Rapid7's shift from vulnerability management to security operations: A strategic divergence

Cole Grolmus

Founder, Strategy of Security

Is Rapid7 even a vulnerability management company anymore? That might sound ridiculous, but their Q2'25 earnings report made it a surprisingly valid question. The answer matters a lot for Rapid7's strategy and future progress. A few thoughts:

→ Rapid7's security operations business is now half of the company's revenue

Rapid7 has been extending their core exposure management business into a broader security operations platform, including SecOps-focused additions to the Command platform and their MDR service. The strategy is working to some extent. They mentioned that detection and response is now "over half" of their total revenue.

They also talked about growth between the two business units. Detection and response is growing at a "mid-teens" rate. Against an overall growth rate of 3%, that implies vulnerability management is shrinking: if roughly half the revenue grows ~15% and the total grows 3%, the other half has to be running at roughly -9% (give or take, since "over half" and "mid-teens" are both approximations). Backing into the math on the detection and response side, that is roughly ~$400M+ ARR growing ~15%. Not bad!

The leadership team was upbeat about their detection and response progress and its potential in the broader security operations market. It feels like security operations is becoming their primary offering and positioning, both quantitatively (revenue composition) and qualitatively (management sentiment).

On one hand, that's good. They need something to offset struggles in vulnerability management. On the other hand, security operations is brutally competitive, with competition from Microsoft, Google, Cisco, CrowdStrike, Palo Alto Networks, Zscaler, and many smaller but strong players.

→ Repositioning

A lot of the earnings call commentary and several personnel announcements were related to market positioning. Repositioning Rapid7 from a vulnerability management company into a security operations company is a big challenge for a 25-year-old company at $841M ARR. Repositioning at scale does happen in cybersecurity, but the successful examples we've seen so far have been more subtle.

→ Strategic divergence from Qualys

This is more of a market observation, but worth noting: Rapid7 and Qualys are moving in very different directions. Qualys is moving 'left' into risk and prevention. Rapid7 is moving 'right' into hardcore detection and response. Both are pursuing open platform strategies, aiming for integrations and partnerships where they don't have products yet. Whether either approach works remains an open question. What is certain is that neither company is going to stay in its vulnerability management lane.

---

Another earnings report, another quarter of stalled growth for Rapid7. Revenue growth has completely flattened, and broadening the portfolio hasn't changed that... yet. You have to be at least a little encouraged by the level of activity and execution on the product and strategy side, though.

So, are they still a vulnerability management company? Yes, but only to the extent it drives a broader security operations portfolio.

Dwayne Rendell, MBA

Senior Cybersecurity Advisor at Rapid7 | MBA | Ex-Microsoft | Driving Risk Reduction & Strategic Uplift Across Complex Environments | Founder, Creator Security Warden

1mo

We haven't been a pure-play VM company in a while (although we now have even greater vulnerability coverage than Tenable). We have services across the whole spectrum, from endpoint to attack surface management (including external) and continuous red teaming. Our branding and marketing have been a bit disjointed, but you'll see a new unified Command Platform has landed and we're accelerating fast, integrating our capabilities and moving away from point-solution products. Keep an eye on us 😉

Lemuel Williams

Corporate Board Member | Infrastructure & IT Management | Cloud | Generative AI | Cybersecurity Executive

1mo

Cole Grolmus This comment is about to stir something. Corey is an amazing leader of that organization and an even better human! Maybe it's about time for R7 to spin off a business line? Keep SOC/MDR and spin off VM...? Feedback welcomed!

Katherine McEvoy

Enterprise Account Executive | Sales Hacker/GTMnow Top 530 (2020-2025) | Cybersecurity & AI Solutions | President's Club | F500 Secure AI Adoption

1mo

Solid earnings analysis, Cole Grolmus. Corey Thomas's transparency about "VM is a feature, not the platform" reflects the real market transformation. The vuln management landscape now requires 6+ product categories: traditional VM, CNAPP, EASM, container security, API security, and -- to some extent -- DSPM. R7's platform acknowledges this complexity rather than pretending one scanner covers everything. Anton Chuvakin put it perfectly: "If your entire security strategy hinges on 'patch everything ASAP,' you're going to have a bad time." Turns out "patch harder" isn't a strategy - who knew? 😏

Michael T.

Product builder exploring the AI-native intersections of Identity, Cybersecurity, Governance, and Compliance | Startup Advisor | Angel Investor

1mo

"Qualys is moving 'left' into risk and prevention. Rapid7 is moving 'right' into hardcore detection and response." Time will tell which way was the right bet. It could be both, depending on the execution. 🤔

✅ Craig Burns

Platform Advisor / SecOps @ Palo Alto Networks | Splunk, ServiceNow, LogRhythm, IBM Security Alum | Board Member | VP Sales | GTM Advisor | Keynote Speaker | Executive Moderator | Story Teller

1mo

They've done well in SMB.

Interesting insights. It seems Rapid7 is definitely shifting focus towards security operations, which makes sense given the competitive landscape. Still valuable in vulnerability management, but their future seems to be more about detection and response. Time will tell if this pivot pays off. Cheers, NetFend - Network Defense & Security


As a former investor in Rapid7, I'm really disappointed in their execution. Their golden opportunity was when they acquired DivvyCloud, before Wiz became the juggernaut it is now. Now they are trying to compete in a much more competitive market with better-known companies for scraps. Modest to anemic revenue growth will be offset by VM becoming a feature. The only bright spot is Jana looking to acquire. Even though leadership may be transparent, their track record doesn't look good compared to other cybersecurity companies.
Demi Ben-Ari

Co-Founder & CSO at Panorays

1mo

Thanks for sharing Cole Grolmus! Very informative and interesting perspective

Alison Foster

Tech investor + security startup advisor turning complexity into global market success.

1mo

Evolution is relevance.
