDR, and our exposure management business, which includes VM and Exposure Command.

These core platform solutions constitute more than 80% of our total ARR and have been the sustained growth driver in our business in recent years. As you know, we have different underlying trajectories within core platform solutions, led by our strong MDR business and work underway to return the exposure management business to growth. These core platform solutions are where our business is focused. As such, the performance of our core platform solutions is the clearest indicator of the ongoing transformation within Rapid7, Inc., and they are the solutions where we are concentrating product development and go-to-market resources. The remainder of our business mix, or second grouping, consists of standalone non-platform offerings.

As customers have shifted towards platform-based offerings over the past few years, these standalone non-platform products have declined on a year-over-year basis. While they remain profitable and we continue to support our customers using these products, standalone non-platform offerings are not central to our strategy. As a result, their declines have been the driver of the sequential net ARR declines we have witnessed in recent periods. With the benefit of that context and framing, let me unpack our Q1 ARR performance.

Our core platform solutions, now totaling over 80% of our overall ARR as I shared moments ago, grew approximately 2% on a year-over-year basis, led by our strongest offer in the group—our detection and response business—which, at approximately 55% of total ARR, grew approximately 7% on a year-over-year basis. While DNR growth was partially offset by our exposure management business within these core platform solutions, we remain pleased to see ongoing momentum in our more holistic Exposure Command offerings, driven by both new customers and customers migrating to this new platform.

We are not where we want to be across all elements of our core platform solutions, but re-accelerating the growth of these core platform solutions is the focus of our strategy, and where we are placing our bets, as you heard Corey describe in detail earlier. In contrast, our non-platform products declined in the quarter, driving the sequential decline we saw in total ARR. As we plan for the remainder of 2026 and beyond, we see opportunities to optimize margins for these standalone, non-platform solutions as we take steps to improve the alignment of our investment resources toward growing core platform solutions. Returning now to other important metrics, total revenue of $209.7 million declined 0.3% year over year.

Within this, product revenue of $204 million was flat year over year and services revenue declined slightly. We finished the quarter with over 11,500 customers and an average ARR per customer of approximately $72,000. Turning to first quarter profitability, total non-GAAP gross margins of 72% were down approximately 280 basis points year over year, consistent with our expectations, driven by improved staffing in our global security operation centers. We reported non-GAAP operating income of $24.4 million, or a margin of 11.7%, favorable to our guidance. This upside to profitability drove non-GAAP earnings of $0.36 per diluted share. Free cash flow totaled $33.4 million in the first quarter, driven by strong collections.

From a balance sheet perspective, we ended the first quarter with $670 million in cash, cash equivalents, and short-term investments. In addition to these resources, we have a $200 million undrawn revolver in place. Our cash and investment balances, undrawn credit facility, and continued free cash flow generation give us confidence in our ability to settle our March 2027 convertible debt upon maturity as well as fund ongoing operations. This brings us to second quarter 2026 guidance. We expect to end the second quarter with ARR of approximately $820 million.

On a sequential basis, we expect ending ARR for our core platform solutions—DNR and exposure management—will be approximately flat quarter on quarter, with an expected sequential ARR decline in our non-core standalone, non-platform offerings. For the second quarter, we expect total revenue in the range of $207 million to $209 million, or down approximately 2.9% at the midpoint on a year-over-year basis. Non-GAAP operating income is expected to be in the range of $24 million to $26 million, or a margin of 12% at the midpoint. Non-GAAP earnings per diluted share are expected in the range of $0.33 to $0.36 on approximately 78.3 million fully diluted shares.

Updating our full year fiscal 2026 guidance, we expect total revenue in the range of $836 million to $842 million, a year-on-year decline of approximately 2.4% at the midpoint. We are raising non-GAAP operating income guidance to a range of $112 million to $118 million, or a full year non-GAAP operating margin of 13.7% at the midpoint. As previously highlighted, the business exited 2025 with a higher expense run rate, reflecting 2025 investments across people, technology, and our India global capability center. By closely managing ongoing investments, we expect non-GAAP operating margins to improve to the mid-teens as 2026 progresses, and we remain focused on continuing to improve operating margins in 2027.

Non-GAAP earnings per share are expected to be in the range of $1.52 to $1.60 per share on approximately 79.4 million fully diluted shares. We expect 2026 free cash flow in the range of $125 million to $135 million for the full year, flat with prior year performance at the midpoint and a free cash flow margin of approximately 15.5%. In conclusion, there is a tremendous opportunity for cybersecurity companies who can help their customers respond at the incredible pace of new vulnerabilities and increasing attacks. Rapid7, Inc.'s core platform offerings of detection and response and exposure management are uniquely positioned to help companies navigate these threats, which we believe presents a long-term growth opportunity for our business.

And with that, I would like to turn the call over to the operator for Q&A.

Operator: If you have joined by the webinar, please use the raise hand icon which can be found at the bottom of your webinar application. When you are called on, please unmute your line and ask your question. We kindly ask that you limit yourself to one question and one follow-up. Our first question comes from Michael Cikos with Needham. Please unmute your line to ask your question.

Michael Cikos: Hey, guys. Thanks for taking the questions here. Can you hear me okay?

Operator: Yes, we hear you just fine.

Michael Cikos: Terrific, thank you again. I just wanted to start out with the guidance we have here for the ARR, and thanks for splitting out the core versus the non-core. Could you help us think about that core business? Where are we specifically with exposure management in helping that business start to see growth versus some of the headwinds we have seen in recent quarters?

Corey Thomas: Yes. Rafe and I can tag-team it. On exposure management, we are happy that we are seeing stabilization. I would not say that it is a growth driver, to be clear. It is not, but we are seeing the stabilization and improvements that we would expect, and we see good leading indicators that business is set up to improve. But it is nothing that we can claim success or improvement on. We are still working through the upgrade cycle in a noisy environment.

We are optimistic that the backdrop of what is happening in AI gets customers refocused back on the need to take exposure management seriously as a priority, because there was lots of noise before about all the things people could focus on. We are certainly heartened by the early conversations, but that is not something that we will translate directly into a forecast or guide at this stage.

Michael Cikos: Understood. And for the guide here, again, I know we are navigating the core versus the non-core ARR components. If I am just looking at the guide we have here on the ARR for Q2—and I know you guys are only guiding a quarter out at this point—it is less than what consensus had been thinking about here. Can you give us a flavor for what the shape of the rest of the year looks like, or any other things we should be mindful of as we navigate the next couple of quarters since we are only getting that ARR data point from a guidance standpoint on a quarterly basis?

Corey Thomas: We are only guiding the quarter right now, and as Rafe says, we want to make sure that you have the transparency as we go through it. The one thing I will comment on is, clearly in the first half of the year, we are seeing the non-core—which I have talked about before—decelerating off at a faster rate. Our core is still a net positive contributor. As that plays out, we will see how that plays out and whether we see the acceleration in exposure and the impact of DNR. I would just say, to give you revenue guidance, we feel very good about that. We have lots of confidence in all the measures that we guide on.

We will keep you updated as we go along, but we are not doing any further breakouts right now.

Michael Cikos: Thank you. I will leave it there.

Matt Wells: Thank you. Appreciate it.

Operator: Our next question comes from Matthew Hedberg with RBC. Please unmute to ask your question.

Analyst: Hey, guys. This is Mike Richards on for Matt. Appreciate you taking the question. It made a ton of sense when you were talking about the changes with Methos and the other frontier models and how that can act as a tailwind for Rapid7, Inc. But I was wondering about how these changes are impacting customers. Is there confusion in the market around frontier models and vulnerability discovery and what that means versus exposure management, or do they get it? Any details you can provide on what the customers are thinking right now?

Corey Thomas: It is a great question. Number one, I think there is probably more confusion with investors than there is with security experts, which we understand, which is why I wanted to clarify it in my prepared remarks. Most customers—there are two classes of things that are going on. Customers that have the expertise on staff are expecting a lot more scale of vulnerabilities and confusion. What we are hearing from them is the need to really focus on exploitability, understanding what is in the environment, focus on understanding reachability—what is happening—and then remediation and organization management at scale, which requires an understanding of the attack surface. These are all things that we are focused on.

We are accelerating our efforts to make it easier for customers to understand which vulnerabilities matter most, because there is going to be a lot of real things and a lot of noise. As things surge for customers, they are remediating and addressing the most important things as quickly as possible. What we have seen so far with customers is that those that are in the know understand it and are focused on it, and they are asking us how we can help them actually manage the complexity of having a lot more to manage. There will be a lot more real stuff to address, and there is going to be a lot more noise too.

There are also a lot of customers that are less mature in their cycle, and the word vulnerability is vulnerability, but the knowledge does get out there. They will have to respond. They will not be able to remediate everything all at once, and so they too will have to understand it. The tricky part for an investor is that “vulnerability”—whether you do discovery or scanning or vulnerabilities in code—sounds the same, but they are very different. Code-level vulnerabilities are very different than vulnerability management, which is very different than exposure management. Exposure management is about addressing the things that are actually exploitable and the vulnerabilities that actually lead to compromise, and doing that at scale across the environment.

There are differences, but using the word vulnerability can cause nuance and confusion.

Analyst: I appreciate it. That is helpful. Yes, that is super helpful. And just as a quick follow-up, maybe taking a step back from a macro perspective, are you seeing any change in customer behavior as it relates to geopolitical uncertainty or even AI budgets crowding out, as we have heard of more and more enterprises running up on their AI budgets and that impacting other areas of enterprise software spend?

Corey Thomas: Everyone is trying to figure out what is the right way to budget and plan for it. That is an obvious thing that organizations all over the world are trying to figure out—what is the right AI strategy, how do I budget for it, how do I plan for it, and how do I deal with the leapfrogging that happens from time to time? Universally, this is a year where, more than ever, we are seeing customers looking for how they can start showing real benefits and new outcomes from the technology. It is moving from pilots to delivery. That is what makes me excited about the investment we have made organically and with Kinzo.

Customers are in the “show me” stage, looking for how we can help them scale their security operations. I hardly know any customers that are getting a lot more people allocated to the teams, so they are looking for technology and services to scale their security operations, and that is where we are focused. Thanks again for your questions.

Operator: Thank you. Our next question comes from Joseph Gallo with Jefferies. Please unmute to ask your question.

Joseph Gallo: Hey, guys. Thanks for the question. I want to ask one high-level one and one explicit about Q2. High level, you are investing in areas of growth—MDR, go to market, integrating AI. How should we think about the trade-off between stabilizing ARR growth and maintaining gross margins going forward? Any guardrails that we can think through?

Corey Thomas: Our team has a very clear mandate: we have to scale margins. We feel that we have the right setup for that. If you think about our MDR business, which is our fast-growing business that historically has had less contribution margins at scale than some of our other businesses, that is also a business where we expect gross margins to expand. That was a big part of Kenzo’s thesis—that we can deliver better service with better efficiency and better cost leverage. We are excited by that. Delivering our customers a better experience and doing it more efficiently is good for our investors too.

Both myself and the management team have a mandate that we have to expand margins over time, but we are willing to make tactical investments to make sure we are doing it the right way. It was absolutely the right thing to do this year, as we saw the tsunami of cyber risk hitting customers, to make sure that we were properly staffed in our MDR environment to manage and respond, and to deliver a great quality of service, which leads to long-term retention and expansion. We know that we can do more AI automation to handle some of those soft services over time.

We feel very good that we made the right decision to make sure customers are set up well, and we are managing the business to expand margins over time.

Rafe Brown: I would just call out, as we mentioned in our remarks, we continue to expect to see bottom-line margins improving as we go across 2026. When we do planning, we roll it out and look at carryforward numbers to make sure we are very conscious of run rates going into the next year. In 2025, we saw some investment, and we knew that would impact year-over-year comparisons in the first part of the year, but you will start to see the benefits of that and see those improving margins even here in 2026 as we move to the back half of the year.

Joseph Gallo: That is very clear and really helpful. Maybe just a follow-up. I want to understand exactly what our takeaway should be with your Q2 ARR guide. Q1 declined $8 million quarter over quarter. You are guiding to another decline of $12 million. Is that 20% of the non-core business? Is that churn getting worse? Is it lower expected new business for the 80% of the business that is growing? We are one month into Q2, so I am curious what you are seeing in Q2 that indicates that new ARR might be a little bit worse than you saw in Q1.

Corey Thomas: In Q1, even though we expect other, or the non-core, to churn—and it is not a core area of focus or investment—when we see acceleration, we take a more cautious outlook. We definitely saw acceleration of the churn in Q1 in the standalone non-core businesses, and we are taking an appropriately thoughtful viewpoint as we go into Q2. I also do not want to predict that we are going to overcompensate for that by acceleration of core. That is the primary driver and takeaway now. That is part of why Rafe gave the commentary.

Rafe Brown: That is exactly right. We wanted to share that color on what is going on, because it is important for everyone to see where our core business is, how it has been growing, and have that clarity. That is going to be the long-term future for the organization, and those products will be the ones that we are taking to customers on a regular basis. We hope by breaking that out, that illuminates exactly what is going on.

Joseph Gallo: It is extremely helpful. Thank you very much for that. Thanks. Thank you very much.

Operator: Our next question is from Adam Tindle with Raymond James. Please unmute to ask your question.

Adam Tindle: Okay, thanks. Good afternoon. I just want to continue on the topic of core versus non-core. If I rewind back, Corey, I know the strategy was to really create a lot of synergy between the platform historically. As we fast forward to today and have one piece of the business that is understandably non-regrettable churn or in decline, how are you managing the impact on core while non-core churns? I imagine there is some customer overlap. Why would churn in the non-core piece potentially not impact core? What are you doing to mitigate that potential risk?

Corey Thomas: It is exactly the right question. Whenever you have dynamics—and just to remind you, non-core includes things that are lower on the priority list and some legacy standalone stuff—you hit the core point. As you manage these things, what we have to do well is help customers scale their security operations, and the core of that is the preemptive platform with exposure management and detection and response, and how we weave that together. There is a subset— not all customers are overlapping. We have a healthy amount of standalone customers. For customers that are overlapping, their experience matters deeply, and our teams are actively working to make sure that we deliver those customers the right experience.

In the world of rapid innovation at the pace of AI, we are rapidly rolling out new services that address their need, and we are expanding their scope and their experience with us. If you look at some of the announcements we have been making, we have been picking up our pace of innovation, our pace of things that we are communicating to the market, and our pace of what we are providing customers as far as their existing subscriptions. Our view is, if we do that well and keep delivering on that, we are adding more strategic value in areas that matter more, and therefore we can continue to focus on those areas.

These types of transitions have to be managed well, and it is something that we are focused on.

Adam Tindle: Rafe, maybe just a quick follow-up. You talked about the silver lining being profitability. I think you mentioned mid-teens operating margin in fiscal 2026 and that you expect to continue to improve in fiscal 2027. It is uncommon that we see platforms undergoing growth pressure that are still able to scale and not experience lack of leverage on the downside. What are the drivers in terms of your confidence in margins in mid-teens and continuing to improve in fiscal 2027, and any parameters you would like to set so we can understand what “continue to improve” in fiscal 2027 might mean?

Rafe Brown: What is giving us confidence as we go through 2026 is, first of all, recall that there was a great deal of investment across people and technology last year, including opening up the India center. All of those things happened in 2025. Especially in the early parts of the year, the year-over-year comparisons bear the brunt of that cost uptick. A lot of that work was in place to help build efficiencies in our organization, giving us locations where we can get great productivity at an affordable rate. Having SOCs around the world on a global basis is important to our customers, but also important to our efficient operations.

As we get people ramped up and get that part of the business locked in, that is offering efficiencies for us. We are also being very careful in 2026 about cost management across the board. We want to deliver on the commitment we have made on margins, so we are being cautious about where we spend. Some of this plays out when we talk about core versus non-core—being clear about where we should invest to drive long-term growth versus where we need to be more moderate in how we manage those costs.

All of that together is driving what we are planning for 2026 and giving us confidence as we look at those run rates as we leave this year into next. Thank you.

Operator: Our next question comes from Jonathan Ho with William Blair. Please unmute and ask your question.

Jonathan Ho: Hi, good afternoon. I wanted to dig a little bit into the emergence of the Methos models. How do we think about the broader opportunity set around MDR and CTEM evolving with that AI landscape, and how does your product specifically need to change to address the emerging landscape?

Corey Thomas: Great question, Jonathan. I think you have to first understand what is changing for customers in order to understand the work we are doing that is valuable and the work we need to do differently. Customers are going to see an influx of zero-days. They are going to see a much larger volume of vulnerabilities. They are going to see more exploitable vulnerabilities, but the amount of vulnerabilities they see are not all going to be exploitable. Their ability to figure out what really matters is going to be key. Their ability to manage remediation at scale in tighter time frames matters.

If you could do remediation in months before, then figuring out which stuff matters and managing the remediation in days, weeks, and months as appropriate is critical. We have a massive remediation backlog overall. The pace of exploiting vulnerabilities is increasing, and dwell time is shrinking. People will have to go from detection quickly to active response. That is another significant change. Customers will be dealing with speed, scale, and the need to respond quickly without breaking things. Where does that go?

Rapid7, Inc. has a long history of focusing on exploitability, and our security researchers are accelerating and moving our models and upgrading those to deal with the increasing insertion and speed to discern what is exploitable from what is not. As we built out our overall exposure management framework, we believe that vulnerabilities are not the core thing that matter in themselves. It is the intersection of vulnerabilities, how devices and networks and technology are configured, as well as the controls in the environment. After all, that is what exploitability is—it is reachability combined with what controls are in place and what is configured, combined with what is vulnerable. We understand that better than most organizations.

The last piece we invested in is Kenzo, which is the detection accelerator. We are upping the visibility and the ability to quickly process what is exploited in the environment. We are accelerating investments in remediation management to help customers track and manage remediation across the environment. We were already bringing forth Kinzo for instantaneous detection, but we are also investing heavily in leveraging our understanding of both the configuration surface and the control surface to help customers understand the best interdiction or immediate intervention options they have to contain attacks. They will have to respond in the moment, and sometimes a forward remediation is not available.

Those are the things that are changing for the customer, the things we are investing in, and the things we are accelerating and changing in our technology.

Jonathan Ho: Thank you. I will keep it to one.

Operator: Next question is from Eric Heath with KeyBanc. Please unmute to ask your question.

Eric Michael Heath: Alright, thanks for taking the question. Maybe one for Corey and one for Rafe, if I may. Corey, Glasswing has been out for about a month and it feels like there is a lot of urgency out there. What impact have you seen thus far in Q2 in the pipeline? And then for Rafe, very much appreciate the color on the platform growth and the guidance. Any specificity you can give on how net new ARR in Q1 was for core platform, and how we should think about the exit rate for the non-core platform products as we exit 2026?

Corey Thomas: I have hit on it partially before. With Glasswing, there are two things. There is a small cohort of our customers who have seen it and accessed it, and they want insights into how we help them deal with the truly exploitable ones and also the volume and the noise. That feedback and engagement is driving some of the strategy I talked about earlier. Then there are those on the outside trying to figure it out, and they are looking for perspective about how much this changes their technology strategy. Do they have to put all new projects on hold and do remediation for the next six months? If so, what type of remediation? They are in a necessity mindset.

We are still in the early days because many organizations do not know the magnitude of the impact specifically for them.

Rafe Brown: To add a bit more color on the first quarter, we were really pleased with the sales organization and their hard work in Q1. You will recall that we had a new leader—Alan joined late last year. He made a few changes on the team, even as we started this quarter, and the team executed well. Productivity increased across the quarter. We saw good execution on a lot of operational details that are important to running a sales organization. That translates into our core platform solutions, where within core, the detection and response business—which is now 55% of total ARR, a little more color than we have shared in past quarters—grew at 7% on a year-over-year basis.

That is new, net of any churn we had in the quarter. Combined with exposure management solutions, that whole core solution group was growing at 2%. Good execution on the top line, good work from the product team helping our customers, and execution all around ensured that core numbers were growing in the first quarter.

Operator: The next question is from Srinivas Guthari with Baird. Please unmute to ask your question.

Analyst: Thanks a lot for taking my question. A follow-up to Jonathan’s, and Corey, thanks for the color on how the value will shift towards remediation at scale and exposure validation. In terms of monetization and timing, how does that show up in practice in this post-frontier AI model world—in terms of MDR, urgency for Exposure Command upgrades, runtime validation, and the broader platform?

Corey Thomas: Our current plans—this is probably a double using baseball parlance—are for this to be a catalyst to help move the priority of exposure management back to the forefront, which significantly helps with the VM upgrade initiative and focus. That is our focus. We are not looking to charge incrementally for it. We think we have a monetization plan that is already attached to it. Seeing the VM-to-Exposure Command acceleration in the upgrade program is where we expect to see the monetization. We are accelerating some things along with that strategy where we focus and tighten how you manage remediation at scale, how you assess exposures from both a control and a configuration standpoint, and how you do active response.

On the MDR side, the thing I am talking to most customers about is how they enable active response and do more automation and more AI-driven response across their portfolio. Customers are getting comfortable with that. Our goal is to lead that discussion with trust. That is an expansion area, an investment area, and a potential monetization area, though it is a bit too early. It is one of the biggest incremental areas where we are recalibrating resources: how we shift active response to machine speed while ensuring we can do that safely based on our knowledge of the overall attack surface, the control surface, and the configuration surface.

Analyst: Very helpful. Thanks a lot, Corey. And just a follow-up, Rafe—you talked about prudence in the non-core guide and more confidence in the core platform growing. In terms of the go-to-market changes that have been put in place bearing fruit, can you unpack what is happening in the plumbing? Is there a healthier mix of more singles and doubles now? Is the channel-sourced pipeline more efficient? Is there a better upgrade motion?

Corey Thomas: The big one is that Alan has really tightened the focus on selling the core, which is DNR, Exposure, and the Command platform integrated capability. When you have a strategy, you are not selling all over the place. We have a tighter focus there. We are seeing tighter pipeline builds in those areas and more focused, consistent execution. The biggest thing is that as we set targets, we hit the targets. We all want to see acceleration and faster growth, but we have confidence in the trends of how we are seeing business performance start to shift.

We want everything to go faster, but we have confidence in both the management and the visibility that gives us confidence about how we see the year standing now.

Operator: Our next question is from Mina Marshall with Morgan Stanley. Please unmute to ask your question.

Analyst: Hi, this is Abhishek Merli on for Mina Marshall. Thanks for taking the question, and congrats on the quarter. I wanted to touch on Kenzo Security and where that product sits in the roadmap in the context of AI-driven investigation. What capabilities have already been incorporated into customer workflows versus what remains in development? Should we think of it as improving productivity or customer-facing remediation? Any further details on that?

Corey Thomas: Kenzo was excellent. Their data mesh and their model were extraordinary at doing investigations at scale. It was an alert processing engine that allowed you to process alerts from all over the environment. We are in the act of integrating it right now. It is not a done integration. The team has come in; we are integrating it and will be rolling it out to customers starting in the next couple of months and then through the rest of this year. The core of what Kenzo does is an AI platform for processing alerts and doing high-quality investigations at scale.

Typically, an analyst gets an alert, has to make sure it is not duplicated—over time, SIEMs did not do a good job of this; DNR systems like Rapid7, Inc.’s did a good job with deduplication. Then you have to collect knowledge and context to figure out whether it is real or false. Once you have a sense of whether it was real, you have to do another level of investigation to figure out how bad it was in the environment and what you need to contain and remediate. That took hours and days. Kenzo is excellent at doing that in massive volume and at machine speed, with better efficacy rates.

We are taking it in, applying the model, and extending the model to hit not just alerts but a much wider range of data sources as we go forward. The other part we are adding in at Rapid7, Inc. is that, because we have deep knowledge of the environment, we have a wider range of response options available. That is new development work in progress, so I will not get too far ahead, but customers need to know how they can respond at speed and scale.

Some of that will be used in our technology and some in third-party technology, but we have to have the brain to know which controls and systems to leverage at scale—whether existing controls or new startups—based on our knowledge of the environment.

Operator: Our next question is from Adam Borg with Stifel. Please go ahead.

Adam Borg: Thanks for fitting me in, and I will just stick to one. Corey, you talked at length about how the frontier models are driving increased vulnerability identification, but that is really where the tailwinds begin for you. Investors may be a little more confused on their role over time. What is preventing these frontier models from moving from identification of vulnerabilities toward exploitability, reachability, prioritization, and remediation that you talked about? They seem to be talking about moving in that direction. Any way you could talk about the moats that a vendor like yourself has to prevent that from occurring would be helpful. Thanks.

Corey Thomas: There are three different moats that matter. First, this is not versus the frontier models—we leverage frontier models inside Rapid7, Inc. Anyone who is not leveraging frontier models is not going to be relevant. This is about where the use cases matter. If anyone has used frontier models at any scale, you know you have to discern the cost of the activity you are doing. Someone can scan and do exploitability analysis in the environment, but they are paying a lot more than what you get for the same information in a core vulnerability management system. Frontier models are not designed to do that efficiently now. Could they build specialized software to do that?

Potentially, yes, but then you are building the product and you have to operate it at scale and cost. As someone who has tested these systems, you can run up a lot of money doing what you think is a straightforward scan. Second, it is not whether something is vulnerable; it is whether it is actually exploitable in the environment. Exploitability means you have to understand not just the vulnerability—you have to understand the configuration of the complete environment and the controls and how they intersect. That is specialized knowledge and data we have optimized around. We understand what is exploitable, what is reachable, and how that is configurable in the overall environment.

Third, when you get to taking action and responding in the environment, I do not think anyone wants a frontier model running rampant making configuration changes for active defense and active response in their environment. Models are updated all the time, and by many of the authors’ own admission, that is not how most people will trust security to be handled. For autonomous response, you need the knowledge base and you need the trust. We are building active response on a system of trust and knowledge. That is a big deal because you do not want your active response being too clever.

If you give the keys to systems that can make any type of change in the environment, minor errors can cause catastrophe. Most CISOs and IT people know that. They are looking for things that do the mission well and cost effectively. We are adopters of the technology, but it is important to understand the constraints too.

Adam Borg: Incredibly helpful. I really appreciate it.

Operator: Last question comes from Gray Powell with BTIG. Please unmute to ask your question.

Gray Powell: Thank you very much. Can you hear me?

Operator: Yes.

Gray Powell: Excellent. Thank you for taking the question. I think you hit on this before, but I want to circle back on the non-core products and how we should think about that trendline stabilizing over the next 12 months. If I am doing the math correctly, in ballpark terms, I would assume that non-core is maybe a little over $150 million in ARR. Q2 guidance implies that it is down about $10 million. Is there a level where we should think about that number stabilizing? And they are existing customers, so why is there not an opportunity to upsell them on the platform? Is there a conversion opportunity there?

Rafe Brown: Thank you for the question. The best way to think about it is we are trying to build out robust platforms that are attractive to our customers. Some of our customers have platform offerings but may have also bought something standalone. That is part of the equation. As Corey mentioned, it is very important that we take care of these customers and that their whole experience with Rapid7, Inc. is very important. We think there is also an opportunity for those who may not have a platform solution to migrate onto one of our platforms. We are looking for technologies that we can integrate in and make that platform richer. That is our number one focus around those customers.

I wanted to break that out because this trend has been going on behind the scenes for some time over the last few quarters, where you will see those standalone non-core offerings are where we have had more of the challenges on the renewal front. What we are calling out is that we are focused on building attractive platforms with robust technology. That creates an upgrade path for many of our customers and allows us to focus on meeting the demands of the present market.

Gray Powell: Understood. Okay. Thank you very much.

Analyst: Thank you very much.

Operator: Thank you, everyone, for joining. This concludes today’s call. You may now disconnect.