Rapid7, Inc. - FORM 8-K - January 23, 2018

Rapid7, Inc. - FORM 8-K - January 23, 2018

Rapid7, Inc. Reports

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 OR 15(d)

of The Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): January 23, 2018

Rapid7, Inc.

(Exact name of registrant as specified in its charter)


Delaware	001-37496	35-2423994
(State or other jurisdiction of incorporation)	(Commission File Number)	(IRS Employer Identification No.)


100 Summer Street, Boston, Massachusetts				02110
(Address of principal executive offices)				(Zip Code)

Registrant’s telephone number, including area code: (617) 247-1717

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2. below):

☐	Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐	Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐	Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐	Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).


		Emerging growth company ☒

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☒

Item 2.02

Results of Operations and Financial Condition

In connection with a proposed registered offing of common stock, Rapid7, Inc. has announced certain preliminary financial data as set forth below.

All references below to “Rapid7,” the “Company,” “we,” “us,” “our” and similar references refer to Rapid7, Inc., except where the context otherwise requires or as otherwise indicated.

Recent Developments

This recent developments section includes forward-looking statements. All statements contained herein other than statements of historical facts, including, without limitation, statements regarding our expectations regarding our financial and operating results for the year and three months ended December 31, 2017 and our future financial and business performance, are forward-looking statements. The words “anticipate,” “believe,” “continue,” “estimate,” “expect,” “intend,” “may,” “will” and similar expressions are intended to identify forward-looking statements. We have based these forward-looking statements largely on our current expectations and projections about future events and financial trends that we believe may affect our financial condition, results of operations, business strategy, short-term and long-term business operations and objectives and financial needs. These forward-looking statements are subject to a number of risks and uncertainties, including, without limitation, risks related to our rapid growth and ability to sustain our revenue growth rate, risk related to the timing of our recognition of deferred revenue, the ability of our products and professional services to correctly detect vulnerabilities, competition in the markets in which we operate, market growth, our ability to innovate and manage our growth.

Preliminary Financial Results

The following preliminary financial information for the three months and the year ended December 31, 2017 is based upon our estimates and subject to completion of our financial closing procedures. Moreover, these data have been prepared solely on the basis of currently available information by, and are the responsibility of, Rapid7. Our independent registered public accounting firm, KPMG LLP, has not audited or reviewed, and does not express an opinion with respect to, these data. This summary is not a comprehensive statement of our financial results for this period, and our actual results may differ materially from these estimates due to the completion of our financial closing procedures, final adjustments, completion of the audit of our financial statements and other developments that may arise between now and the time the audit of our financial statements is completed. Our actual results for the three months and the year ended December 31, 2017 will not be available until after the proposed public offering is completed. There can be no assurance that these estimates will be realized, and estimates are subject to risks and uncertainties, many of which are not within our control.

We have prepared estimates of the following preliminary financial data for the three months and the year ended December 31, 2017.


	Year ended December 31, 2017						% Change (year-over-year)						Three months ended December 31, 2017						% Change (year-over-year)
	Range						% Change (year-over-year)						Range						% Change (year-over-year)
	Low			High			Low			High			Low			High			Low			High
	(dollars in millions)
GAAP Data
Revenue	$	200.4		$	200.7			27	%		27	%	$	57.2		$	57.5			27	%		28	%
Loss from operations	$	(49.3	)	$	(49.0	)							$	(13.9	)	$	(13.6	)
Net loss	$	(46.5	)	$	(45.8	)							$	(14.0	)	$	(13.3	)
Cash flows from operating activities	$	12.5		$	13.0
Other Data
Calculated billings⁽¹⁾	$	254.8		$	255.8			30	%		30	%	$	92.0		$	93.0			42	%		43	%
Annualized recurring revenue⁽²⁾	$	163.0		$	164.0			34	%		35	%	$	163.0		$	164.0			34	%		35	%
Non-GAAP loss from operations⁽³⁾	$	(26.5	)	$	(26.3	)							$	(7.9	)	$	(7.7	)

⁽¹⁾

Calculated billings is a non-GAAP measure that we define as total revenue recognized in accordance with generally accepted accounting principles, or GAAP, plus the change in deferred revenue from the beginning to the end of the period. We consider calculated billings to be a useful metric for management and investors, as a supplement to the corresponding GAAP measure of total revenue, because billings drive deferred revenue, which is an important indicator of the health and visibility of trends in our business, and represents a significant percentage of future

revenue. We regularly monitor calculated billings because we believe the measure offers information regarding the performance of our business. With the expansion of our subscription, cloud-based product offerings (InsightVM, InsightIDR, InsightAppSec, and InsightOps) on the Insight platform, we may realize a shortening of our average contract duration, which should be taken into consideration when evaluating calculated billings. Our use of calculated billings has limitations as an analytical tool and should not be considered in isolation or as a substitute for revenue recognition or revenue measurement, or an analysis of our results as reported under GAAP. Also, it is important to note that other companies, including companies in our industry, may not use calculated billings, may compute billings differently, may have different billing frequencies, or may use other financial measures to evaluate their performance, all of which could reduce the usefulness of calculated billings as a comparative measure. The following table presents a reconciliation of calculated billings to revenue, the most directly comparable GAAP measure, for each of the periods indicated:


	Year ended December 31, 2017				Three months ended December 31, 2017
	Range				Range
	Low		High		Low		High
	(in millions)
Revenue	$	200.4	$	200.7	$	57.2	$	57.5
Deferred revenue, end of period		223.4		224.1		223.4		224.1
Deferred revenue, beginning of period		169.1		169.1		188.6		188.6

Calculated billings	$	254.8	$	255.8	$	92.0	$	93.0

⁽²⁾	Annualized recurring revenue is defined as the annual value of all recurring revenue related to contracts in place at the end of the period.

⁽³⁾

Non-GAAP loss from operations is a non-GAAP measure that we define as loss from operations calculated in accordance with GAAP plus stock-based compensation expense, amortization of acquired intangible assets and acquisition-related expense. We consider non-GAAP loss from operations to be a useful metric for management and investors, as a supplement to the corresponding GAAP measure of loss from operations, because non-GAAP loss from operations excludes non-cash charges that we do not believe to be indicative of our core operating results. We regularly monitor non-GAAP loss from operations because we believe the measure offers valuable information regarding the performance of our business and will help investors better understand our operating performance on a period-to-period basis. Our use of non-GAAP loss from operations has limitations as an analytical tool and should not be considered in isolation or as a substitute for an analysis of our results as reported under GAAP. Also, it is important to note that other companies, including companies in our industry, may not use non-GAAP loss from operations, may compute non-GAAP loss from operations differently or may use other financial measures to evaluate their performance, all of which could reduce the usefulness of non-GAAP loss from operations as a comparative measure. The following table presents a reconciliation of non-GAAP loss from operations to loss from operations calculated in accordance with GAAP, the most directly comparable GAAP measure, for each of the periods indicated:


	Year ended December 31, 2017						Three months ended December 31, 2017
	Range						Range
	Low			High			Low			High
	(in millions)
Loss from operations (GAAP)	$	(49.3	)	$	(49.0	)	$	(13.9	)	$	(13.6	)
Stock-based compensation expense		19.7			19.6			5.0			4.9
Amortization of acquired intangible assets		2.9			2.9			1.0			1.0
Acquisition-related expense		0.2			0.2			—			—

Non-GAAP loss from operations	$	(26.5	)	$	(26.3	)	$	(7.9	)	$	(7.7	)

Below we have provided information regarding comparisons to prior year and quarters for context.

Revenue

The increase in revenue for the year and three months ended December 31, 2017 was driven by increased adoption across our solutions globally.

GAAP and non-GAAP loss from operations

Our loss from operations on both a GAAP and non-GAAP basis for the year ended December 31, 2017 reflected our revenue growth, partially offset by increased costs of goods sold and increased sales and marketing expense. Our loss from operations on both a GAAP and non-GAAP basis for the three months ended December 31, 2017, reflected our revenue growth, partially offset by increased costs of goods sold and increased commissions as a result of our increased calculated billings.

Net loss

Our net loss for the year ended December 31, 2017 reflected our revenue growth, partially offset by increased costs of goods sold and increased sales and marketing expense. Our net loss for the three months ended December 31, 2017, reflected our revenue growth, partially offset by increased costs of goods sold and increased commissions as a result of our increased calculated billings.

Cash flow from operating activities

Our increased cash flow from operating activities for the year ended December 31, 2017 was driven by increased collections as a result of our increased calculated billings, partially offset by higher cost of goods sold and higher sales and marketing expense.

Calculated billings

The increase in calculated billings for the year and three months ended December 31, 2017 was driven by strong adoption across our solutions globally.

Annualized recurring revenue

The increase in annualized recurring revenue for the year ended December 31, 2017 was driven by strong adoption across our solutions globally, as evidenced by our calculated billings growth, and the increased shift of our customers to a subscription pricing model.

Preliminary Guidance

Based on available information, we anticipate the following results for the year ending December 31, 2018 calculated in accordance with Accounting Standards Codification 605 and without giving effect to the impact of the adoption of Accounting Standards Codification 606:

•

year-over-year annualized recurring revenue growth of at least 30% compared to the year ended December 31, 2017;

•

calculated billings slightly up relative to the year ended December 31, 2017 due to shorter anticipated contract lengths and the impact of the anticipated continued shift from perpetual to subscription licenses; going forward, we believe that calculated billings may be less useful as a measure of the growth of our business;

•

year-over-year revenue growth of approximately 20% compared to the year ended December 31, 2017 driven by the anticipated continued transition to subscription licenses with respect to our vulnerability management product line;

•

slightly improved non-GAAP loss from operations compared to the year ended December 31, 2017; and

•

cash flows from operating activities consistent with those for the year ended December 31, 2017.

Non-GAAP guidance excludes estimates for stock-based compensation expense, amortization of acquired intangible assets and acquisition-related expenses. Rapid7 has provided a reconciliation of historical non-GAAP financial measures to the most comparable GAAP measures above. A reconciliation of non-GAAP guidance measures to the most comparable GAAP measures is not available on a forward-looking basis as a result of the uncertainty regarding, and the potential variability of, many of the costs and expenses that we may incur in the future.

The information included in Item 2.02 of this Current Report on Form 8-K shall not be deemed “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”) or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference in any filing under the Securities Act of 1933, as amended, or the Exchange Act, regardless of any general incorporation language in such filing.

Item 8.01

Other Events

Updated Business Description and Risk Factors

In connection with a proposed registered offing of common stock, the Company is providing an updated business decription and the new and/or revised risk factors set forth below.

Description of Business

Business Overview

Organizations of all sizes are faced with a more sophisticated and motivated set of cyber attackers. Coupled with an increasingly complex IT environment and expanding attack surface, driven by mobility and a shift to the cloud, security and IT teams are struggling to maintain adequate levels of cyber security, provide visibility to their management teams, and meet increasing regulatory requirements. At the same time, they must navigate a shortage of capable cyber security professionals. Out of these challenges, the concept of Security Operations, or SecOps, is emerging. SecOps is a movement that recognizes that Security and IT Operations must work together to deliver better security and more nimbly adapt to emerging threats, without adding significant resources. SecOps requires solutions that provide visibility, analytics and automation that enable IT, Security and DevOps to work together to achieve significantly higher levels of productivity and success.

Rapid7 is a leading provider of security and IT analytics and automation solutions for SecOps, and is trusted by professionals around the world to provide visibility, analytics and automation to help manage risk, simplify IT complexity and drive innovation. Our solutions, which include vulnerability management, incident detection and response, security information and event management, or SIEM, application security testing, log analytics, and security orchestration and automation all focus on the critical needs of enterprises for greater visibility into their environments, analytics that provide context to complex data, and automation that enables SecOps teams to scale and more efficiently to address critical security and IT tasks.

We combine our extensive experience in collecting data from an ever-expanding IT environment, our deep insight into attacker behaviors and techniques, and our powerful and proprietary analytics to provide solutions that can quickly and efficiently identify and prioritize risks and active threats in an enterprise’s IT environment. Our broad data collection capabilities encompass endpoints, servers, applications, users, cloud-based assets, client devices, network activity, log data and information from third-party applications. We also provide workflows and automations that can enable and accelerate remediation of these risks and active threats. We have designed our solutions to be easy to deploy and use for security and IT teams of all sizes.

We offer analytic solutions across three core areas. Our Vulnerability Management offerings include our industry-leading vulnerability management, web application security testing and attack simulation products. These solutions provide enterprises with comprehensive, yet prioritized, visibility into potential cyber risks across their IT environment. We have also added remediation workflows to help ensure that these risks can be easily mitigated. Our Incident Detection and Response solutions are designed to enable organizations to rapidly detect and respond to cyber security incidents and breaches across physical, virtual and cloud assets, including those posed by the behaviors of their users. These solutions combine the collection of massive amounts of data with our core analytics and machine-learning-driven user behavioral analytics to simplify the task of identifying and responding to potential breaches. Our IT Analytics and Automation solutions are designed to allow operations teams to quickly gain visibility into their IT environment and facilitate automated workflows to eliminate repetitive, manual and labor-intensive tasks. Finally, to complement our SecOps products, we offer a range of services, including managed services based on our software solutions, incident response services, security advisory services, and deployment and training.

As of December 31, 2017, we had more than 7,000 customers, including 52% of the Fortune 100. We have experienced strong revenue growth, with revenue increasing from $46.0 million in 2012 to $157.4 million in 2016, representing a 36% compound annual growth rate. In the third quarter of 2017, 71% of our revenues were recurring revenues. We incurred net losses of $49.9 million, $49.0 million and $32.5 million in 2015, 2016 and the nine months ended September 30, 2017, respectively, as we continued to invest for long-term growth.

Our Analytics and Automation Cloud

LOGO

The Rapid7 Insight Platform is at the core of our security and IT analytics product offerings. The platform was built in the cloud using our extensive experience in collecting and analyzing data to enable our customers to create and manage active, analytics-driven cyber security and IT operations management programs. Our robust data collection architecture supports gathering a wide swath of organizational and environmental data from endpoints to the cloud, including key data about user-specific behavior. By utilizing our powerful, proprietary analytics to assess and understand the context and relationships around users, IT assets and cyber threats within a customer’s environment, our solutions can provide our customers with specific, actionable insights critical for their SecOps approach. We designed the Rapid7 Insight Platform to allow customers to collect their data once and leverage that same data across multiple solutions, providing shared visibility across teams, improved and automated workflows, and reducing time to value for additional solutions. The design and development of our Insight Platform includes the following key features and benefits:

Holistic Dataset for Managing IT Operations and Cyber Security. Our Insight Platform collects information from across an organization’s environment into a unified dataset. Our platform also applies context to events, including user and asset level details. We overlay this against our comprehensive and continuously expanding set of known vulnerabilities, exploits and threat intelligence, providing SecOps professionals a holistic view of their IT environment.

Agentless and Agent-Based Architecture. We developed our platform with flexible processing technologies that employ both agentless data collection and our own internally-developed endpoint agent technology, which enables rapid and seamless integration of our products into our customers’ IT environments and provides IT professionals with instant visibility into their dynamic and rapidly-expanding IT ecosystem. This means it is much easier to deploy our Insight agent, potentially increasing the time to value for not just one of our products, but many of them.

Fast Search. Our search technology enables IT and security professionals to search across their entire IT environment including endpoints and, unlike other machine search solutions, provides live access without having to wait for lengthy indexing processes. These capabilities, along with real time and easily accessible search across raw logs and endpoints for known patterns with intuitive search queries, can enable IT security professionals to access their data for operational purposes.

User Behavior Analytics. Our Insight Platform creates a behavior profile for each user in a customer’s IT environment and correlates every event with a user, asset or application. User behavior profiles can then be automatically analyzed to identify suspicious user behavior and compromised user credentials. Our ability to provide rapid context around users and assets involved in an incident can significantly reduce investigation time, enabling organizations to more quickly respond to, contain and mitigate breaches.

Live Dashboards, Remediation Workflows and Automation. Our Insight Platform includes live dashboards which provide customers real-time, dynamic visibility into their risks, potential threats and progress to remediation all based on a shared reporting and visualization service. Remediation workflows enable customers to initiate, manage, prioritize and monitor the progress of vulnerability remediation. We also provide the ability to create automated workflows that can accelerate incident detection, response, and resolution.

Robust Platform and Customer Data Security. Our Insight Platform was designed to provide a secure environment for both our data and that of our customers. We deploy a variety of technologies and industry-leading practices such as physical and logical customer data segregation, network segmentation, audited and monitored access level controls, data anonymization, encryption and separated development-staging-production environments to help ensure that the data collected from a customer’s environment remains proprietary and secure. We have achieved Service Organization Control, or SOC, II Type 2 certification for the foundation of our platform and are continuing to expand the specific compliance regimes for which we are audited.

Enterprise-Grade Scalability. Our Insight Platform provides a high level of horizontal scalability. We leverage on-premise deployment models and Amazon Web Services, or AWS, to achieve a high degree of redundancy, fault tolerance and cost-effective operations. Our automated deployment technologies enable us to add new AWS instances or additional services rapidly. Our infrastructure architecture is designed to process large amounts of data and easily incorporate new data sources, including on premise, cloud and mobile. Our platform is designed to support customers with large numbers of users or with geographically dispersed environments, and we have scaled to meet the needs of customers with over 2.5 million active assets and 700,000 active users as of December 31, 2017.

Extensible Modern Platform. Our Insight Platform provides a rich set of application program interfaces, or APIs, and services that enable customers, partners and developers to import and export data and utilize our analytics capabilities. This allows us to easily integrate with other security tools in the customer’s environment and also enables customers to build bespoke applications and analysis on top of the data that we gather.

Our Market Opportunity

Our estimate, based on International Data Corporation, or IDC, data, is that the overall market for IT and security analytics and automation solutions was a $6.9 billion opportunity in 2017. Included in our estimates are all or a portion of the markets for Vulnerability Assessment, Policy and Compliance, Security Information and Event Management, Forensics and Incident Management, IT Operations Analytics-Public Cloud, IT Automation and Configuration Management Software and IT Operations Management Software. As our solutions expand to address more of the SecOps opportunity, we believe we may be able to address portions of the broader IT Operations Management Software market, as well as the IT Automation and Configuration Management Software market, which would expand our estimated overall market opportunity in 2017 to $22.2 billion, based on IDC data.

Risk Factors

Risks Related to Our Business and Industry

We are a rapidly growing company, which makes it difficult to evaluate our future prospects and may increase the risk that we will not be successful.

We are a rapidly growing company. Our ability to forecast our future operating results is subject to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly evolving industries. If our assumptions regarding these uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations, our business could suffer and the trading price of our common stock may decline.

If we are unable to sustain our revenue growth rate, we may not achieve or maintain profitability in the future.

From the year ended December 31, 2012 to the year ended December 31, 2016, our revenue grew from $46.0 million to $157.4 million, which represents a compounded annual growth rate of approximately 36%. Although we have experienced rapid growth historically and currently have high renewal rates, we expect that we may not continue to grow as rapidly in the future and our renewal rates may decline. Any success that we may experience in the future will depend, in large part, on our ability to, among other things:

•

maintain and expand our customer base;

•

successfully manage the transition to a more subscription-based business model;

•

increase revenues from existing customers through increased or broader use of our products and services within their organizations;

•

improve the performance and capabilities of our products through research and development;

•

continue to develop our cloud-based solutions;

•

maintain the rate at which customers purchase our content subscriptions, maintenance and support and managed services;

•

continue to successfully expand our business domestically and internationally; and

•

successfully compete with other companies.

If we are unable to maintain consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods as any indication of our future revenue or revenue growth.

We have not been profitable historically and may not achieve or maintain profitability in the future.

We have posted a net loss in each year since inception, including net losses of $49.0 million, $49.9 million, $32.6 million, $32.5 million and $39.2 million in the years ended December 31, 2016, 2015 and 2014 and the nine months ended September 30, 2017 and 2016, respectively. As of September 30, 2017, we had an accumulated deficit of $421.9 million. While we have experienced significant revenue growth in recent periods, we are not certain whether or when we will obtain a high enough volume of sales of our products and services to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we expect to continue to expend financial and other resources on:

•

research and development related to our offerings, including investments in our research and development team;

•

sales and marketing, including a significant expansion of our sales organization, both domestically and internationally;

•

continued international expansion of our business;

•

expansion of our services organization; and

•

general and administrative expenses as we continue to implement and enhance our administrative, financial and operational systems, procedures and controls.

These investments may not result in increased revenue or growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.

If our products or services fail to detect vulnerabilities or incorrectly detect vulnerabilities, or if our products contain undetected errors or defects, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

If our products or services fail to detect vulnerabilities in our customers’ cyber security infrastructure, or if our products or services fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or services will detect all vulnerabilities, especially in light of the rapidly changing security landscape to which we must respond. Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. If the information from these third parties is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability of our offerings and may therefore adversely impact market acceptance of our products and services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem.

Our products may also contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new products and product upgrades and we expect that these errors or defects will be found from time to time in the future in new or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities, or

temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ business and could hurt our reputation. If our products or services fail to detect vulnerabilities for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results.

An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or services, could adversely affect the market’s perception of our offerings and subject us to legal claims.

The market for Security Operations is new and unproven and may not grow.

We believe our future success will depend in large part on the growth, if any, in the market for Security Operations, or SecOps. This market is nascent, and as such, it is difficult to predict important market trends, including the potential growth, if any. To date, the majority of enterprise spend on cyber security has been on threat protection products, such as network, endpoint and web security that are designed to stop threats from penetrating corporate networks. Organizations that use these security products may believe that their existing security solutions sufficiently protect access to their sensitive business data. Therefore, they may continue allocating their cyber security budgets to these products and may not adopt our products and services in addition to, or in lieu of, such traditional products. Further, sophisticated cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive business data, and changes in the nature of advanced cyber threats could result in a shift in IT budgets away from products and services such as ours. In addition, while recent high visibility attacks on prominent enterprises and governments have increased market awareness of the problem of cyber attacks, if cyber attacks were to decline, or enterprises or governments perceived that the general level of cyber attacks have declined, our ability to attract new customers and expand our sale to existing customers could be materially and adversely affected. If products and services such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our offerings as a critical layer of an effective cyber security strategy, our revenue may not grow as quickly as expected, or may decline, and the trading price of our stock could suffer. It is therefore difficult to predict how large the market will be for our solutions.

In addition, it is difficult to predict customer adoption and renewal rates, customer demand for our products and services, the size and growth rate of the market for SecOps, the entry of competitive products or the success of existing competitive products. Any expansion in our market depends on a number of factors, including the cost, performance and perceived value associated with our offerings and those of our competitors. If these offerings do not achieve

widespread adoption or there is a reduction in demand for solutions in our market caused by a lack of customer acceptance, technological challenges, competing technologies and products, decreases in corporate spending, weakening economic conditions, or otherwise, it could result in reduced customer orders, early terminations, reduced renewal rates or decreased revenue, any of which would adversely affect our business operations and financial results. You should consider our business and prospects in light of the risks and difficulties we face in this new and unproven market.

If we are unable to successfully hire, train, manage and retain qualified personnel, especially those in sales and marketing and research and development, our business may suffer.

We continue to be substantially dependent on our sales force to obtain new customers and increase sales with existing customers. Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales, marketing and research and development. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain sufficient qualified employees in the future. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or services or market our existing products or services at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.

We believe that our corporate culture has been a critical component to our success. We have invested substantial time and resources in building our team. As we grow and mature as a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could negatively affect our future success, including our ability to attract, motivate and retain personnel and effectively focus on and pursue our business strategy.

Our sales cycle may be unpredictable.

The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer

requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the size of the organization and nature of the product or service under consideration. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.

Organizations may be reluctant to purchase SecOps offerings that are cloud-based due to the actual or perceived vulnerability of cloud solutions.

Some organizations have been reluctant to use cloud solutions for cyber security, such as our InsightIDR, InsightVM, InsightAppSec, InsightOps and Logentries products, because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions may be negatively impacted, which could harm our business.

Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.

Our operating results, including the levels of our revenue, billings, cash flow, deferred revenue and gross margins, have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:

•

the level of demand for our products and services;

•

customer renewal rates and ability to attract new customers;

•

the extent to which customers purchase additional products, including content subscriptions and maintenance and support related to our Nexpose, Metasploit and AppSpider products, or services;

•

the ability to successfully grow our sales of InsightOps, InsightIDR, InsightVM and InsightAppSec;

•

the level of perceived threats to organizations’ cyber security;

•

network outages, security breaches, technical difficulties or interruptions with our products;

•

changes in the growth rate of the markets in which we compete;

•

variations in our billings and sales of our products and services due to seasonality and customer demand;

•

the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;

•

the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;

•

the introduction or adoption of new technologies that compete with our offerings;

•

the mix of our products and services sold during a period;

•

decisions by potential customers to purchase cyber security products or services from other vendors;

•

the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;

•

the timing of sales commissions relative to the recognition of revenue and the timing of revenue recognition generally;

•

price competition;

•

our ability to successfully manage and integrate any future acquisitions of businesses, including without limitation the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies;

•

our ability to increase, retain and incentivize the channel partners that market and sell our products and services;

•

our continued international expansion and associated exposure to changes in foreign currency exchange rates, including any fluctuations caused by uncertainties relating to Brexit;

•

the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;

•

unforeseen litigation and intellectual property infringement;

•

the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;

•

the strength of regional, national and global economies;

•

the impact of natural disasters or manmade problems such as terrorism or war; and

•

future accounting pronouncements or changes in our accounting policies.

Each factor above or discussed elsewhere herein or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.

If we do not continue to innovate and offer products and services that address the dynamic threat landscape, we may not remain competitive, and our revenue and operating results could suffer.

The SecOps market is characterized by rapid technological advances, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards. Our success also depends, in part, upon our ability to anticipate industry evolution and introduce or acquire new products and services to keep pace with technological developments and market requirements both within our industry and in related industries. While we continue to invest significant resources in research and development in order to ensure that our products continue to address the cyber security risks that our customers face, the introduction of products and services embodying new technologies could render our existing products or services obsolete or less attractive to customers. In addition, developing new products and product enhancements is expensive and time consuming, and there is no assurance that such activities will result in significant cost savings, revenue or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected. Further, we may not be able to successfully anticipate or adapt to changing technology or customer requirements or the dynamic threat landscape on a timely basis, in a way that sufficiently differentiates us from competing solutions such that customers choose to purchase our solutions. If any of our competitors implement new technologies before we are able to implement them or better anticipate the innovation opportunities in related industries, those competitors may be able to provide more effective or more cost-effective solutions than ours. In addition, we may experience technical problems and additional costs as we introduce new products and product enhancements, deploy future iterations of our products and integrate new products with existing customer systems. If any of these problems were to arise, our business, financial condition and results of operations could be adversely affected.

To date, we have derived a substantial majority of our revenue from customers using our vulnerability management offerings. If we are unable to renew or increase sales of our vulnerability management offerings, or if we are unable to increase sales of our other offerings, our business and operating results could be adversely affected.

Although we continue to introduce and acquire new products and services, we derive and expect to continue to derive a substantial majority of our revenue from customers using certain of our vulnerability management offerings, Nexpose and Metasploit. Greater than half of our revenue was attributable to Nexpose in each of our last three fiscal years. As a result, our operating results could suffer due to:

•

any decline in demand for our vulnerability management offerings;

•

failure of our vulnerability management offerings to detect vulnerabilities in our customers’ IT environments;

•

the introduction of products and technologies that serve as a replacement or substitute for, or represent an improvement over, our vulnerability management offerings;

•

technological innovations or new standards that our vulnerability management offerings do not address;

•

sensitivity to current or future prices offered by us or competing solutions; and

•

our inability to release enhanced versions of our vulnerability management offerings on a timely basis in response to the dynamic threat landscape.

Our inability to renew or increase sales of our vulnerability management offerings, including content subscriptions, maintenance and support and managed services, or a decline in prices of our vulnerability management offerings would harm our business and operating results more seriously than if we derived significant revenues from a variety of offerings. In addition, we have introduced several cloud-based subscription products, including InsightOps, InsightIDR, InsightVM and InsightAppSec products. These products are relatively new, and it is uncertain whether they will gain market acceptance. We are also investing in the expansion of our security advisory services offerings, which we believe will help drive demand for our other products in addition to being a stand-alone service. Any factor adversely affecting sales of our products or services, including release cycles, market acceptance, competition, performance and reliability, reputation and economic and market conditions, could adversely affect our business and operating results.

Our business and growth depend substantially on customers renewing their content subscriptions and maintenance and support agreements with us. Any decline in our customer renewals could adversely affect our future operating results.

Our maintenance and support agreements are sold on a term basis. In addition, we also enter into content subscription agreements for our offerings. In order for us to improve our operating results, it is important that our existing customers renew their content subscription agreements, if applicable, and maintenance and support agreements when the initial contract term expires. Our customers have no obligation to renew their content subscription or maintenance and support agreements with us after the initial terms have expired. Our customers’ renewal rates may

decline or fluctuate as a result of a number of factors, including their satisfaction or dissatisfaction with our new or current product offerings, our pricing, the effects of economic conditions, competitive offerings or alterations or reductions in our customers’ spending levels. If our customers do not renew their agreements with us or renew on terms less favorable to us, our revenues and results of operations may be adversely impacted.

If we fail to successfully manage the transition to a more subscription-based business model, our results of operations could be negatively impacted.

We offer our solutions through a combination of perpetual and term software licenses, cloud-based subscriptions and managed services offerings. Historically, a substantial majority of our customers have purchased our vulnerability management offerings through a perpetual license. We are currently transitioning to a more subscription-based business model. The subscription pricing model allows customers to use our solutions at a lower initial cost of software acquisition when compared to the more traditional perpetual license sale. It is uncertain whether this transition will prove successful or whether we will be able to successfully transition our sales approach to drive subscription revenue. This transition may have negative revenue implications and our business could be harmed.

This subscription strategy may give rise to a number of risks, including the following:

•

our revenue growth may decline more than anticipated over the short-term;

•

if new or current customers desire only perpetual licenses, our subscription sales may lag behind our expectations or those of market or industry analysts;

•

the shift to a more subscription-based strategy may raise concerns among our customer base, including concerns regarding changes to pricing over time and access to files once a subscription has expired;

•

we may be unsuccessful in maintaining our target pricing, product adoption and projected renewal rates, or we may select a target price that is not optimal and could negatively affect our sales or earnings;

•

our shift to a more subscription-based model may result in confusion among new or existing customers (which could slow adoption rates), partners and investors;

•

our shift to a more subscription-based model may result in lower-than-expected sales performance;

•

if our customers do not renew their subscriptions, our revenue may decline over the long-term and our business may suffer;

•

our relationships with existing channel partners that resell perpetual licenses may be damaged; and

•

we may incur sales compensation costs at a higher than forecasted rate if the pace of our subscription transition is faster than anticipated.

If Metasploit were to be used by attackers to exploit vulnerabilities in the cyber security infrastructures of third parties, our reputation and business could be harmed.

Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cyber security programs, Metasploit has in the past and may in the future be used to exploit vulnerabilities in the cyber security infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes. Any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our offerings. Further, the identification of new exploits and vulnerabilities by the Metasploit community may enhance the knowledge base of cyber attackers or enable them to undertake new forms of attacks. If any of the foregoing were to occur, we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.

We face intense competition in our market.

The market for SecOps solutions is highly fragmented, intensely competitive and constantly evolving. We compete with an array of established and emerging security software and services vendors. With the introduction of new technologies and market entrants, we expect the competitive environment to remain intense going forward. Our competitors include: vulnerability management and assessment vendors, including Qualys and Tenable Network Security; diversified security software and services vendors, including IBM and HPE; legacy compliance and monitoring solutions such as SIEM, provided by vendors including LogRhythm, Alienvault and Sumo Logic; machine data analysis tools such as those provided by Splunk; security services specialists, including Mandiant (a subsidiary of FireEye); and providers of point solutions that compete with some of the features present in our solutions.

Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business user recognition, larger and more mature intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is

becoming increasingly competitive. Larger and more established companies may focus on security operations and could directly compete with us. Smaller companies could also launch new products and services that we do not offer and that could gain market acceptance quickly.

Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our offerings and cause the average sales price for our offerings to decline. These larger competitors are also often in a better position to withstand any significant reduction in capital spending, and will therefore not be as susceptible to economic downturns.

Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors, or we may be required to expend significant resources in order to remain competitive. If our competitors are more successful than we are in developing new product and service offerings or in attracting and retaining customers, our business, financial condition and results of operations could be adversely affected.

A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.

We market and sell our products and services throughout the world and have personnel in many parts of the world. For the nine months ended September 30, 2017 and 2016, operations located outside of North America generated 15% and 13% of our revenue, respectively. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. We cannot assure you that our expansion efforts into international markets will be successful in creating further demand for our products and services or in effectively selling our products and services in the international markets that we enter. Our current international operations and future initiatives will involve a variety of risks, including:

•

increased management, infrastructure and legal costs associated with having international operations;

•

reliance on channel partners;

•

trade and foreign exchange restrictions;

•

economic or political instability or uncertainty in foreign markets and around the world, such as related to the United Kingdom’s referendum in June 2016 in which voters approved an exit from the European Union, commonly referred to as “Brexit”;

•

foreign currency exchange rate fluctuations;

•

greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;

•

changes in regulatory requirements, including, but not limited to data privacy, data protection and data security regulations;

•

difficulties and costs of staffing and managing foreign operations;

•

the uncertainty and limitation of protection for intellectual property rights in some countries;

•

costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;

•

costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;

•

heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;

•

the potential for political unrest, acts of terrorism, hostilities or war;

•

management communication and integration problems resulting from cultural differences and geographic dispersion;

•

costs associated with language localization of our products; and

•

costs of compliance with multiple and possibly overlapping tax structures.

Our business, including the sales of our products and services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.

We are also monitoring developments related to Brexit, which could have significant implications for our business. Brexit could lead to economic and legal uncertainty, including significant volatility in global stock markets and currency exchange rates, and differing laws and regulations as the United Kingdom determines which European Union laws to replace or replicate. Any of these effects of Brexit, among others, could adversely affect our operations in the United Kingdom and our financial results.

As a cyber security provider, we are a target of cyber attacks that could adversely impact our reputation and operating results.

We sell cyber security and data analytics products. As a result, we have been and will be a target of cyber attacks designed to impede the performance of our products, penetrate our network security or the security of our cloud platform or our internal systems, or that of our customers, misappropriate proprietary information and/or cause interruptions to our services. For example, because Metasploit serves as an introduction to hacking for many individuals, a successful cyber attack on us may be perceived as a victory for the cyber attacker, thereby increasing the likelihood that we may be a target of cyber attacks, even absent financial motives. Further, if our systems are breached, attackers could learn critical information about how our products operate to help protect our customers’ IT infrastructures from cyber risk, thereby making our customers more vulnerable to cyber attacks. In addition, if actual or perceived breaches of our network security occur, they could adversely affect the market perception of our products, negatively affecting our reputation, and may expose us to the loss of our proprietary information or information belonging to our customers, investigations or litigation and possible liability, including injunctive relief and monetary damages. Such security breaches could also divert the efforts of our technical and management personnel. In addition, such security breaches could impair our ability to operate our business and provide products to our customers. If this happens, our reputation could be harmed, our revenue could decline and our business could suffer.

We are dependent on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.

Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our President and Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. From time to time, there may be changes in our senior management team resulting from the termination or departure of our executive officers and key employees. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of the services of our senior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent our development or the achievement of our strategic objectives and harm our business, financial condition and results of operations.

Our business and operations are experiencing rapid growth, and if we do not appropriately manage our future growth, or are unable to scale our systems and processes, our operating results may be negatively affected.

We are a rapidly growing company. To manage future growth effectively we will need to continue to improve and expand our internal information technology systems, financial infrastructure, and operating and administrative systems and controls, which we may not be able to do efficiently, in a timely manner or at all. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to customers or investors losing confidence in our internal systems and processes, which could harm our results of operations and stock price.

We recognize substantially all of our revenue ratably over the term of our agreements with customers and, as a result, downturns or upturns in sales may not be immediately reflected in our operating results.

We recognize substantially all of our revenue ratably over the terms of our agreements with customers, which generally occurs over a one to three-year period. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.

We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our business. We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.

We may be unable to rapidly and efficiently adjust our cost structure in response to significant revenue declines, which could adversely affect our operating results.

Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.

Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors, capacity constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.

We utilize third-party data centers located in Boston, Massachusetts, in addition to operating and maintaining certain elements of our own network infrastructure. We also utilize Amazon Web Services for our Insight platform infrastructure. Some elements of this complex system are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. More specifically, certain of our products, in particular our Managed Vulnerability Management (Nexpose), InsightIDR, InsightVM, InsightAppSec, InsightOps and Logentries products, are hosted on Amazon Web Services, which provides us with computing and storage capacity. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure and website.

Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition, and operating results.

Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience costs or downtime as we transition our operations.

Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, subject us to potential liability and cause customers to not renew their purchases or our products.

If we fail to manage our operations infrastructure, our customers may experience service outages and/or delays.

Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.

If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.

We generate a portion of our revenue from our vulnerability management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our vulnerability management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that process, transmit or store cardholder data. In addition, our vulnerability management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The foregoing and other state, federal and international legal and regulatory regimes may affect our customers’

requirements for, and demand for, our products and services. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our customers’ cyber security defense and compliance efforts, our customers may lose confidence in our products and could switch to products offered by our competitors, or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.

In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and standards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.

Our products are deployed in a wide variety of IT environments, including large-scale, complex infrastructures. Some of our customers have experienced difficulties implementing our products in the past and may experience implementation difficulties in the future. If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.

In addition, in order for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, and our products must be able to effectively adapt to and track these changes.

Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.

Future acquisitions could disrupt our business and harm our financial condition and operating results.

In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay. We also may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful.

Achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner and successfully market and sell these as new product offerings, including, for example, the operations, products and technology acquired in connection with our acquisition of Komand in July 2017. The acquisition of Komand’s orchestration and automation technology is intended to help our customers automatically identify risks, respond to incidents, and address issues faster and with less human intervention. The process of integrating a new business or technology into our product offerings, such as Komand and its technology, requires, among other things, coordination of administrative, sales and marketing, accounting and finance functions, and expansion of information and management systems. Integration of any future acquisition may prove to be difficult due to the necessity of coordinating geographically separate organizations and integrating personnel with disparate business backgrounds and accustomed to different corporate cultures. The acquisition and integration processes are complex, expensive and time consuming, and may cause an interruption of, or loss of momentum in, product development, sales activities and operations of both companies. Further, we may be unable to retain key personnel of an acquired company following the acquisition, including certain employees which we acquired in connection with our acquisition of Komand. If we are unable to effectively execute or integrate acquisitions, our business, financial condition and operating results could be adversely affected.

In addition, we may only be able to conduct limited due diligence on an acquired company’s operations, or may discover that the products or technology acquired were not as capable as we thought based upon the initial or limited due diligence. Following an acquisition, we may be subject to unforeseen liabilities arising from an acquired company’s past or present operations and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any unforeseen liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition.

If we are unable to maintain successful relationships with our channel partners, our business operations, financial results and growth prospects could be adversely affected.

Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We anticipate that we will continue to rely on these partners in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. For 2016 and 2015, we derived approximately 37% and 39%, respectively, of our revenue from sales of products and services through channel partners, and the percentage of revenue derived from channel partners may increase in future periods. Our agreements with our channel partners are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or do not effectively market and sell our products and services, our ability to grow our business and sell our products and services, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and services or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and services or increased revenue.

If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.

We believe that maintaining and enhancing our brand identity is critical to our relationships with our customers and channel partners and to our ability to attract new customers and channel partners. The successful promotion of our brand will depend largely upon our marketing efforts, our ability to continue to offer high-quality offerings and our ability to successfully differentiate our offerings from those of our competitors. Our brand promotion activities may not be successful or yield increased revenues. In addition, independent industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and services, our brand may be adversely affected.

Moreover, it may be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers and channel partners, all of which would adversely affect our business operations and financial results.

Failure to maintain high-quality customer support could have a material adverse effect on our business.

Once our products are deployed within our customers’ networks, our customers depend on our technical and other customer support services to resolve any issues relating to the implementation and maintenance of our products. If we do not effectively assist our customers in deploying our products, help our customers quickly resolve post-deployment issues or provide effective ongoing support, our ability to renew or sell additional products or services to existing customers would be adversely affected and our reputation with potential customers could be damaged. Further, to the extent that we are unsuccessful in hiring, training and retaining adequate technical and customer success personnel, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our offerings will be adversely affected.

We rely on third-party software to operate certain functions of our business.

We rely on software vendors to operate certain critical functions of our business, including financial management and human resource management. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.

We use third-party software and data that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.

We license third-party software and security and compliance data from various third parties that are used in our solutions in order to deliver our offerings. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our offerings until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software could result in errors or defects in our products or cause our products to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.

We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.

Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.

Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, or GPL, the GNU Lesser General Public License, or LGPL, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.

Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our applications and to make our applications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the event that portions of our applications are determined to be subject to an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in our products failing to provide our customers with the security they expect. Any of these events could have a material adverse effect on our business, operating results and financial condition.

Our technology alliance partnerships expose us to a range of business risks and uncertainties that could have a material adverse impact on our business and financial results.

We have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans, including with certain of our actual or potential competitors. For example, through these technology alliance partnerships, we integrate with certain third-party application program interfaces, or APIs, which enhance our data collection capabilities in our customers’ IT environments. If these third parties no longer allow us to integrate with their APIs, or if we determine not to maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain potential customers. Technology alliance partnerships require significant coordination between the parties involved, particularly if a partner requires that we integrate its products with our products. Further, we have invested and will continue to invest significant time, money and resources to establish and maintain relationships with our technology alliance partners, but we have no assurance that any particular relationship will continue for any specific period of time, result in new offerings that we can effectively commercialize or result in enhancements to our existing offerings. In addition, while we believe that entering into technology alliance partnerships with certain of our actual or potential competitors is currently beneficial to our competitive position in the market, such partnerships may also give our competitors insight into our offerings that they may not otherwise have, thereby allowing them to compete more effectively against us.

The continued utility of Metasploit depends in part on the continued contributions from security researchers.

Our Metasploit product relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. We expect that the continued contributions from these third parties will both enhance the robustness of Metasploit and also support our sales and marketing efforts. However, to the extent that the information provided by these third parties is inaccurate or malicious, the potential for false indications of security vulnerabilities and susceptibility to attack increases, which could adversely impact market acceptance of our products and services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem. Further, to the extent that our community of third parties is reduced in size or participants become less active, we may lose valuable insight into the dynamic threat landscape and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.

A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.

Selling to government entities can be highly competitive, expensive and time consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our products and services may also be impacted by public

sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Government entities also have heightened sensitivity surrounding the purchase of cyber security solutions due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly-visible targets for cyber attacks. Accordingly, increasing sales of our products and services to government entities may be more challenging than selling to commercial organizations. Further, in the course of providing our products and services to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, for the nine months ended September 30, 2017 and 2016, we incurred approximately 16% and 13% of our expenses, respectively, outside of the United States in foreign currencies, primarily the British pound sterling and euro, principally with respect to salaries and related personnel expenses associated with our sales and research and development operations. Additionally, for the nine months ended September 30, 2017 and 2016, approximately 5% of our revenue was generated in foreign currencies. Accordingly, changes in exchange rates may have an adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. To date, we have not engaged in any hedging strategies, and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations.

Changes in financial accounting standards may adversely impact our reported results of operations.

A change in accounting standards or practices, in particular with respect to revenue recognition, could harm our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. For example, in May 2014, the Financial Accounting Standards Board issued Accounting Standards Update No. 2014-09 (Topic 606), Revenue from Contracts with Customers, which supersedes nearly all existing revenue recognition guidance under generally accepted accounting principles in the United States. We will be required to implement this new revenue standard, as amended by accounting standards update No. 2015-14, in the first quarter of fiscal 2018. While we are still evaluating the

total impact of the new revenue standard, we believe the adoption of this new standard will have an impact on our consolidated financial statements, including the way we account for perpetual software license arrangements where the software license is deemed dependent on our content subscription arrangements, arrangements involving software licenses that are sold with our services and the recognition of direct and incremental commission costs to obtain a contract. These and other changes to existing rules or the questioning of current practices may harm our operating results or the way we conduct our business.

We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.

We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.

Risks Related to Government Regulation, Data Collection, Intellectual Property, Litigation and Catastrophic Events

We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.

Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in compliance with these laws and regulations. Compliance with these laws and regulations is complex, and if we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible

employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers. A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.

We also incorporate encryption technology into our products. These encryption products may be exported outside of the United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.

Further, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to U.S. embargoed or sanctioned countries, governments or persons. Although we take precautions to prevent our products from being provided to those subject to U.S. sanctions, such measures may be circumvented and we have in the past identified limited instances of non-compliance with these rules. After these instances were disclosed to U.S. authorities, those authorities decided not bring enforcement actions against or impose penalties on us.

Finally, there are currently multinational efforts underway as part of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, or the Wassenaar Arrangement, to impose additional restrictions on certain cyber security products. Such controls have been implemented by many Wassenaar members, but are not currently in effect in the United States and may undergo substantial modification before becoming effective. To implement the controls under the Wassenaar Arrangement in the United States, the U.S. Department of Commerce’s Bureau of Industry and Security, or BIS, would have to amend the Export Administration Regulations, or the EAR. Such amendments could include changes that impose new licensing, approval and other requirements on our commercial Metasploit products

and thereby put us at a disadvantage in competing for international sales. We are closely monitoring the potential implications of the Wassenaar Arrangement on the commercial versions of Metasploit, and are actively working with BIS and other U.S. government stakeholders in connection with the implementation of the controls under the Wassenaar Arrangement.

Failure to comply with governmental laws and regulations could harm our business.

Our business is subject to regulation by various federal, state, local and foreign governments. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.

Because our products collect and store user and related information, domestic and international privacy and cyber security concerns, and other laws and regulations, could result in additional costs and liabilities to us or inhibit sales of our products.

We, and our customers, are subject to a number of domestic and international laws and regulations that apply to online services and the internet generally. These laws, rules and regulations address a range of issues including data privacy and cyber security, and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, cyber security and breach notification procedures. Interpretation of these laws, rules and regulations and their application to our products and services in the United States and foreign jurisdictions is ongoing and cannot be fully determined at this time.

In the United States, these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, HIPAA, the Gramm Leach Bliley Act and state breach notification laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents. Internationally, virtually every jurisdiction

in which we operate has established its own data security and privacy legal frameworks with which we, or our customers, must comply, including the EU Data Protection Directive 95/46/EC (“Directive”) established in the European Union (“EU”) and local EU Member State legislation implementing the Directive, such as the Data Protection Act in the United Kingdom. In addition, in April 2016, the European Union adopted a new General Data Protection Regulation designed to update privacy current privacy laws to better reflect the digital economy and to unify data protection within the European Union under a single law, which will likely result in significantly greater risks, compliance burdens and costs for companies with users and operations in the European Union. Under the General Data Protection Regulation, fines of up to 20 million euros or up to 4% of the annual global turnover of the infringer, whichever is greater, could be imposed for significant non-compliance. These laws are broad in their application and apply when we do business with EU-based customers and our U.S.-based customers that collect and use personal data that originates from individuals resident in the EU. They also apply to transfers of information between us and our EU-based subsidiaries, including employee information. The General Data Protection Regulation will go into effect and apply to us beginning in May 2018. Further, many U.S. federal and state and other foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. Non-compliance with these laws could result in penalties or significant legal liability. We could be adversely affected if legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations or financial condition.

In addition, to facilitate the transfer of both customer and personnel data from the European Union to the United States, we signed up to the EU-U.S. Safe Harbor Framework, which required U.S.-based companies to provide assurance that they were adhering to relevant European standards for data protection. On October 6, 2015, the Court of Justice of the European Union, or CJEU, invalidated the EU-U.S. Safe Harbor Framework. In light of CJEU’s decision, we have reviewed our current operations to ensure that our EU-U.S. data transfers comply with EU data protection laws. The available legal basis for such transfers will depend on a number of factors, including, for example, the type of data and the European Economic Area country from which the data is being transferred, and may require that we obtain express consent from the customer or employee whose data is being transferred or include in our agreements with the applicable customer or European Economic Area employing entity the standard contractual clauses that have been approved by the EU Commission or adopt one of the other alternative mechanisms available in order to effect such transfers in compliance with the EU laws (although certain German regulators have expressed concerns in respect of the standard contractual clauses and in October 2017, the Irish High Court referred the question as to whether the standard contractual clauses can be used as a basis for data transfers to the United States to the CJEU). Our compliance actions may involve substantial time and expense; for example, if we enter into the standard contractual clauses with a customer, in some EU countries, including Belgium and Spain, executed clauses need to be lodged with or notified to the country’s data protection

authority prior to the transfer of any data, and in other countries, including Austria, France, Ireland, Romania and Slovenia, the clauses need to be approved by the country’s data protection authority prior to use, although this will no longer be a requirement under the General Data Protection Regulation. Non-compliance could result in the EU data protection authorities imposing a number of different sanctions on us until we do, including fines and, ultimately, a prohibition on transfers.

In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing practices or the features of our products. We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom we rely in relation to various services, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.

The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Privacy or cyber security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.

Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Our failure to comply with existing laws, rules or regulations, changes to existing laws or their interpretation, or the imposition of new laws, rules or regulations, could result in additional costs and may necessitate changes to our business practices and divergent operating models, which may have a material and adverse impact on our business, results of operations, and financial condition.

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.

Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.

We cannot assure you that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Rapid7,” “Nexpose” and “Metasploit” names and logos in the United States and certain other countries. We have registrations and/or pending applications for additional marks in the United States and other countries; however, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot assure you that such third parties will maintain such software or continue to make it available.

In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.

From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition.

Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.

Patent and other intellectual property disputes are common in our industry. We are periodically involved in disputes brought by non-practicing entities alleging patent infringement and we may, from time to time, be involved in other such disputes in the ordinary course of our business. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners, whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.

The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.

An adverse outcome of a dispute may require us to:

•

pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;

•

cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;

•

expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;

•

enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and

•

indemnify our partners and other third parties.

In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore, our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.

Our intercompany relationships are subject to complex transfer pricing regulations, which may be challenged by taxing authorities.

We generally conduct our international operations through wholly-owned subsidiaries and report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. In 2016, we completed the reorganization of our corporate structure and intercompany relationships to more closely align our corporate organization with the expansion of our international business activities. Although we anticipate achieving a reduction in our overall effective tax rate in the future as a result of this reorganized corporate structure, we may not realize any benefits. Our intercompany relationships are and will continue to be subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. In addition, if the intended tax treatment of our reorganized corporate structure is not accepted by the applicable taxing authorities, changes in tax law negatively impact the structure or we do not operate our business consistent with the structure and applicable tax laws and regulations, we may fail to achieve any tax advantages as a result of the reorganized corporate structure, and our future operating results and financial condition may be negatively impacted.

Our ability to use net operating losses to offset future taxable income may be subject to certain limitations.

As of December 31, 2016, we had federal and state net operating loss carryforwards, or NOLs, of $93.8 million and $69.2 million, respectively, available to offset future taxable income, which expire in various years beginning in 2023 if not utilized. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code, substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use NOLs if a company experiences a more-than-50-percent ownership change over a three-year testing period. Based upon our analysis as of December 31, 2016, we determined that although a small limitation on our historical NOLs exists, we do not expect this limitation to impair our ability to use our NOLs prior to expiration. However, if changes in our

ownership occur in the future, our ability to use our NOLs may be further limited. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. If we are limited in our ability to use our NOLs in future years in which we have taxable income, we will pay more taxes than if we were able to fully utilize our NOLs. This could adversely affect our operating results, cash balances and the market price of our common stock.

Comprehensive tax reform bills could adversely affect our business and financial condition.

The U.S. government recently enacted comprehensive tax legislation that includes significant changes to the taxation of business entities. These changes include, among others, (i) a permanent reduction to the corporate income tax rate, (ii) a partial limitation on the deductibility of business interest expense, (iii) a shift of the U.S. taxation of multinational corporations from a tax on worldwide income to a territorial system (along with certain rules designed to prevent erosion of the U.S. income tax base) and (iv) a one-time tax imposed at lower rates on accumulated offshore earnings held in cash and illiquid assets, with the latter taxed at a further reduced rate. Notwithstanding the reduction in the corporate income tax rate, the overall impact of this tax reform is uncertain, and our business and financial condition could be adversely affected. We urge our stockholders to consult with their legal and tax advisors with respect to any such legislation and the potential tax consequences of investing in our common stock.

Our operating results may be harmed if we are required to collect sales and use or other related taxes for our products and services in jurisdictions where we have not historically done so.

Taxing jurisdictions, including state, local and foreign taxing authorities, have differing rules and regulations governing sales and use or other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. While we believe that we are in material compliance with our obligations under applicable taxing regimes, one or more states, localities or countries may seek to impose additional sales or other tax collection obligations on us, including for past sales. It is possible that we could face sales tax audits and that such audits could result in tax-related liabilities for which we have not accrued. A successful assertion that we should be collecting additional sales or other taxes on our offerings in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our offerings or otherwise harm our business and operating results.

In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in

jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.

Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.

A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. In addition, natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by any of the events discussed above, our ability to provide our products or services to customers could be delayed.

In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a natural disaster, power failure or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future growth of our business, that may result from interruptions in our service as a result of system failures.

All of the aforementioned risks may be exacerbated if our disaster recovery plans or the disaster recovery plans established for our third-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our business, financial condition and results of operations could be adversely affected.

Risks Related to our Common Stock

The market price of our common stock has been and is likely to continue to be volatile.

The market price of our common stock may be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways. Since shares of our common stock were sold in our initial public offering, or IPO, in July 2015 at a price of $16.00 per share, our stock price has ranged from an intraday low of $9.05 to an intraday high of $27.45 through January 22, 2018. Factors that may affect the market price of our common stock include:

•

actual or anticipated fluctuations in our financial condition and operating results;

•

variance in our financial performance from expectations of securities analysts;

•

changes in the prices of our products and services;

•

changes in our projected operating and financial results;

•

changes in laws or regulations applicable to our products or services;

•

announcements by us or our competitors of significant business developments, acquisitions or new offerings;

•

our involvement in any litigation;

•

our sale of our common stock or other securities in the future;

•

changes in senior management or key personnel;

•

trading volume of our common stock;

•

changes in the anticipated future size and growth rate of our market; and

•

general economic, regulatory and market conditions.

From time to time, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial costs and divert our management’s attention.

We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.

We have provided and may continue to provide guidance about our business, other business metrics and future operating results. In developing this guidance, our management must make certain assumptions and judgments about our future performance. Furthermore, analysts and investors may develop and publish their own projections of our business, which may form a consensus about our future performance. Our business results may vary significantly from such guidance or that consensus due to a number of factors, many of which are outside of our control, and which could adversely affect our operations and operating results. Furthermore, if we make downward revisions of our previously announced guidance, or if our publicly announced guidance of future operating results fails to meet expectations of securities analysts, investors or other interested parties, the price of our common stock would decline.

If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.

The trading market for our common stock will depend, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.

We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Concentration of ownership among our existing directors, executive officers and holders of 10% or more of our outstanding common stock may prevent minority investors from influencing significant corporate decisions.

As of December 31, 2017, our directors, executive officers and holders of more than 10% of our common stock, some of whom are represented on our board of directors, together with their affiliates, beneficially owned 39% of the voting power of our outstanding capital stock. As a result, these stockholders will be able to determine the outcome of matters submitted to our stockholders for approval. This concentration of ownership by itself may have the effect of delaying, deferring or preventing a change in control of our company, impeding a merger, consolidation, takeover or other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control, which in turn, could materially and adversely affect the market price of our common stock.

Substantial future sales of our common stock in the public market, or the perception that these sales may occur, could cause our share price to decline.

Sales of a substantial amount of shares of our common stock in the public market, or the perception that these sales might occur, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. All outstanding shares of our common stock are freely tradable without restriction under the Securities Act of 1933, as amended, or the Securities Act, except for any shares of our common stock that may be held or acquired by our directors, executive officers and other affiliates, as that term is defined in the Securities Act, which are subject to restrictions under the Securities Act, or that may be issued under our equity incentive plans subject to vesting requirements. We are unable to predict the effect that these sales, particularly sales by our directors, executive officers, and significant stockholders, may have on the prevailing market price of our common stock.

We have filed registration statements on Form S-8 under the Securities Act to register shares of common stock that may be issued under our equity incentive plans from time to time. Shares registered under these registration statements are available for sale in the public market upon issuance subject to vesting arrangements and exercise of options, as well as Rule 144 in the case of our affiliates. We also filed a “shelf” registration statement on Form S-3 under the Securities Act in May 2017 that became effective in June 2017, allowing us, from time to time, to offer up to $50 million of shares of common stock and to cover the resale of up to an aggregate of 18,419,274 shares of our common stock by selling stockholders to be named in the applicable prospectus supplement to the shelf registration statement, from time to time.

Certain existing holders of our common stock have the right, subject to various conditions and limitations, to request we include their shares of our common stock in registration statements we may file relating to our securities, including the effective shelf registration statement described above. If the offer and sale of these shares are registered, they will be freely tradable without restriction under the Securities Act. In the event such registration rights are exercised and a large number of shares of common stock are sold in the public market, such sales could reduce the trading price of our common stock. In June 2017, we filed a prospectus supplement to the effective registration statement described above with respect to the sale of up to 2,800,000 shares of our common stock by two of our significant stockholders, which facilitated the resale by those holders of a portion of the shares of our common stock they hold.

In addition, in the future, we may issue common stock or other securities in connection with a capital raise or acquisitions. The number of new shares of our common stock issued in connection with a capital raise or acquisition could constitute a material portion of our then-outstanding shares of our common stock.

We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our common stock less attractive to investors.

We are an “emerging growth company,” as defined in the JOBS Act. For as long as we qualify as an emerging growth company, we intend to take advantage of certain exemptions from various reporting requirements that are applicable to other public companies that are not “emerging growth companies” including, but not limited to, the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements, and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We cannot predict if investors will find our common stock less attractive because we will rely on these exemptions and provide reduced disclosure. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile.

We are obligated to maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.

We are required, pursuant to Section 404 of the Sarbanes-Oxley Act, or Section 404, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal controls are effective. While we have established certain procedures and control over our financial reporting processes, we cannot assure you that these efforts will prevent restatements of our financial statements in the future.

Our independent registered public accounting firm will not be required to attest to the effectiveness of our internal control over financial reporting until our first annual report required to be filed with the SEC following the date we no longer qualify as an “emerging growth company,” as defined in the JOBS Act. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. We may not be able to remediate any future material weaknesses, or to complete our evaluation, testing and any required remediation in a timely fashion. We will be required to disclose significant changes made in our internal control procedures on a quarterly basis.

Our compliance with Section 404 will require that we incur substantial accounting expense and expend significant management efforts. We currently do not have an internal audit group, and we may need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404.

Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to assert that our internal control over financial reporting is effective or our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls when it is required to issue such opinion, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by the NASDAQ Stock Market, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us more difficult, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.

Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change in control or changes in our management. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:

•

authorize our board of directors to issue preferred stock without further stockholder action and with voting liquidation, dividend and other rights superior to our common stock;

•

require that any action to be taken by our stockholders be effected at a duly called annual or special meeting and not by written consent, and limit the ability of our stockholders to call special meetings;

•

establish an advance notice procedure for stockholder proposals to be brought before an annual meeting, including proposed nominations of persons for director nominees;

•

establish that our board of directors is divided into three classes, with directors in each class serving three-year staggered terms;

•

require the approval of holders of two-thirds of the shares entitled to vote at an election of directors to adopt, amend or repeal our amended and restated bylaws or amend or repeal the provisions of our amended and restated certificate of incorporation regarding the election and removal of directors and the ability of stockholders to take action by written consent or call a special meeting;

•

prohibit cumulative voting in the election of directors; and

•

provide that vacancies on our board of directors may be filled only by a majority of directors then in office, even though less than a quorum.

These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, who are responsible for appointing the members of our management. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became an “interested” stockholder. Any of the foregoing provisions could limit could limit the opportunity for our stockholders to receive a premium for their shares of our common stock, and could also affect the price that some investors are willing to pay for our common stock.

Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

Pursuant to our amended and restated certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provision. The forum selection clause in our amended and restated certificate of incorporation may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.


						Jeff Kalowski
						Chief Financial Officer

Rapid7, Inc.

Dated: January 23, 2018

/s/ Jeff Kalowski