Rapid7 (RPD) Q1 2025: Detection & Response Now 50%+ of ARR as Upgrade Cycle Lags
Rapid7’s first quarter saw detection and response (DNR) climb past half of total ARR, but the company’s risk and exposure management upgrade cycle fell behind plan as mid-market budget constraints and macro caution extended deal cycles. Profitability and cash flow held up despite top-line pressure, but the path to reaccelerated growth depends on converting a large install base to modern platforms—a process now taking longer than leadership expected.
Summary
- DNR Surpasses 50% of ARR: Detection and response momentum offset ongoing risk management headwinds.
- Upgrade Cycle Drag: Exposure Command migrations slowed by mid-market budget caution, delaying growth stabilization.
- Profit Focus Maintained: Operating discipline and India center efficiency support margin resilience amid macro uncertainty.
Performance Analysis
Rapid7’s Q1 results reveal a business increasingly anchored by detection and response (DNR), which now accounts for over half of total annual recurring revenue (ARR) and grew at a mid-teens rate. This segment’s expansion is driven by persistent demand for managed detection and response (MDR)—a managed security service providing 24/7 threat monitoring—especially as customers seek broader visibility and automation to address complex threat environments. The DNR business benefited from recent product enhancements, including the Intelligence Hub and expanded AI-powered capabilities, which resonated with both new and existing customers.
However, the risk and exposure management business remains a material drag, with continued deceleration in traditional vulnerability management (VM) and a slower-than-expected upgrade cycle to the integrated Exposure Command platform. Macro caution, especially among North American mid-market customers, extended deal cycles and suppressed new bookings, leading to a 4% ARR growth rate that fell below internal targets. International revenue provided a partial offset, growing 10% and now representing a quarter of total revenue, but the softness in the U.S. core weighed on overall performance.
- Detection Response Drives Growth: DNR now exceeds 50% of ARR, fueled by MDR adoption and product innovation.
- Risk Segment Under Pressure: Traditional VM continues to decline, with Exposure Command upgrades lagging due to budget constraints.
- Margin Resilience: Gross margin at 75% and disciplined opex spending supported operating income above guide.
Despite top-line challenges, Rapid7 delivered revenue and profitability above guidance through operational discipline, with free cash flow of $25 million and a strengthened capital structure following convertible note repayment. The outlook for growth remains tempered by macro uncertainty and the pace of exposure management migrations.
Executive Commentary
"Our detection response business continues to be our growth engine, anchored by strong momentum in our managed offering. We ended Q1 with over half of our ARR coming from detection response, growing in the mid-teens year over year. This growth is driven by persistent demand trends, particularly for MDR, which represents more than 75% of our DNR business, as customers seek enhanced visibility, broader coverage, and operational efficiency in managing an increasingly complex threat landscape."
Corey Thomas, Chief Executive Officer
"ARR results came in below our expectations and reflect continued healthy growth in our detection and response business, offset by both macroeconomic headwinds and continued pressure in our risk and exposure management business. Amid this, we delivered revenue and profitability that exceeded our guided ranges, and we continued to demonstrate strong operational discipline and free cash flow generation."
Tim Adams, Chief Financial Officer
Strategic Positioning
1. Detection & Response as Core Growth Engine
DNR now forms the backbone of Rapid7’s growth strategy, with MDR (managed detection and response) comprising over 75% of the segment. The company’s integrated platform, enhanced by AI-powered SIEM (security information and event management) and long-term log retention, differentiates Rapid7 in crowded markets. Recent wins, such as a healthcare consolidation to Managed Threat Complete, showcase the platform’s appeal for organizations seeking automation and operational efficiency.
2. Risk & Exposure Management in Transition
The risk and exposure management business is undergoing a deliberate but slower-than-expected pivot, as Rapid7 seeks to migrate legacy VM customers to Exposure Command—a unified platform integrating vulnerability, cloud-native application protection (CNAP), and threat context. Budget constraints in the mid-market, the core of Rapid7’s VM base, are the main friction points. Leadership is refining pricing, packaging, and partner enablement to accelerate this cycle, but acknowledges that timing remains uncertain and is the primary variable for near-term growth.
3. Operational Efficiency and Cost Structure
Investments in the India SOC and Innovation Center are central to Rapid7’s margin strategy, enabling more scalable service delivery and supporting international growth. The company is leveraging AI and automation not just for product differentiation, but also to drive operating leverage and maintain profitability even as revenue growth slows. The international business, now 25% of revenue, is growing faster than the U.S. and benefits from this global operational footprint.
4. Capital Discipline and Balance Sheet Strength
Rapid7 repaid its 2025 convertible notes, simplifying its capital structure and maintaining ample liquidity to support future investments. The company’s ability to deliver free cash flow and sustain operating income guidance, even as ARR growth moderates, reflects a focus on financial resilience and flexibility.
Key Considerations
This quarter marks a clear pivot for Rapid7: the company’s long-term trajectory now depends on the successful migration of a large legacy install base to next-generation platforms, while maintaining DNR momentum and expanding internationally.
Key Considerations:
- Upgrade Cycle Bottleneck: Exposure Command migrations are taking longer than planned, with mid-market budget constraints the primary gating factor.
- International Expansion: Non-U.S. markets are growing at double the rate of the U.S., providing a partial offset to domestic headwinds.
- AI and Automation Leverage: Technology investments are driving both product differentiation and margin improvement, especially in MDR service delivery.
- Segment Divergence: DNR growth is robust, but risk and exposure management remains a headwind until more customers upgrade from traditional VM.
- Capital Flexibility: Repayment of convertible notes and sustained free cash flow provide room to navigate macro volatility and invest in core initiatives.
Risks
Rapid7 faces material near-term risk from a slower-than-expected upgrade cycle in its risk and exposure management business, particularly as macro uncertainty drives extended deal cycles and tighter budgets in the U.S. mid-market. Competitive intensity in vulnerability management, the potential for increased churn among legacy customers, and the need to execute on complex migrations all present downside scenarios. Management’s wider guidance range reflects these uncertainties.
Forward Outlook
For Q2 2025, Rapid7 guided to:
- Revenue of $211 million to $213 million
- Non-GAAP operating income of $30 million to $32 million
- Non-GAAP net income per share of $0.43 to $0.46
For full-year 2025, management lowered and widened its ARR guidance to $850 million to $880 million and maintained operating income guidance of $125 million to $135 million. Free cash flow guidance was adjusted to $125 million to $135 million.
Leadership emphasized that DNR momentum and the pace of Exposure Command upgrades will determine whether ARR growth stabilizes or reaccelerates in the back half of the year. Macro caution and U.S. mid-market budget scrutiny remain the key variables.
- Upgrade velocity in risk and exposure management is the main swing factor for upside or downside.
- International and enterprise segments are expected to be more resilient than U.S. mid-market.
Takeaways
Rapid7’s Q1 underscores a business in transition, with DNR now the clear growth engine but legacy risk management still a drag. The outcome for 2025 hinges on the pace of Exposure Command migrations and the company’s ability to maintain margin discipline during a period of macro-driven unpredictability.
- DNR Outperformance: Robust demand and product innovation in DNR are offsetting risk segment softness, but further upside depends on successful cross-sell and new customer acquisition.
- Upgrade Cycle Execution: The speed and success of moving legacy VM customers to integrated platforms will determine whether growth reaccelerates or remains muted.
- Margin and Cash Flow Focus: Operational discipline and efficiency investments provide a buffer against top-line volatility, but cannot fully offset prolonged upgrade delays or macro shocks.
Conclusion
Rapid7 enters the remainder of 2025 with a resilient DNR growth engine, but faces a slower and more complex risk management upgrade cycle than anticipated. Margin discipline and global expansion provide stability, yet the company’s long-term growth will depend on converting its install base to modern platforms and sustaining innovation in a competitive market.
Industry Read-Through
Rapid7’s results highlight a broader industry reality: security vendors with large legacy install bases face mounting pressure to modernize platforms and drive integrated solutions, as standalone vulnerability management becomes increasingly commoditized. Detection and response services—especially managed offerings—are showing resilience even in cautious macro environments, but upgrade cycles are lengthening, especially in budget-constrained mid-market segments. International growth and operational efficiency are becoming key differentiators, and the ability to leverage AI for both product and margin enhancement is now table stakes across the cybersecurity landscape.