Rapid7 Inc (RPD) 2018 Q1 法說會逐字稿

Ladies and gentlemen, thank you for standing by, and welcome to the Rapid7 First Quarter 2018 Financial Results Conference Call.

(Operator Instructions) As a reminder, this conference is being recorded, Tuesday, May 8, 2018.

I would now like to turn the call over to Mr. Jeff Bray, VP of Investor Relations. Please go ahead.

Thank you, operator, and good afternoon, everyone. We appreciate you joining us to discuss Rapid7's Q1 2018 financial and operating results in addition to our financial outlook for the second quarter and full fiscal year 2018.

I'm Jeff Bray, VP of Investor Relations. I'm here today with Corey Thomas, our President and CEO; and Jeff Kalowski, our CFO.

We distributed our Q1 2018 earnings press release over the wire, and it's now posted on our website at investors.rapid7.com. We've also posted our updated company presentation and financial metrics file on our Investor Relations website, which includes additional information to help explain the impact of shifting to 606 on our Q1 financials. This call is being webcast and can be accessed at investors.rapid7.com.

The webcast of this call will be archived, and a telephone replay will be available on our website until May 15, 2018.

We would like to bring the following to your attention. The date this call is May 8, 2018. Our discussion today contains forward-looking statements about events and circumstances that have not yet occurred, including, without limitations, statements regarding our objectives for future operations and future financial and business performance. These forward-looking statements are based on our current expectations and beliefs and on information currently available to us. Statements containing words such as anticipate, believe, continue, estimate, impact, intend, may, will or other similar statements are intended to identify such forward-looking statements. Actual outcomes and results may differ materially from the expectations contained in these statements due to a number of risks and uncertainties, including those contained in the risk factors section of our most recent annual report on Form 10-K filed with the Securities and Exchange Commission and subsequent reports that we file with the Securities and Exchange Commission. The information provided on this conference call should be considered in light of such risks. Actual results and the timing of certain events may differ materially from the results or timing predicted or implied by such forward-looking statements, and reported results should not be considered as an indication of future performance. Rapid7 does not assume any obligation to update the information presented on this conference call except to the extent required by applicable law.

On this call, we will provide and talk about our results using non-GAAP financial measures and provide non-GAAP guidance, and unless otherwise stated, for purposes of comparability, we'll be presenting results in accordance with ASC 605. We believe that the use of these non-GAAP financial measures provides an additional tool for investors to use in understanding company performance and trends, but note that the presentation of non-GAAP financial information is not meant to be considered in isolation or as a substitute for the directly comparable financial measures prepared in accordance with GAAP. We have provided a reconciliation of the historical non-GAAP financial measures to the most comparable GAAP measures in the financial statement tables included in the press release issued today announcing our results. The press release announcing our financial results is available on our website at investors.rapid7.com.

At times in our prepared comments or in our responses to your questions, we may offer incremental metrics to provide greater insight into the dynamics of our business or our quarterly results. Please be advised that this additional detail may be onetime in nature, and we may or may not provide an update in the future on these metrics.

With that, I'd like to turn the call over to Corey.

Thanks, Jeff, and good afternoon, everyone. Thank you all for joining us today on our first quarter 2018 earnings call.

Rapid7 had a strong start to 2018, putting us in a great position to achieve our 2018 goals, our long-term aspirations and our overall SecOps vision. Enterprises are prioritizing cybersecurity in their IT budgets, and products that provide visibility, analytics and automation continue to outgrow the overall market for security software.

With a broad set of market-leading solutions, our SecOps portfolio and platform are resonating with our customers and it's a broader market. The highlight of our first quarter was our annualized recurring revenue, which accelerated to 38% year-over-year growth. In addition, in Q1, we delivered ASC 605 recurring revenue growth of 40%, ASC 605 revenue growth of 29%, and we also made progress towards hitting our 2018 and 2019 profitability goals. Based on the strength of our business so far this year, we are raising our guidance for growth in both ARR and revenue for 2018, maintaining our guidance for 2018 operating loss and reiterating our goal of achieving profitability in 2019.

At the RSA Conference in April, customers, partners and prospects validated our strategy to provide SecOps solutions that are easy to install and easy to use. Today, most security IT and DevOps teams find themselves operating in silos, struggling to work together. This misalignment not only results in poor security practices, it also slows an organization's ability to innovate. SecOps is the practice of aligning security, IT and DevOps teams through a shared set of data and tools. Shared visibility, supported by analytics and automation, creates a common language for teams that breaks down barriers and ultimately accelerates innovation.

The Rapid7 Insight platform unifies data collection and delivers the visibility, analytics and automation needed to power a well-managed SecOps program.

The biggest news of the quarter came in March when Forrester Research recognized Rapid7's InsightVM as a Leader in The Forrester Wave for Vulnerability Risk Management. In Forrester's words, "Rapid7 has already implemented what VRM will look like in the future." InsightVM earned the highest scores in their scorecard across nearly every criteria. Also, in April, InsightVM was recognized as the best vulnerability management solution by SC Magazine. These types of recognitions reinforce InsightVM as a leader in a market that increasingly demands more from vulnerability management solutions, help it to open doors to more and more opportunities. These InsightVM recognitions follow 2 key Gartner reports in 2017: first, where InsightIDR was named a visionary by Gartner in the SIEM Magic Quadrant; and second, when our application security solutions earned the highest scores in Gartner's evaluation of Dynamic Application Security Testing, or DAST. We have always said that we have great technology, but now we're getting third-party validation across our portfolio. You can understand why we are so proud of our R&D teams and why we continue to lead a customer growth and retention rates.

Now let's review the quarter in the context of our 2018 goals. First off, the highlight of the first quarter performance was our ARR, which accelerated to 38% growth, well ahead of our goal of at least 30% growth. ARR growth is being supported by the overall health of the market that we address, our shift from perpetual to subscription across all of our products and strong performance of our go-to-market teams who are quickly transitioning to selling based on ARR. During the quarter, we officially shifted all of our products to subscription pricing, and we saw a dramatic shift to subscription contracts during the quarter. Our customers have quickly embraced the simplicity and ease of subscription pricing and continue to migrate to our cloud platform-based solutions for enhanced visibility, analytics and automation. One metric we are now tracking is ARR per customer, which also saw strong growth, increasing 23% year-over-year to almost $25,000 per customer. The entire Rapid7 organization is aligned to drive ARR growth, and we are enjoying those results today. Our management team is compensated on ARR, our sales quotas are based on ARR, and we now have a full complement of SaaS and subscription products across our product portfolio. Our sales team has done a great job of positioning to an ARR model, and we have also experienced higher-than-expected retention of our sales team during this critical transition, which is helping drive confidence in our plan for ARR growth.

As for our second goal, which is to leverage the expansion of our SecOps portfolio to keep driving new customer growth and cross-selling into our customer base, we had a strong quarter in sales to both new and existing customers. This quarter, we grew customers by 12% year-over-year. The quality of our customer growth continues to be high, with our platform customers going 82% year-over-year and very strong growth in ARR per transaction as we shift to subscription. One effect of our shifting incentive compensation towards ARR is that we are seeing slower growth in overall services customers and revenues, although we are generating higher ASP per services customer. We are now focusing on more strategic services relationships, which also contributes to a stronger, higher-quality customer and revenue base. The net impact is that we believe we are increasingly focused on adding customers that have the greatest lifetime value.

InsightVM continues to be our primary tool for customer acquisition, driving new customers across the Fortune 1000, mid-market and internationally. Once again, we increased our Fortune 100 penetration to 55%. One example of a new InsightVM customer is a Fortune 1000 video game publisher with a small team responsible for a huge vulnerability management environment with over 200,000 assets. Their existing solution had too many manual processes and lacked quality integrations with ServiceNow and other solutions in their SecOps environment.

With InsightVM, the customer is able to quickly improve visibility across a very complex modern infrastructure and can now leverage remediation workflows to integrate directly with their ServiceNow deployment. Our platform approach means that we now have an opportunity to sell them more products and applications such as our application security and Komand. This is a good example of why we have confidence in being able to continue to lead the market in customer acquisition.

Once again, this quarter, we achieved a strong renewal rate of 120%, as our existing customers continue to return to Rapid7 for more coverage and more solutions to solve their security and SecOps challenges. Our cross-selling continues to accelerate, with new ARR cross-selling growth up 83% year-over-year, and cross-selling transactions up plus 50%. We continue to see strong growth for InsightIDR as customers increasingly see value in powerful visibility and analytics solutions that can improve their risk profile by dramatically reducing the time to discover a breach as well as reducing the time to investigate breaches. The market understands that a strong user behavior analytics tool is required for detection and that only a cloud-based solution can quickly and cost-effectively enable detection and response. Our existing customers also recognize the value in consolidating their visibility and analytics solutions with one provider. For example, a $400 billion asset manager with a 3-person security team was looking to upgrade their legacy SIEM, which is only capable of providing them with compliance reporting to date. The customer is already a VM and applications security customer of Rapid7. The team required a strong UBA solution, especially one that can identify a lateral movement by attackers. Not only did InsightIDR perform the best in their evaluation, other deception features and integrations into our cloud platform for vulnerability management proved to be a major differentiator, and the customer was able to experience the excellent time-to-value that InsightIDR can provide.

We also continue to see growing interest in application security as customers increasingly realize that web-facing applications are a major risk for attacks, and also an area where they often lack visibility. We entered this market in 2015 with our AppSpider product, which is an on-premise solution and is offered on a term-licensed basis today. As part of our shift towards cloud-based solutions and ARR, last year, we launched InsightAppSec on our cloud platform. While our AppSpider solution had a great Q1, with overall interest increase in application security and the maturation of our cloud solution, we are beginning to see demand shift towards InsightAppSec. Jeff will go into the accounting impact of this shift a little later.

As an example of the building momentum for InsightAppSec, our largest ARR deal this quarter was a Fortune 500 financial technology customer already relying on Rapid7 for Nexpose, Metasploit and AppSpider. They were looking to consolidate multiple application security solutions with a provider that could quickly and effectively scan their 4,000 apps every month across both legacy and modern applications. The customer's able to consolidate a legacy product with Rapid7, and InsightAppSec proved to be the most flexible and effective solution. And also, clearly, provided the best time-to-value. With only 1.5 solutions per customer on average today, we still have plenty of runway to cross-sell into our existing base.

And to our third goal. We remain committed to improve profitability and to generate operating cash flow in 2018 as well as to generate profit for 2019. In the first quarter, our operating loss was within our guidance range, and we generated $7.3 billion in cash from operations. We were all -- we were able to do this even while we increased some investments in our go-to-market efforts through accelerating hiring of account executives and an accelerated deployment of a new CRM system for improved operational efficiency. We chose to make these investments that to help maintain our momentum in ARR growth, providing a strong foundation for 2019 when we can begin to realize the full leverage of our land-and-expand model and our shift to subscription pricing and the goal of generating non-GAAP operating profit.

Overall, the first quarter was a great start to 2018, and we made good progress on our 2018 operational and financial goals. Our focus on ARR has been embraced by our sales teams and customers, and our SecOps portfolio is meeting a critical need for both new and prospective customers. I am very excited about what is ahead for Rapid7.

With that, I'd like to turn the call over to Jeff to discuss our financial results and our guidance. Jeff?

Thanks, Corey. Before I begin discussing our strong results for the first quarter of 2018, I want to remind everyone that as of January 1, we've adopted ASC 606 on a modified retrospective basis and, therefore, we'll report each quarter's results under both ASC 606 and ASC 605. We've included all of these details in our earnings press release today. When discussing our year-over-year growth rates and other key trends in our business, we'll be comparing our results on an ASC 605 basis as we don't have prior year operating results under 606, and a comparison would not be meaningful.

To summarize Q1, on an ASC 606 basis, total revenue was $54.5 million, and non-GAAP operating loss was $8.9 million. On an ASC 605 basis, total revenue was $58.2 million, and non-GAAP operating loss was $6.9 million. We are pleased with our strong performance in the first quarter. As I just mentioned, total Q1 revenue on an ASC 606 basis was $54.5 million and above the high end of guidance. Product revenue was $35.3 million, maintenance and support revenue was $10.8 million, and our professional services revenue was $8.5 million.

I will now discuss our revenue on an ASC 605 basis and all comparisons are to the prior year. Total revenue for the first quarter of 2018 was $58.2 million, an increase of 29%. Product revenue was $37.8 million, an increase of 46%. Maintenance and support revenue was $11.7 million, an 8% increase. And our professional services revenue was $8.7 million, a 3% increase. Our product revenue was once again driven by strong bookings in both VM and IDR, with accelerating recurring revenue.

As we expected, with the shift towards ARR quotas for our sales force, we did see a slowing in professional services bookings and associated revenues. Going forward, we expect professional services revenues will be closer to flat to down compared to 2017.

During Q1, we also had a benefit from the impact of revenue previously deferred in 2017 that met the criteria for revenue recognition in the first quarter. However, even without this benefit, we would have exceeded the upper end of our guidance.

As a reminder, the major differences in revenue recognition between ASC 606 and ASC 605 are as follows: lower perpetual license revenue in 2018 as we spread those revenues over 5 years under 606; and lower maintenance revenue as we use a different allocation method under 606; finally, as Spider term licenses are recognized upfront under 606, we've provided a benefit in Q1. As Corey mentioned, the shift of our application security business towards a SaaS solution appears to be accelerating, which means that more of our application security revenue may be deferred and recognized over the contract term as opposed to recognized upfront under 606. This is purely income statement accounting and has no impact on cash flow. This is the reason the midpoint of our 2018 revenue guidance under 606 is not increasing as much as it is under 605.

We continue to have very high visibility into our revenue forecast. Recurring revenue was 77% of total revenue under ASC 606. Under ASC 605, recurring revenue was 75% of total revenue in the first quarter of 2018, up from 69% in 2017, which is growth of 40%. 85% of total revenue under ASC 606 and 89% of total revenue under ASC 605 came from deferred revenue on the balance sheet at the beginning of the quarter. Majority of this difference was due to less perpetual revenue being recognized under ASC 606.

The value of our annualized recurring revenue increased to $177.8 million at the end of the first quarter, a 38% increase year-over-year, which we believe is indicative of the success we are having with our shift to subscription.

Calculated Billings for the first quarter were $48 million, or up 9% year-over-year. Average contract lengths were 18 months for total billings, down significantly from 23 months in the prior year period. As we said since we launched InsightVM, given the mixed shift from perpetual to subscription, we've expected our customers to shift towards 1-year contracts, and we saw that materialize in Q1. Also, our 2018 quotas for our sales reps are now based upon new ARR. Consequently, we believe billings and contract lengths are no longer a meaningful comparison to prior periods during this transition as they don't capture the benefit of a higher subscription mix and growth of our new or recurring revenue. The net result is that our billings are resulting in more recurring revenue and greater lifetime customer value.

Looking at the business geographically. In Q1, North America comprised 85% of revenues. Rest of World revenue increased 22% year-over-year and contributed 15% of total revenue in the first quarter. While the West -- while our rest of world revenue growth was a little slower this quarter due to a large services deal recognized in Q1 2017, we did see our international bookings grow faster than overall bookings.

Our customer count increased by 12% year-over-year, and we ended Q1 with more than 7,100 customers globally. Overall, we continue to see strong bookings from new customers, driven by larger deal sizes, multiproduct sales and increased recurring revenue, which we believe are important parts of our growth strategy. And as Corey said, fewer but higher quality services customers. Our renewal rate was 120%, and our expiring revenue renewal rate was 89% in the first quarter. As Corey mentioned, we had a strong cross-sell in the quarter.

Turning back to the P&L. On an ASC 606 basis, non-GAAP total gross margin for Q1 2018 was 72%. Product gross -- non-GAAP gross margin was 79%. Maintenance and support non-GAAP gross margins were 83%. The professional services non-GAAP gross margins were 28%. On an ASC 605 basis, non-GAAP total gross margin for Q1 2018 was 74% compared with 74% also in the prior year period.

Cost of goods sold were essentially the same for both ASC 606 and 605 and, therefore, the gross margin difference is all due to lower revenues in 606. On a 605, non-GAAP product gross margins were 80% in Q1. And as expected, were down from 84% the prior year period due to increased usage of our SaaS platform and its service offerings, although they did improve from Q4 as we realized some of the benefits of increasing scale in our cloud offering.

Our non-GAAP maintenance and support gross margin increased to 84% in Q1 from 83% in the prior period. In aggregate, our product plus maintenance gross margins were 81% in Q1 as compared to 84% the prior period, and we believe it is important to look at product and maintenance gross margins on a combined basis as we migrate more customers to the platform and our maintenance revenues and costs continue to migrate to product revenues and costs. We still expect our combined product and maintenance gross margins to decrease slightly for the full year.

Our non-GAAP professional services gross margin was 31% in Q1 compared to 34% in the prior year period as we have slightly lower services bookings and utilizations this quarter. We would expect professional services gross margins in the mid-30s for the full year 2018. We continue to expect our total gross margin to stay in the low to mid-70s on both an ASC 605 and ASC 606 basis.

For operating expenses, please note that the only difference between 605 and 606 was in sales and marketing expense, which was $1.7 million lower in 606 due to the impact of deferring sales commissions, which is in line with our guidance. As for operating expenses, we saw modest leverage in sales and marketing year-over-year, with sales and marketing decreasing to 50% of revenues.

As Corey mentioned, given the opportunity that we are seeing in 2018, we decided to make 2 incremental investments in Q1 to help drive ARR growth this year. First, we accelerated sales force hires that were planned for later in the year. Second, we accelerated some upgrades to our CRM systems to drive more efficiency in our quoting and forecasting. Without these investments, we believe we would have reported a non-GAAP operating loss better than our guidance range. We intend to make some additional investments again in Q2, but we still expect to see leverage from sales and marketing expense for the full year of 2018.

Our R&D expenses were up slightly as a percentage of revenue this quarter, partly due to the Komand acquisition and some onetime expenses. We continue to expect flat R&D as a percent of revenue for the full year.

Moving to first quarter operating loss. On an ASC 606 basis, non-GAAP operating loss was $8.9 million, which was at the favorable end of our guidance of a loss of $10.1 million to $8.8 million. On an ASC 605 basis, non-GAAP operating loss was $6.9 million, slightly better than the midpoint of our guidance of a loss of $7.4 to $6.5. On a 606 basis, adjusted EBITDA loss for the first quarter was $7.4 million. On a 605 basis, adjusted EBITDA loss was $5.4 million for the first quarter compared to a loss of $4.6 million in the prior year period. On a 606 basis, non-GAAP net loss per share was $0.19 in Q1 2018. At 605 basis, non-GAAP net loss per share was $0.15. We ended Q1 with cash, cash equivalents and investments of $130 million, inclusive of the $31 million raised from our public offering in January of this year. This compared with $92 million as of December 31, 2017. Our operating cash flow for Q1 was positive $7.3 million.

Moving to our second quarter and full year guidance. As for ARR, given our strong momentum coming into 2018 and our strong performance on new bookings entering Q1, we're raising our guidance for full year in Q2 ARR growth to exceed 33%. For Q2 2018, on an ASC 606 basis, we anticipate total revenue to be in the range of $54.3 million to $55.7 million. We anticipate non-GAAP operating loss to be in the range of $9.8 million to $8.4 million. We anticipate non-GAAP net loss per share for Q2 2018 to be in the range of $0.21 to $0.18. This is based on an anticipated 46.5 million weighted average shares outstanding. On an ASC 605 basis, we anticipate total revenue to be in a range of $57.6 million to $59 million. This equates to year-over-year growth of 21% to 24%. We anticipate non-GAAP operating loss to be in the range of $8.7 million to $7.8 million.

As we mentioned, we are increasing some investments in our sales organization in Q2 to take advantage of the momentum that we have built in the business around ARR and our shift to the cloud. For the full year 2018, we are raising our total revenue guidance. On an ASC 606 basis, we are raising our guidance for total revenue to be in the range of $231 million to $236.5 million. This equates to an impact of approximately $12.5 million to $13.5 million from ASC 605. The midpoint of our 606 guidance is increasing by $1 million less than in 605 due to the impact of a mix shift over our application security bookings to Insight app set from our on-premise solutions resulting more radical versus upfront recognition as we mentioned before. This is purely timing of when we recognize the revenue and has no impact on cash flow.

We are maintaining our guidance for non-GAAP operating loss to be in the range of $26 million to $20 million. We anticipate non-GAAP net loss per share for 2018 to be in the range of $0.55 to $0.42 just based on an anticipated 46.7 million weighted average shares outstanding. On an ASC 605 basis, we are raising total revenue to be in the range of $244.5 million to $249 million. This equates to year-over-year growth of 22% to 24%. We are maintaining our guidance for our non-GAAP operating loss to be in the range of $25 million to $21 million. Our full year guidance reflects our plan to increase investment into our sales organization during the first half of the year, but also more leveraged from sales expense in the second half of 2018.

In conclusion, we've built strong momentum with our shift to the cloud and subscription, leading to raised ARR and revenue guidance, and we are maintaining our operating loss guidance for 2018 as well as our plan to generate operating profit for 2019.

With that, we appreciate your time and support, and we'll open the call for any questions. Operator?

(Operator Instructions) And our first question comes from the line of Saket Kalia with Barclays.

Maybe just to start with you, Jeff. Nice acceleration on the ARR. I think this was the -- really the first quarter where we had the sales force all aligned on ARR and also the first quarter or first full quarter where we introduced a subscription version of the product as well. Maybe qualitatively, how do you think about those different drivers to the acceleration of ARR this quarter? And just to make sure we asked the question, were there any onetimers to call out? Because it was a nice acceleration in ARR.

Yes. Saket, I think that we were very careful and we spent a lot of time structuring the comp plans to influence the right behavior. And we talked about it a lot is that we want them focused on ARR. And historically, we've been on TCV plan, so we made sure that, that transition could go as smoothly as possible. And I think that what we saw in Q1 is that they really embraced the opportunity to do well and to be compensated appropriately on that shift to ARR and not have to be dependent on multiyear deals and TCV in the past. And I think that was a pretty big driver. Also, we saw a nice shift from subscription from our perpetual deals when they're on our non-cloud products as well. That also drives more ARR per transaction. I think it's overall enthusiasm for the SecOps platform, I'll let Corey add some commentary there that he talked about in his prepared comments.

Yes. I think one of the benefits we had back, (inaudible) our IDR products have been on an ARR-owned and ARR basis for a while. So when you think about the big shift that was really in our (inaudible) management operate , which had very, very healthy growth for the quarter. A big part of that though was that our sales team is selling to a customer base that was already in a market that was subscription-based. And so that lessens the risk for us as a company and that translated through higher productivity and higher growth rates in ARR.

Saket, I'm sorry, I forgot to answer your question on the onetimers, no, we didn't see any one large -- excessively large deal that would have skewed the results at all.

Got it. That's all really helpful. Maybe for my follow-up for you, Corey. It's been a couple of quarters since we brought Komand into the fold. I guess the question is how are you thinking about that product, enhancing what we have in VM and SIEM versus that is really a standalone tool to make a bigger play sort of into the orchestration market, any thoughts on command and its future would be helpful.

Absolutely. We've always said the Komand orchestration and automation market is huge, and we see more and more customers looking for solutions there, and we will be a major player in that market. Our priorities right now are integrated it into our platform. We believe that data and analytics-driven automation will provide customers a much, much more robust platform, and our goal is to be a dominant player in the market and to add lots of innovations to the market and actually help make orchestration and automation mainstream. That said, you will see both a major product offering in Komand over time. And you'll also see us roll out orchestration and automation capabilities in our products this year that really are focused on solving the customers' (inaudible) problem as well as differentiated our solutions versus others in the market. So the answer is both, it's a massive market, it's also a core capability of the platform. We think it's going to drive -- help drive continued growth.

Our next question comes from the line of Matt Hedberg with RBC Capital Markets.

This is actually Matt Swanson on for Matt. Corey, you started off talking about InsightVM, the success you've seen and some of the accolades you've received recently. Could you just talk a little bit more about some of the specific differentiation in the offering and kind of the competitive landscape you're seeing around it?

Yes, no, absolutely. So if you think about Vulnerability Management, historically, it's been mentioned much more as a tactical solution. And our observation that really started 4-plus years ago that the problem of how people manage and maintain their IT environments was one of the single biggest causes of (inaudible) risk. And if we could actually translate what we were doing in vulnerability management to helping customers better manage, maintain, update, configure and control the environment and to solve the IT complexity problem from a security operations perspective, then we would be doing a great service for our customers and make ourselves wildly successful. That is the core of the translation of how vulnerability management products have been set up vision. It is about not just reporting, it's about taking data about the environment, analyzing the vulnerability state of the environment and then making it easy for people to remediate and shift that state of the environment. And so the big differentiators that we get credit for are our analytics about risk exposure and the environment, our analytics about their remediations in environment, helping people understand not just what the vulnerabilities are but how does that relate to their IT operational practices. And then what we're doing as we go forward is translating that remediation analytics and remediation workflows into remediation orchestration and automation that allows people to much more effectively pass control to maintain the environment. What we're seeing as a natural outcome of that is that vulnerability management will just be managed by a very small subset of the security team focused on compliance. For our customers, it's now becoming a core capability that spans both security and IT and as part of that, they operate -- have made sort of vulnerability management much more operational.

That's great. And then, if I could just ask one more. Another really strong quarter for cross-sell. I was just wondering how efficient you feel the go-to-market motion is right now around cross-selling? Like, are you firing on all cylinders? Or is there additional gains to be made in that?

But we're making -- so, one we made great gains, we're seeing great momentum in cross-selling. And we believe that there are still greater gains to be made. We still are in the early stages of the ARR per customer that we can achieve, the number of products for customers we can achieve, and we're getting positive feedback and momentum from our customer base on our overall SecOps portfolio strategy. So we're optimistic that we actually have sustainable growth in cross-selling, which leads to a much higher rates of ARR.

Our next question comes from the line of Michael Turits with Raymond James.

This is Eric Heath on for Michael. I just -- maybe a couple of questions to follow up on Matt's questions. Could you maybe talk about how your resources between going after new customers versus expanding the existing customer base? Just kind of how you allocate those resources? And then further, to how the sales force is organized to land new customers versus cross-selling and up-selling existing customers, just kind of the dynamic between those 2.

Yes, absolutely. So one, we actually have the luxury to be firing on all cylinders. And so because of that, we actually believe that the best thing is keeping it simple and so we're focused on one thing: ARR growth. And we achieve ARR growth both by adding new customers but also expanding. So it is an (inaudible) for us and the way that we structure our sales team -- we have a team that actually focuses on customer relationship management and account management and the renewals' ecosystem. And then we have a team that's responsible for new ARR growth. And that can come from adding new customers or from expanding existing customers. And we, for the stage that we're at right now, we're fine with either one. We have massive growth in the number of customers that we're going to add to our platform, and we have substantial opportunities to grow the ARR by per customer, by huge multiples. And so because we actually have positive outcomes that we can achieve on either, we've actually left it to our sales team to actually figure out what's the most efficient way to grow. Now we are managing it and we are looking at it until we do put (inaudible) and incentives in place, facts that you can balance. So you should continue to see us both add new customers and expand the ARR for customers, but right now, we're just focused on the overall growth of ARR biggest because both of those are going to grow substantially over time.

Great. That's helpful. And then maybe similarly, on the VM kind of competitive landscape. Could you maybe just talk about what you're seeing with the competition in terms of endpoint vendors that may be moving toward VM? It just seems like kind of a little bit of shift they're -- a little bit of a (inaudible) going on. And just how that impacts you strategically going forward?

Well, it's not really a shift. There's always, I think -- since the history of vulnerability management -- there's always been players that attempt to add VM as a feature. And it's always been -- even in the days of when it was truly compliant, it's always been wildly inadequate like everyone from IBM to Tanium, it's a whole list of people to the current-crop of people who look at it as a feature of just saying, "Hey, I have a small view on the assets. Can I have a small view of a significant subset of vulnerabilities?" If you think about what a modern vulnerability management program which has evolved over time, it's about providing for basic visibility into the environment not just the assets where you actually have agents solve. It's about providing visibility to your cloud infrastructure to all of those hidden assets that have no agents to solve and have never had agents to solve in the environment. And then, understanding every application and service installed in those assets and not just what the -- what the pass level or the vulnerability level is but also understanding the configuration level of those assets. At the end being able to analyze what's the overall risk and exploitability of the environment and then translate that into a remediation workflow and action plan, that in the future, you'll be able to automate. That is a incredible difficult feat of engineering, and most people want to actually get into the details of what it takes to actually run a modern VM program realize that's it's a market differentiator against other endpoint vendors or whatever other market that they're in. But none of those things have proven credible as a true vulnerability management solution.

Our next question comes from the line of Rob Owens with KeyBanc.

This is Liz on for Rob. Was curious if you could comment on the underlying market you're seeing in vulnerability management, whether you're seeing kind of a breadth of -- if you've seen any change in growth in that market, and then whether or not -- whether that change is coming from increasing breadth of scans or sort of scanning more of your environment or more frequency of scans?

Yes. So we're different than lots of other vulnerability management companies because we're selling to the value proposition of how people operationalize their security. And so we're just as much selling into "vulnerability management budget" as we are -- what do you do about it and how you operational security, how do you actually analyze your remediation and your IT processes and then how do you automate those over time and tie those into your workflows. Because we actually have that unique proposition, we're seeing much higher demand because most of the customer that we're talking to and a big part of the growth that we're seeing, they're trying to move past the place of just having visibility into a place where they can actually really start operationalizing security and operationalizing demand for the environment. So we see incredibly strong demand but it's not causing their (inaudible) vulnerability management is tied to our approach around SecOps and our focus on the remediation analytics, the remediation workflows and the upcoming orchestration and automation around that, that it resonates with customers saying, "Okay. I can actually do something about it."

Okay. That's really helpful. And then quickly, just curious if you had any change in sales attrition or turnover based on change in the comp plans. If there were some changes that needed to be made? And clearly, it looks like you didn't see that in the quarter, but just wondering if there is any change there?

We talked earlier, we expect that whenever you change comp plans, you always expect to have slightly higher turnover. We didn't see it. We actually had higher retention and higher productivity of our sales teams that was expected, and that gives us increasing visibility and confidence as we go through the year, which is one of the outcomes of us raising our guidance both in revenue and ARR.

Our next question comes from the line of Gur Talpaz with Stifel.

So ARR per customer, interesting metric to offer here. Looks like it accelerated here for the sixth great quarter, I think as far back to the data I have. If we break down the components here, you talked about 1.5 solutions per customer, still lot of room there. How much of the growth here is InsightIDR, InsightOps, new solutions versus the growth in VM and then, if we can expound upon that. If you think about the VM opportunity, how much -- how far do you think you're penetrated right now in your installed base just for VM?

Yes. so multiple questions there. So the core I'll just break down by how we think about the expanding ARR growth. So a simple one is that expanding the number of customers. And so that clearly has the (inaudible). When you think about on a per-customer basis, there're sort of like 3 main numbers that I point to -- the first number is sort of the amount of coverage of the asset that's driving the environment and a big part of our growth is that we have more assets per customer in the environment. The second thing which you actually are pointing to is the number of products per customer. And what we have there is that we've expanded our product portfolio and our products that we've introduced in the last 2 years have actually done quite well in the market and have been well regarded and well received. We're at the very early stages but we're seeing great adoption on the extension of the profitable customer and that's actually translated into actual both recurring revenue and they are starting to translate in revenue as time progresses on. And so it's not just something they're downloading, it's something they're actually paying significant amount of money for, so that's positive. The second part of that sort of aspect of the number of products per customer, also has to do with the fact that our products have different ASPs. So things like IDR has higher ASPs than vulnerability management has. But you have a number -- so what's happening is that our ASP growth is still in terms (inaudible) as we introduce new products. And then the last aspect is sort of -- is a temporary one, but that's the makeshift as you go from license to perpetual to a subscription basis. That started last year and that's a positive effect that you actually have, but the things that we really focus on sustainably is continuing to sell the increase to customers and then, the really big lever is increasing the products per customer there.

Gur, the other point is that the IDR continued to grow triple digit over 100% again. So to directly answer a question on the mix, but it's a data point. And VM had very strong growth as well this quarter.

That's helpful. And maybe another question here on the shift to recurring. It's obviously a big emphasis for you guys. Can you talk about the response in the installed base as you made these changes this quarter, particularly the legacy base here perpetual customers now being sold into recurring models. How has the response been thus far from those customers?

It's been positive, and a big part of the positivity is one we didn't actually -- we learned from others. Again, we had the benefit of actually doing this transition later and actually taking the time to study what's worked and what hasn't worked. We didn't force it with a stick so to speak. We actually brought a lot of carrots. And so, our cloud-based platform provides really robust capabilities around both analytics and workflow management and we'll continue to actually have capabilities that aren't just possible with the compute power that you typically have in most on-prem environments. And so by taking a benefits approach, we're actually seeing much higher levels of conversion to our (inaudible) platform than we expected.

Our next question comes from the line of Jonathan Ho with William Blair.

I just wanted to start out with some of the commentary that you had around the Forrester placement and sort of what's been the reaction from customers and partners? How has this helped you from a win rate perspective? Does this help you address different portions of the market just wanted to get over the sense of what that's meant so far?

Yes. And we talked earlier, we have achieved and we're achieving strong growth and strong pipeline there. I would say that we got the (inaudible) from Forrester because of the capabilities that we were positioning. And so it came out somewhat later in the quarter so it's too early to tell how much impact that (inaudible) had? But we've been selling that value proposition and it's been resonating with customers and part of that -- you saw the outcome of that in the results. And we definitely see that in our competitive win rates, which were already high and continue to be high. And so I was thinking we're seeing more opportunities. We've become one of those companies that as -- when people are looking to do something, that people look to -- they have to include by default. And I think that, that recognition helped us continue on that track, ensure that we have more deals over time and we have more durability in that sort of vulnerability management aspect of our SecOps business.

Got it. And then just in terms of the additional investments in sales. Can you give us a sense of maybe where those investments are going to go? Is this is going to be more on the international side? Are there certain segments of the market that you're targeting with those investments? Any color would be appreciated.

So our total sales investment is really we invest where we actually see productivity and visibility. And if you look at our performance, we see broad-based productivity, we see broad-based visibility, and so our investments are across the board because we're investing behind demand. And because we see the demand and we see the opportunity, we were able to make the investments, and it really is happening across all aspects of our business.

Our next question comes from the line of Anne Meisner with Susquehanna Financial Group.

Corey, I just wanted to dig into the new strategy around services a bit more. You have a number of different types of services that you guys offer. Are there any that you're deemphasizing more than others that you focus on more strategic customers? I would assume that pen testing and Internet response would remain somewhat strategic for you, so maybe you can just shed some light on how should we be thinking about that?

No. Absolutely. It's a great question especially as we're seeing more demand for ARR and we're seeing -- and we're focused ourselves on what we consider more strategic services. The way that we think about more strategic services is services that have a net higher lifetime value for Rapid7, not just in terms of services but also in terms of ARR. So what we're really looking at is focusing on companies and organizations that are looking to transition and transform their security program and actually really embody that SecOps vision, and we're aligning our services around that. Over time, what that means for us is that we're focused on less, I would say, transactionals, whether it's pen testing or IRR, less of the transactional compliance related work and more of the transformative work that will result in larger engagements, which are already seeing larger ASPs than our services contracts but also more strategic relationship with our customers. That's the focus of what we're doing.

Our next question comes from the line of Melissa Franchi with Morgan Stanley.

Corey, you talked a lot about investing in the direct sales force. So I'm wondering if you could maybe comment on investments in the channel? And how they're being levered to help enable the journey to subscription and if they're fully ramped on that?

That's a great question, Melissa. So one, we're actually increasing channel demand, the demand for channel partners. I think a big part of that is both the recognition that we're receiving in the market from our technology but also this traction that we're getting with customers. And so, engaging with a channel from a position when the channel wants to engage with you has just been a much easier position to engage from. Our strategy -- now that we've actually aligned everything on an ARR and a subscription basis, our strategy with the channel is actually to focus on value-added partners that can really help our customers achieve our SecOps vision. And the vision that we think helps customers be more productive. And so we're not indiscriminate now towards the channel partners, partners. We're actually taking a very thoughtful approach that combines near-term revenue and ARR, but really with long-term customer transformation, that we believe will generate the greatest economics both for the channel and for ourselves over time.

Okay, that's helpful. And then one quick one for Jeff. Jeff, I think last quarter you commented on cash flow for '18. I don't know if I missed it this quarter, but wondering if you could maybe give an updated view on what you expect for cash flow?

Yes. Sure. So we did say that the cash flow this year would approximate 2017 levels. We're not seeing any change there. But having said that, if contract lengths go down further, could be, yes -- could it be a little bit less? Sure. Still be positive operating cash flow, but it's all dependent on really the contract lengths. For a few quarters, we've been talking -- we've been saying that we expected the contract lengths to go down, and it really materialized this quarter, in Q1, with the focus on ARR, so we had less multiyear billings. But at this point, we're still saying in the same range of 2017. As I said, might be a little less if that changes, but we'll have to see how it goes over the course of the year.

Our next question comes from the line of Sarah Hindlian with Macquarie Group.

This is Fred Havemeyer on for Sarah Hindlian. Just wanted to reiterate firstly, what many others have said already here about a very nice reacceleration in ARR during this quarter. And I wanted to better understand some of the dynamics within ARR. Firstly, so on this, would you be able to describe how much of your ARR is related to purely SaaS subscriptions and how much is related to say, perpetual license you sold on a subscription or term basis? And then secondly, around the ASC 605 and 606 guidance in the presentation. Is there any way that you'd be able to help us bridge the difference between ARR reported under 605 and what we should be looking at under 606 as we build our models?

Yes, we don't break out the components of that ARR. But the SaaS portion is increasing, obviously, as we converted the -- our vulnerability management products to InsightVM in the second quarter of last year. So it's becoming a bigger portion. But still, we still have the legacy of over $100 million in that 35% portion from all the perpetual sales still carrying forward. So it's still the majority, but what we can say is that the SaaS portion is growing with the migrations and, of course, our IDR product line is all SaaS. And the way we define ARR is the same across the product line. There's no difference under 605 or 606. It's still the recurring revenue SKUs. Not the perpetual SKUs.

There are no further questions over the phone lines at this time.

Thank you, operator, and thanks for joining us today.

Ladies and gentlemen, that does conclude the call for today. We thank you for your participation and ask that you please disconnect your lines.