Table of Contents

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, DC 20549
FORM 10-Q
(Mark One)
QUARTERLY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the quarterly period ended September 30, 2017March 31, 2022
OR
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from to
Commission File Number: 001-37496
 
RAPID7, INC.
(Exact Name of Registrant as Specified in its Charter)
Delaware
35-2423994
Delaware
35-2423994
(State or other jurisdiction of

incorporation or organization)
(I.R.S. Employer

Identification No.)
120 Causeway Street
100 Summer Street
Boston, MA
MA0211002114
(Address of principal executive offices)(Zip Code)

Registrant’s telephone number, including area code: (617) 247-1717
Securities registered pursuant to Section 12(b) of the Securities Exchange Act of 1934:
Title of each classTrading symbol(s)Name of each exchange on which registered
Common Stock, $0.01 par value per shareRPDThe Nasdaq Global Market
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes      No  
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§ 232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files).    Yes      No  ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company” and "emerging growth company" in Rule 12b-2 of the Exchange Act.
Large accelerated filerAccelerated filerFiler
Non-accelerated filer☐  (Do not check if a small reporting company)Small reporting companyAccelerated Filer
Non-accelerated FilerSmall Reporting Company
Emerging growth companyGrowth Company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    Yes     No  
As of November 1, 2017,April 29, 2022, there were 43,881,14058,264,489 shares of the registrant’s common stock, $0.01 par value per share, outstanding.





Table of Contents
Table of Contents
Page
Page
PART I.
Item 1.
Item 2.
Item 3.
Item 4.
PART II.
Item 1.
Item 1A.
Item 2.
Item 3.
Item 4.
Item 5.
Item 6.



i

Table of Contents

PART I—FINANCIAL INFORMATION
Item 1.Financial Statements.

RAPID7, INC.
Consolidated Balance Sheets (Unaudited)
(in thousands, except share and per share data)
 September 30, 2017 December 31, 2016March 31, 2022December 31, 2021
Assets    Assets
Current assets:    Current assets:
Cash and cash equivalents $49,055
 $53,148
Cash and cash equivalents$141,365 $164,582 
Short-term investments 34,825
 18,779
Short-term investments93,155 58,850 
Accounts receivable, net of allowance for doubtful accounts of $1,212 and $1,061 at September 30, 2017 and December 31, 2016, respectively 48,690
 49,154
Accounts receivable, net of allowance for credit losses of $1,879 and $1,978 at March 31, 2022 and December 31, 2021, respectivelyAccounts receivable, net of allowance for credit losses of $1,879 and $1,978 at March 31, 2022 and December 31, 2021, respectively107,320 146,094 
Deferred contract acquisition and fulfillment costs, current portionDeferred contract acquisition and fulfillment costs, current portion30,984 29,974 
Prepaid expenses and other current assets 8,747
 9,152
Prepaid expenses and other current assets38,051 33,236 
Total current assets 141,317
 130,233
Total current assets410,875 432,736 
Long-term investments 1,110
 20,162
Long-term investments28,295 34,068 
Property and equipment, net 7,995
 8,088
Property and equipment, net49,804 50,225 
Operating lease right-of-use assetsOperating lease right-of-use assets89,196 83,751 
Deferred contract acquisition and fulfillment costs, non-current portionDeferred contract acquisition and fulfillment costs, non-current portion59,121 57,191 
Goodwill 83,170
 75,110
Goodwill515,333 515,258 
Intangible assets, net 17,208
 8,946
Intangible assets, net108,246 111,591 
Other assets 640
 764
Other assets13,000 11,191 
Total assets $251,440
 $243,303
Total assets$1,273,870 $1,296,011 
Liabilities and Stockholders’ Equity    
Liabilities and Stockholders’ Equity (Deficit)Liabilities and Stockholders’ Equity (Deficit)
Current liabilities:    Current liabilities:
Accounts payable $3,567
 $4,012
Accounts payable$12,163 $3,521 
Accrued expenses 23,737
 23,499
Accrued expenses56,502 82,620 
Operating lease liabilities, current portionOperating lease liabilities, current portion11,336 9,630 
Deferred revenue, current portion 133,117
 116,903
Deferred revenue, current portion378,338 372,067 
Other current liabilities 1,394
 1,195
Other current liabilities1,264 842 
Total current liabilities 161,815
 145,609
Total current liabilities459,603 468,680 
Convertible senior notes, non-current portion, netConvertible senior notes, non-current portion, net812,995 812,063 
Operating lease liabilities, non-current portionOperating lease liabilities, non-current portion93,954 90,865 
Deferred revenue, non-current portion 55,526
 52,160
Deferred revenue, non-current portion30,616 33,056 
Other long-term liabilities 2,333
 3,496
Other long-term liabilities13,253 17,342 
Total liabilities 219,674
 201,265
Total liabilities1,410,421 1,422,006 
Stockholders’ equity:    
Preferred stock, $0.01 par value per share; 10,000,000 shares authorized at September 30, 2017 and December 31, 2016; 0 shares issued at September 30, 2017 and December 31, 2016 
 
Common stock, $0.01 par value per share; 100,000,000 shares authorized at September 30, 2017 and December 31, 2016; 44,337,203 and 43,018,737 shares issued at September 30, 2017 and December 31, 2016, respectively; 43,857,005 and 42,554,683 shares outstanding at September 30, 2017 and December 31, 2016, respectively 439
 426
Treasury stock, at cost, 480,198 and 464,054 shares at September 30, 2017 and December 31, 2016, respectively (4,645) (4,391)
Stockholders’ equity (deficit):Stockholders’ equity (deficit):
Preferred stock, $0.01 par value per share; 10,000,000 shares authorized at March 31, 2022 and December 31, 2021; 0 shares issued at March 31, 2022 and December 31, 2021Preferred stock, $0.01 par value per share; 10,000,000 shares authorized at March 31, 2022 and December 31, 2021; 0 shares issued at March 31, 2022 and December 31, 2021— — 
Common stock, $0.01 par value per share; 100,000,000 shares authorized at March 31, 2022 and December 31, 2021; 58,728,035 and 58,181,816 shares issued at March 31, 2022 and December 31, 2021, respectively; 58,241,227 and 57,695,008 shares outstanding at March 31, 2022 and December 31, 2021, respectivelyCommon stock, $0.01 par value per share; 100,000,000 shares authorized at March 31, 2022 and December 31, 2021; 58,728,035 and 58,181,816 shares issued at March 31, 2022 and December 31, 2021, respectively; 58,241,227 and 57,695,008 shares outstanding at March 31, 2022 and December 31, 2021, respectively582 577 
Treasury stock, at cost, 486,808 shares at March 31, 2022 and December 31, 2021Treasury stock, at cost, 486,808 shares at March 31, 2022 and December 31, 2021(4,764)(4,764)
Additional paid-in-capital 457,904
 435,360
Additional paid-in-capital650,710 615,032 
Accumulated other comprehensive loss (23) (19)Accumulated other comprehensive loss(2,052)(812)
Accumulated deficit (421,909) (389,338)Accumulated deficit(781,027)(736,028)
Total stockholders’ equity 31,766
 42,038
Total liabilities and stockholders’ equity $251,440
 $243,303
Total stockholders’ equity (deficit)Total stockholders’ equity (deficit)(136,551)(125,995)
Total liabilities and stockholders’ equity (deficit)Total liabilities and stockholders’ equity (deficit)$1,273,870 $1,296,011 
The accompanying notes are an integral part of these unaudited consolidated financial statements.

1


Table of Contents
RAPID7, INC.
Consolidated Statements of Operations (Unaudited)
(in thousands, except share and per share data)
  Three Months Ended September 30, Nine Months Ended September 30,
  2017 2016 2017 2016
Revenue:        
Products $29,626
 $23,108
 $82,736
 $64,709
Maintenance and support 11,654
 9,694
 33,794
 27,037
Professional services 9,241
 7,537
 26,679
 20,657
Total revenue 50,521
 40,339
 143,209
 112,403
Cost of revenue:        
Products 6,888
 3,415
 17,155
 8,700
Maintenance and support 1,739
 1,801
 5,467
 5,240
Professional services 5,740
 4,822
 17,088
 14,103
Total cost of revenue 14,367
 10,038
 39,710
 28,043
Total gross profit 36,154
 30,301
 103,499
 84,360
Operating expenses:        
Research and development 13,570
 11,616
 36,836
 36,890
Sales and marketing 28,224
 21,284
 80,166
 65,732
General and administrative 7,402
 7,605
 21,906
 20,842
Total operating expenses 49,196
 40,505
 138,908
 123,464
Loss from operations (13,042) (10,204) (35,409) (39,104)
Other income (expense), net:        
Interest income (expense), net 198
 44
 585
 55
Other income (expense), net 235
 36
 349
 184
Loss before income taxes (12,609) (10,124) (34,475) (38,865)
Provision for (benefit from) income taxes (2,325) 70
 (2,009) 361
Net loss $(10,284) $(10,194) $(32,466) $(39,226)
Net loss per share, basic and diluted $(0.24) $(0.25) $(0.76) $(0.96)
Weighted-average common shares outstanding, basic and diluted 43,279,025
 41,482,173
 42,693,212
 41,033,080
 Three Months Ended March 31,
 20222021
Revenue:
Products$149,025 $109,285 
Professional services8,359 8,166 
Total revenue157,384 117,451 
Cost of revenue:
Products43,472 29,650 
Professional services7,817 6,639 
Total cost of revenue51,289 36,289 
Total gross profit106,095 81,162 
Operating expenses:
Research and development49,812 33,080 
Sales and marketing75,146 54,978 
General and administrative21,516 16,220 
Total operating expenses146,474 104,278 
Loss from operations(40,379)(23,116)
Other income (expense), net:
Interest income112 96 
Interest expense(2,693)(5,394)
Other income (expense), net(603)(1,068)
Loss before income taxes(43,563)(29,482)
Provision for income taxes1,436 363 
Net loss$(44,999)$(29,845)
Net loss per share, basic and diluted$(0.78)$(0.56)
Weighted-average common shares outstanding, basic and diluted57,724,821 52,904,881 
The accompanying notes are an integral part of these unaudited consolidated financial statements.



2

Table of Contents
RAPID7, INC.
Consolidated Statements of Comprehensive Loss (Unaudited)
(in thousands)

 Three Months Ended March 31,
 20222021
Net loss$(44,999)$(29,845)
Other comprehensive income (loss):
Change in fair value of cash flow hedges(898)(129)
Adjustments for net gains (losses) realized and included in net loss316 (204)
Total change in unrealized losses on cash flow hedges(582)(333)
Change in unrealized (losses) gains on investments(658)(9)
Total other comprehensive loss(1,240)(342)
Comprehensive loss$(46,239)$(30,187)
  Three Months Ended September 30, Nine Months Ended September 30,
  2017 2016 2017 2016
         
Net loss $(10,284) $(10,194) $(32,466) $(39,226)
Other comprehensive loss:        
Change in fair value of investments 23
 
 (7) 
Adjustment for net losses realized and included in net loss 
 
 3
 
Total change in unrealized losses on investments 23
 
 (4) 
Comprehensive loss $(10,261) $(10,194) $(32,470) $(39,226)


The accompanying notes are an integral part of these unaudited consolidated financial statements.





3

Table of Contents
RAPID7, INC.
Consolidated Statements of Cash FlowsChanges in Stockholders' Equity (Deficit) (Unaudited)
(in thousands)
 Common stockTreasury stockAdditional
paid-in-capital
Accumulated
other
comprehensive
gain (loss)
Accumulated
deficit
Total
stockholders’
(deficit)
 SharesAmountSharesAmount
Balance, December 31, 202157,695 $577 487 $(4,764)$615,032 $(812)$(736,028)$(125,995)
Stock-based compensation expense— — — — 32,475 — — 32,475 
Issuance of common stock under employee stock purchase plan81 — — 5,709 — — 5,710 
Vesting of restricted stock units402 — — (4)— — — 
Shares withheld for employee taxes(35)(1)— — (3,460)— — (3,461)
Issuance of common stock upon exercise of stock options99 — — 958 — — 959 
Other comprehensive loss— — — — — (1,240)— (1,240)
Net loss— — — — — — (44,999)(44,999)
Balance, March 31, 202258,242 $582 487 $(4,764)$650,710 $(2,052)$(781,027)$(136,551)
  Nine Months Ended September 30,
  2017 2016
Cash flows from operating activities:    
Net loss $(32,466) $(39,226)
Adjustments to reconcile net loss to net cash provided by operating activities:    
Depreciation and amortization 5,304
 5,330
Stock-based compensation expense 14,738
 13,337
Provision for doubtful accounts 509
 504
Deferred income taxes (2,632) 
Foreign currency re-measurement gain (410) (166)
Other non-cash expenses 214
 168
Changes in operating assets and liabilities:    
Accounts receivable 130
 5,134
Prepaid expenses and other assets 601
 (1,076)
Accounts payable (322) 549
Accrued expenses 803
 (1,607)
Deferred revenue 19,580
 18,948
Other liabilities (965) 166
Net cash provided by operating activities 5,084
 2,061
Cash flows from investing activities:    
Business acquisition, net of cash acquired (14,717) 
Purchases of property and equipment (3,506) (3,307)
Capitalization of internal-use software costs (756) 
Purchases of investments (21,684) 
Sale and maturities of investments 24,522
 
Net cash used in investing activities (16,141) (3,307)
Cash flows from financing activities:    
Deferred business acquisition payment (796) 
Payments of capital lease obligations 
 (68)
Taxes paid related to net share settlement of equity awards (468) (3,826)
Proceeds from employee stock purchase plan 2,914
 3,724
Proceeds from stock option exercises 4,995
 2,518
Net cash provided by financing activities 6,645
 2,348
Effect of exchange rate changes on cash and cash equivalents 319
 60
Net (decrease) increase in cash and cash equivalents (4,093) 1,162
Cash and cash equivalents, beginning of period 53,148
 86,553
Cash and cash equivalents, end of period $49,055
 $87,715
Supplemental cash flow information:    
Cash paid for income taxes $759
 $480
Cash paid for interest $
 $1
 Common stockTreasury stockAdditional
paid-in-capital
Accumulated
other
comprehensive
gain (loss)
Accumulated
deficit
Total
stockholders’
equity (deficit)
 SharesAmountSharesAmount
Balance, December 31, 202052,225 $522 487 $(4,764)$692,603 $454 $(617,279)$71,536 
Stock-based compensation expense— — — — 22,284 — — 22,284 
Issuance of common stock under employee stock purchase plan148 — — 4,466 — — 4,467 
Vesting of restricted stock units374 — — (4)— — — 
Shares withheld for employee taxes(38)— — — (3,324)— — (3,324)
Issuance of common stock upon exercise of stock options170 — — 1,416 — — 1,418 
Purchase of capped calls related to convertible senior notes— — — — (76,020)— — (76,020)
Issuance of common stock in connection with repurchase of convertible senior notes2,177 22 — — (2,720)— — (2,698)
Issuance of common stock in connection with inducement of convertible senior notes35 — — — 2,740 — — 2,740 
Cumulative-effect adjustment for the adoption of ASU 2020-06— — — — (99,026)— 27,585 (71,441)
Other comprehensive loss— — — — — (342)— (342)
Net loss— — — — — — (29,845)(29,845)
Balance, March 31, 202155,091 $551 487 $(4,764)$542,415 $112 $(619,539)$(81,225)

The accompanying notes are an integral part of these unaudited consolidated financial statements.

4

Table of Contents
RAPID7, INC.
Consolidated Statements of Cash Flows (Unaudited)
(in thousands)
 Three Months Ended March 31,
 20222021
Cash flows from operating activities:
Net loss$(44,999)$(29,845)
Adjustments to reconcile net loss to net cash provided by operating activities:
Depreciation and amortization10,169 6,740 
Amortization of debt issuance costs979 658 
Stock-based compensation expense28,922 20,862 
Induced conversion expense— 2,740 
Other526 1,404 
Changes in operating assets and liabilities:
Accounts receivable36,327 34,414 
Deferred contract acquisition and fulfillment costs(2,939)(1,956)
Prepaid expenses and other assets(6,556)(136)
Accounts payable8,673 550 
Accrued expenses(24,048)(15,429)
Deferred revenue3,830 987 
Other liabilities(481)(394)
Net cash provided by operating activities10,403 20,595 
Cash flows from investing activities:
Business acquisition, net of cash acquired— (49,720)
Purchases of property and equipment(3,053)(972)
Capitalization of internal-use software costs(3,522)(1,758)
Purchases of investments(32,136)(6,394)
Sales/maturities of investments2,800 41,900 
Other investments— (1,500)
Net cash used in investing activities(35,911)(18,444)
Cash flows from financing activities:
Proceeds from issuance of convertible senior notes, net of issuance costs paid of $12,900 for the three months ended March 31, 2021— 587,100 
Purchase of capped calls related to convertible senior notes— (76,020)
Payments for repurchase and conversion of convertible senior notes— (182,647)
Payments related to business acquisitions— (2,431)
Taxes paid related to net share settlement of equity awards(3,461)(3,324)
Proceeds from employee stock purchase plan5,710 4,467 
Proceeds from stock option exercises959 1,427 
Net cash provided by financing activities3,208 328,572 
Effect of exchange rate changes on cash, cash equivalents and restricted cash(800)(500)
Net (decrease) increase in cash, cash equivalents and restricted cash(23,100)330,223 
Cash, cash equivalents and restricted cash, beginning of period165,017 173,617 
Cash, cash equivalents and restricted cash, end of period$141,917 $503,840 
Supplemental cash flow information:
Cash paid for interest on convertible senior notes$750 $1,438 
Cash paid for income taxes, net of refunds$15 $64 
Reconciliation of cash, cash equivalents and restricted cash:
Cash and cash equivalents$141,365 $503,804 
Restricted cash included in prepaid expenses and other assets552 $36 
Total cash, cash equivalents and restricted cash$141,917 $503,840 
The accompanying notes are an integral part of these unaudited consolidated financial statements.
5

Table of Contents
RAPID7, INC.
Notes to Consolidated Financial Statements (Unaudited)
Note 1. Description of Business, Basis of Presentation and Consolidation and Significant Accounting Policies
Description of Business
Rapid7, Inc. and subsidiaries (“we,” “us” or “our”) is a leading provider ofare advancing security with visibility, analytics, and automation delivered through our Insight Platform. Our solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for securitymalicious behavior, investigate and IT operations solutions that enable organizations to implement an active, analytics-driven approach to cyber securityshut down attacks, and IT operations.automate routine tasks.
Basis of Presentation and Consolidation
The accompanying unaudited consolidated financial statements have been prepared by us in accordance with accounting principles generally accepted in the United States of America (GAAP)(“GAAP”), as well as pursuant to the rules and regulations of the Securities and Exchange Commission (SEC)(“SEC”), regarding interim financial reporting. Accordingly, certain information and note disclosures normally included in the financial statements prepared in accordance with GAAP have been condensed or omitted pursuant to such rules and regulations. These consolidated financial statements should be read in conjunction with the consolidated financial statements and related notes included in our Annual Report on Form 10-K for the year ended December 31, 20162021 filed with the SEC on March 9, 2017.February 24, 2022.
The consolidated financial statements include our results of operations and those of our wholly-owned subsidiaries and reflect all adjustments (consisting solely of normal, recurring adjustments) which are, in the opinion of management, necessary for a fair statement of results for the interim periods presented. All intercompany transactions and balances have been eliminated in consolidation. The results of operations for the three and nine months ended September 30, 2017March 31, 2022 are not necessarily indicative of the results to be expected for any future period or the entire fiscal year.

Use of Estimates
The preparation of consolidated financial statements in conformity with GAAP requires management to make estimates, judgments and assumptions that affect the amounts reported in the consolidated financial statements and accompanying notes. The management estimates include, but are not limited to the determination of the estimated economic life of perpetual licenses for revenue recognition, the determination of standalone selling prices in revenue transactions with multiple performance obligations, the estimated period of benefit for deferred contract acquisition and fulfillment costs, the useful lives and recoverability of long-lived assets, the valuation for credit losses, the valuation of stock-based compensation, the fair value of assets acquired and liabilities assumed in business combinations, the incremental borrowing rate for operating leases and the valuation for deferred tax assets. We base our estimates on historical experience and on various other assumptions that we believe are reasonable. Actual results could differ from those estimates.
The COVID-19 pandemic has resulted in a sustained global slowdown of economic activity that has decreased demand for a broad variety of goods and services, including from our customers. While we have not experienced significant disruptions from the COVID-19 pandemic during the three months ended March 31, 2022, we are unable to accurately predict the extent to which the ongoing COVID-19 pandemic may impact our business, results of operations and financial condition going forward. Estimates and assumptions about future events and their effects cannot be determined with certainty and therefore require the exercise of judgment. As of the date of issuance of these financial statements, we are not aware of any specific event or circumstance that would require us to update our estimates, assumptions and judgments or revise the carrying value of our assets or liabilities. These estimates may change as new events occur and additional information is obtained and will be recognized in the consolidated financial statements as soon as they become known. Actual results could differ from those estimates and any such differences may be material to our financial statements.
Significant Accounting Policies

There have been no significant changes to ourOur significant accounting policies asare described in Note 2, Summary of and for the three and nine months ended September 30, 2017, as comparedSignificant Accounting Policies, to the significant accounting policies describedconsolidated financial statements included in our Annual Report on Form 10-K for the year ended December 31, 2016.2021. There have been no changes to the significant accounting policies during the three-month period ended March 31, 2022.
6

Table of Contents
Recent Accounting Pronouncements

Accounting Pronouncements Recently Adopted
In May 2017, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2017-09, Compensation-Stock Compensation (Topic 718): Scope of Modification Accounting, clarifying when a change to the terms or conditions of a share-based payment award must be accounted for as a modification. The ASU requires modification accounting if the fair value, vesting condition or the classification of the award is not the same immediately before and after a change to the terms and conditions of the award. The ASU will be effective for us on a prospective basis beginning on January 1, 2018, with early adoption permitted. This ASU is not expected to have an impact on our consolidated financial statements.
In October 2016,2021, the FASB issued ASU 2016-16, Income Taxes2021-08, Business Combinations (Topic 740)805): Intra-Entity Transfers ofAccounting for Contract Assets Other Than Inventory. The ASU is intended to improveand Contract Liabilities from Contracts with Customers, which clarified the accounting for the income tax consequences of intra-entity transfers ofacquired revenue contracts with customers in a business combination. ASU 2021-08 requires acquirers to measure contract assets other than inventory. Current GAAP prohibits the recognition of current and deferred income taxes for an intra-entity asset transfer until the asset has been sold to an outside party. The ASU will allow an entity to recognize the income tax consequences of these transfers when the transfers occur. The ASU will be effective for uscontract liabilities acquired in the first quarter of 2018. We are currently evaluating the impact that the adoption of this ASU will have on our consolidated financial statements.
In March 2016, the FASB issued ASU 2016-09, Compensation-Stock Compensation (Topic 718): Improvements to Employee Share-Based Payment Accounting. The ASU is intended to simplify several aspects of the accounting for share-based payment transactions, including the accounting for income taxes, forfeitures and statutory tax withholding requirements, as well as classification on the statement of cash flows. We adopted this ASU on January 1, 2017 and asa business combination in accordance with ASC 606. As a result, we have madeit is generally expected that an accounting policy election to account for forfeitures as they occur. This change has been applied on a modified retrospective basis, resulting in a cumulative-effect adjustment to increase accumulated deficit by $0.1 million as of January 1, 2017. The adoption of this ASU also requires excess tax benefitsacquirer will recognize and tax deficiencies be recorded in the income statement as opposed to additional paid-in capital when the awards vest or are settled, and has been applied on a prospective basis. In connection with the adoption of this ASU, we recorded a cumulative-effect adjustment as of January 1, 2017 to increase gross deferred tax assets and the related valuation allowance against deferred tax assets by $3.4 million. The provisions related to classification of excess tax benefits in the statement of cash flows were adopted prospectively, and as such, the prior periods were not retrospectively adjusted.

In February 2016, the FASB issued ASU 2016-02, Leases (Topic 842). The ASU requires companies to recognize on the balance sheet themeasure contract assets and liabilities forin a manner consistent with how they were recognized by the rights and obligations created by leased assets. The ASU will beacquiree in its preacquisition financial statements. This standard is effective for us in the first quarter of 2019,interim and annual periods beginning after December 15, 2022, with early adoption permitted. We are currently evaluatingearly adopted this standard on January 1, 2022. This guidance will be applied prospectively to all business combinations that occur on or after January 1, 2022.
Accounting Pronouncements Not Yet Effective
In March 2020, the FASB issued ASU 2020-04, Reference Rate Reform (Topic 848): Facilitation of the Effects of Reference Rate Reform on Financial Reporting, which provides temporary optional expedients and exceptions to GAAP guidance on contract modifications to ease the financial reporting burdens related to the expected market transition from the London Interbank Offered Rate (LIBOR) to alternative reference rates. We may elect to apply the amendments prospectively through December 31, 2022. The impact thatto our consolidated financial statements from the adoption of this ASU will have on our consolidated financial statements.standard is expected to be immaterial.
In May 2014, the FASB issued ASU 2014-09,
Note 2. Revenue from Contracts with Customers (Topic 606).
We generate revenue primarily from: (1) subscriptions from the sale of cloud-based subscriptions, managed services, term software licenses, content subscriptions and maintenance and support associated with our software licenses, (2) perpetual software licenses, and (3) professional services from the sale of our deployment and training services related to our solutions, incident response services, penetration testing and security advisory services.
The ASU outlines a single, comprehensive model for accounting forfollowing table summarizes revenue from contracts with customers for the three months ended March 31, 2022 and requires more detailed disclosure to enable users of financial statements to understand the nature, amount, timing and uncertainty2021:
Three Months Ended March 31,
20222021
(in thousands)
Subscriptions$147,467 $107,167 
Perpetual software licenses1,361 2,114 
Professional services8,359 8,166 
Other197 
Total revenue$157,384 $117,451 
Subscriptions
Subscriptions consists of revenue from our cloud-based subscription, managed services offerings, term software licenses, content subscriptions and cash flows arisingmaintenance and support associated with our software licenses.
We generate cloud-based subscription revenue primarily from such contracts. In August 2015,sales of subscriptions to access our cloud platform, together with related support services to our customers. These arrangements do not provide the FASB issued ASU 2015-14,customer with the right to take possession of our software operating on our cloud platform at any time. Instead, customers are granted continuous access to our cloud platform over the contractual period. Revenue is recognized over time on a ratable basis over the contract term beginning on the date that our service is made available to the customer. Our cloud-based subscription contracts generally have annual or multi-year contractual terms which provides a one-year deferralare billed in the effective date of ASU 2014-09. ASU 2014-09 will now be effective for us beginning January 1, 2018; however, early adoption will be permitted asadvance of the original effective date. We plan to adopt ASU 2014-09 in the first quarterannual subscription period and are non-cancellable.
Managed services offerings consist of 2018fees generated when we operate our software and expect to adoptprovide our capabilities on behalf of our customers. Revenue is recognized on a modified retrospective basis. Under this method of adoption, we would recognizeratable basis over the cumulative effect of initially applyingcontract term beginning on the standard as an adjustmentdate that our service is made available to the opening balancecustomer. Our managed services offerings generally have annual or multi-year contractual terms which are billed in advance of retained earnings in the annual subscription period of initial application. Comparative prior year periods would not be adjusted.and are non-cancellable.
We are currently evaluating the potential impact of this standard on our financial position and results of operations. Based on our analysis performed to date, we expect recognition of total revenue related toFor our term software licenses managed services, cloud-based subscriptions and stand-alone professional services to remain substantially unchanged. We expect that revenue relatedwhere the utility to the salecustomer is dependent on the continued delivery of content subscriptions, we recognize the license revenue over the contractual term of the content subscription. For our AppSpider perpetualterm software licenses will be recognized at the time of license delivery because software licenseswhich are not dependent on the continued delivery of content subscriptions. We currentlysubscriptions, the license is considered
7

Table of Contents
distinct from the maintenance and support, and we therefore recognize revenue attributable to the license at the time of delivery.
Content subscriptions and our maintenance and support services are sold with our perpetual and term software licenses. Revenue related to our content subscriptions associated with our software licenses is recognized ratably over the sale ofcontractual period. Maintenance and support services are distinct from the perpetual and term software license and revenue attributable to maintenance and support services is recognized ratably over the contractual period.
Perpetual Software Licenses
For our AppSpider perpetual software licenses overwhere the contractual period of maintenance and support dueutility to the lackcustomer is dependent on the continued delivery of vendor-specific objective evidence (VSOE) of selling price of the maintenance and support. We expect that revenue related to the sale of our Nexpose and Metasploit perpetual software licenses will be combined with their related content subscriptions, as a single performance obligation when our contracts containthe content subscription renewal options result in a material right with respect to renewal options.the perpetual software license. As a result, we expect to recognize the revenue relatedattributable to the sale of Nexpose and Metasploit perpetual software licenseslicense is recognized ratably over the customer'scustomer’s estimated economic life rather than overof five years, which represents a longer period of time in comparison to the initial contractual period of maintenance and support. The estimated economic life of five years represents the period which the customer is expected to benefit from the material right. We estimated this period of benefit by taking into consideration several factors, including the terms and conditions of our customer contracts and renewals and the expected useful life of our technology.
In addition, under the new standard, forFor our perpetual software licenses thatwhich are sold with professional services in a multiple-element arrangement,not dependent on the professional services will likely represent a separate performance obligation and we will recognize revenue associated withcontinued delivery of content subscriptions, the professional services as such services are performed. Revenue associated with professional services in a multiple-element arrangementlicense is currently recognized ratably overconsidered distinct from the related contractual period of maintenance and support, (typically one to three years) dueand we therefore recognize revenue attributable to the lacklicense at the time of VSOEdelivery.
Professional Services
All of sellingour professional services are considered distinct performance obligations when sold stand alone or with other products. These contracts generally have terms of one year or less. For the majority of these contracts, revenue is recognized over time based upon the proportion of work performed to date.
Contracts with Multiple Performance Obligations
If the contract contains a single performance obligation, the entire transaction price is allocated to the single performance obligation. The majority of our contracts with customers contain multiple performance obligations. For these contracts, we account for individual performance obligations separately if they are distinct. The transaction price is allocated to the contractual elements. In addition, under the new standard, we expect the allocation of contract consideration for multiple-element arrangements to beseparate performance obligations on a relative fair valuestandalone selling price (“SSP”) basis. We determine SSP of our products and services based on our overall pricing objectives using all information reasonably available to us, taking into consideration market conditions and other factors, including the geographic locations of our customers, negotiated discounts from price lists and selling method (i.e., partner or direct). When available, we use directly observable stand-alone transactions to determine SSP. When not regularly sold on a stand-alone basis, which may impact bothwe estimate SSP for our products and services utilizing historical sales data, including discounts from list price. The historical data is aggregated and analyzed by geographic location and selling method to establish a median or average price. Once SSP is established it is applied consistently to all transactions including that product or service utilizing a portfolio approach.
Contract Balances
Contract liabilities consist of deferred revenue and include payments received in advance of performance under the timingcontract. Such amounts are recognized as revenue over the contractual period consistent with the above methodology. For the three months ended March 31, 2022 and 2021, we recognized revenue of income recognition$137.3 million and $101.9 million, respectively, that was included in the corresponding contract liability balance at the beginning of the periods presented. Deferred revenue that will be realized during the succeeding 12-month period is recorded as current, and the presentationremaining deferred revenue is recorded as non-current.
We receive payments from customers based upon contractual billing schedules. Accounts receivable are recorded when the right to consideration becomes unconditional. Unbilled receivables include amounts related to our contractual right to consideration for both completed and partially completed performance obligations that have not been invoiced. If the right to consideration is based on satisfaction of revenue by class.
Further, underanother performance obligation in the new standard,contract other than the passage of time, we expect to capitalize certain direct and incremental commission costs to obtainrecord a contract asset. As of March 31, 2022 and amortize such costs overDecember 31, 2021, unbilled receivables of $1.1 million and $1.2 million, respectively, are included in prepaid expenses and other current assets in our consolidated balance sheet. As of March 31, 2022 and December 31, 2021, we had no contract assets recorded on our consolidated balance sheet.
8

Table of Contents
Transaction price allocated to the customer'sremaining performance obligations
The following table includes estimated economic life rather than expensing them as incurredrevenue expected to be recognized in the periodfuture related to performance obligations that the commissions are earned by our employees (which is typically upon signingunsatisfied or partially unsatisfied as of an arrangement).March 31, 2022. The estimated revenues do not include unexercised contract renewals.
Next Twelve MonthsThereafter
 (in thousands)
Subscriptions$409,985 $127,809 
Perpetual software licenses2,522 405 
Professional services15,603 1,651 
Total$428,110 $129,865 
Note 2. Fair Value Measurements3. Business Combinations
We measure certain financial assetsIntSights
On July 16, 2021, we acquired IntSights Cyber Intelligence Ltd. (“IntSights”), a provider of contextualized external threat intelligence and liabilities at fair value. Fair value is determined based upon the exitproactive threat remediation, for a purchase price that would be received to sellwith an asset or paid to transfer a liability in an orderly transaction between market participants, as determined by either the principal market or the most advantageous market. Inputs used in the valuation techniques to derive fair values are classified based on a three-level hierarchy, as follows:
Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets.
Level 2: Observable inputs other than Level 1 prices such as quoted prices for similar assets or liabilities; quoted prices in markets with insufficient volume or infrequent transactions (less active markets); or model-derived valuations in which all significant inputs are observable or can be derived principally from or corroborated by observable market data for substantially the full term of the assets or liabilities.
Level 3: Unobservable inputs that are supported by little or no market activity and that are significant to theaggregate fair value of $322.3 million. The purchase consideration consisted of $319.2 million in cash paid at closing, $3.4 million in deferred cash payments and a $0.3 million receivable for purchase price adjustments. The deferred cash payments will be held by us to satisfy indemnification obligations payable within eighteen months of the asset or liability.acquisition date.
We consider an active marketThe assets acquired and liabilities assumed were recorded at their estimated fair values as of the acquisition date. The excess of the purchase price over the assets acquired and liabilities assumed was recorded as goodwill. The fair value of net assets acquired, goodwill and intangible assets were $61.3 million, $260.9 million and $65.2 million, respectively. These preliminary amounts are subject to be one in which transactionssubsequent adjustment as we obtain additional information to finalize certain components of working capital and deferred income taxes. The goodwill was allocated to our 1 reporting unit. The acquired goodwill and intangible assets were not deductible for tax purposes.
Our revenue and net loss attributable to the IntSights business for the asset or liability occur with sufficient frequencythree months ended March 31, 2022 was $6.9 million and volume$10.9 million, respectively.
Pro Forma Financial Information
The unaudited pro forma financial information in the table below summarizes the combined results of our operations and IntSights, on a pro forma basis, as though we had acquired IntSights on January 1, 2020. The unaudited pro forma financial information for all periods presented also includes the effects of business combination accounting resulting from the acquisition, including an adjustment to provide pricing information on an ongoing basis, and consider an inactive market to be one in which there are infrequent or few transactionsrevenue for the deferred revenue fair value adjustment, amortization expense from acquired intangibles assets, reversal of acquisition-related expenses and the stock-compensation expense recorded to retain certain employees.
Three Months Ended March 31, 2021
(in thousands)
Revenue$123,430 
Net loss(41,020)
Velocidex Enterprises Pty Ltd
On April 12, 2021, we acquired Velocidex Enterprises Pty Ltd (“Velocidex”), a leading open-source technology and community used for endpoint monitoring, digital forensics, and incident response. The purchase price consisted of $2.7 million paid in cash and $0.3 million in deferred cash payments. The purchase price was allocated to developed technology intangible asset or liability, the prices are not current, or price quotations vary substantially either over time or among market makers.which has an estimated useful life of 6 years.

Alcide.IO Ltd.
On January 28, 2021, we acquired Alcide.IO Ltd. (“Alcide”), a leading provider of Kubernetes security, for a purchase consideration of $50.5 million, which was funded in cash.
9

Table of Contents
The following table presents our financial assets acquired and liabilities measured andassumed were recorded at their estimated fair values as of the acquisition date. The excess of the purchase price over the assets acquired and liabilities assumed was recorded as goodwill. The fair value on a recurring basis using the above input categories:of net assets acquired, goodwill and intangible assets were $(0.7) million, $40.8 million and $10.4 million, respectively. The goodwill was allocated to our 1 reporting unit. The acquired goodwill and intangible asset were not deductible for tax purposes.
  As of September 30, 2017
  Level 1 Level 2 Level 3 Total
  (in thousands)
Description:        
Assets:        
Money market funds $3,076
 $
 $
 $3,076
U.S. government agencies 12,478
 
 
 12,478
Commercial paper 
 6,729
 
 6,729
Corporate bonds 
 15,455
 
 15,455
Asset-backed securities 
 2,522
 
 2,522
Total assets $15,554
 $24,706
 $
 $40,260

  As of December 31, 2016
  Level 1 Level 2 Level 3 Total
  (in thousands)
Description:        
Assets:        
Money market funds $10,085
 $
 $
 $10,085
U.S. government agencies 14,982
 
 
 14,982
Commercial paper 
 8,078
 
 8,078
Corporate bonds 
 10,314
 
 10,314
Asset-backed securities 
 6,467
 
 6,467
Total assets $25,067
 $24,859
 $
 $49,926
We had no liabilities measured and recorded at fair value on a recurring basis as of September 30, 2017 or December 31, 2016.Note 4. Investments
Our investments, which are all classified as available-for-sale, consisted of the following:
 As of March 31, 2022
 Amortized CostGross Unrealized GainsGross Unrealized LossesFair Value
 (in thousands)
Description:
U.S. government agencies$51,912 $— $(433)$51,479 
Commercial paper34,997 — — 34,997 
Corporate bonds34,513 — (270)34,243 
Agency bonds$750 $— $(19)$731 
Total$122,172 $— $(722)$121,450 
 As of September 30, 2017 As of December 31, 2021
 Amortized Cost Gross Unrealized Gains Gross Unrealized Losses Fair Value Amortized CostGross Unrealized GainsGross Unrealized LossesFair Value
 (in thousands) (in thousands)
Description:        Description:
U.S. government agencies $12,494
 $
 $(16) $12,478
Commercial paper 6,729
 
 
 6,729
Commercial paper$37,778 $— $— $37,778 
Corporate bonds 15,463
 
 (8) 15,455
Corporate bonds32,059 — (32)32,027 
Asset-backed securities 2,521
 1
 
 2,522
Total assets $37,207
 $1
 $(24) $37,184
U.S government agenciesU.S government agencies22,396 — (31)22,365 
Agency bondsAgency bonds749 — (1)748 
TotalTotal$92,982 $— $(64)$92,918 
OurAs of March 31, 2022, our available-for-sale investments ashad maturities ranging from 1 to 20 months. As of September 30, 2017 includes $1.2 million of commercial paperDecember 31, 2021, our available-for-sale investments which are classified as cash and cash equivalents as the original maturity was less than threehad maturities ranging from 2 to 23 months.

  As of December 31, 2016
  Amortized Cost Gross Unrealized Gains Gross Unrealized Losses Fair Value
  (in thousands)
Description:        
U.S. government agencies $14,992
 $3
 $(13) $14,982
Commercial paper 7,178
 
 
 7,178
Corporate bonds 10,326
 1
 (13) 10,314
Asset-backed securities 6,464
 4
 (1) 6,467
Total assets $38,960
 $8
 $(27) $38,941
For all of our investments for which the amortized cost basis was greater than the fair value at September 30, 2017March 31, 2022 and December 31, 2016,2021, we have concluded that there is no plan to sell the security nor is it more likely than not that we would be required to sell the security before its anticipated recovery.maturity. In making the determination as to whether the unrealized loss is other-than-temporary, we considered the length of time and extent the investment has been in an unrealized loss position, the financial condition and near-term prospects of the issuers, the issuers’ credit rating and the time to maturity.

Note 3. Business Combination5. Fair Value Measurements
On July 12, 2017, we acquired Komand, Inc. (Komand),We measure certain financial assets and liabilities at fair value. Fair value is determined based upon the exit price that would be received to sell an asset or paid to transfer a security orchestrationliability in an orderly transaction between market participants, as determined by either the principal market or the most advantageous market. Inputs used in the valuation techniques to derive fair values are classified based on a three-level hierarchy, as follows:
Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets.
Level 2: Observable inputs other than Level 1 prices such as quoted prices for similar assets or liabilities; quoted prices in markets with insufficient volume or infrequent transactions (less active markets); or model-derived valuations in which all significant inputs are observable or can be derived principally from or corroborated by observable market data for substantially the full term of the assets or liabilities.
Level 3: Unobservable inputs that are supported by little or no market activity and automation company based in Boston, Massachusetts for total cash consideration of $14.8 million. We expensed the related acquisition costs of $0.2 million in general and administrative expense.
The following table summarizes the cash consideration paid for Komand and the preliminary allocation of purchase pricethat are significant to the estimated fair value of the asset or liability.
We consider an active market to be one in which transactions for the asset or liability occur with sufficient frequency and volume to provide pricing information on an ongoing basis, and we consider an inactive market to be one in which there are
10

Table of Contents
infrequent or few transactions for the asset or liability, the prices are not current, or price quotations vary substantially either over time or among market makers.
The following table presents our financial assets acquired and liabilities assumedmeasured and recorded at fair value on a recurring basis using the acquisition date (in thousands):
above input categories:
Cash consideration$14,781
  
Recognized amount of identifiable assets acquired and liabilities assumed: 
Net working capital(27)
Deferred tax liability(2,632)
Intangible assets9,380
Total identifiable net assets assumed6,721
Goodwill8,060
Total purchase price allocation$14,781
 As of March 31, 2022
 Level 1Level 2Level 3Total
 (in thousands)
Description:
Assets:
Money market funds$49,136 $— $— $49,136 
U.S. Government agencies51,479 — — 51,479 
Commercial paper— 34,997 — 34,997 
Corporate bonds— 34,243 — 34,243 
Agency bonds— 731 — 731 
Foreign currency forward contracts designated as cash flow hedges (prepaid expenses and other current assets)— 13 — 13 
Total$100,615 $69,984 $— $170,599 
Liabilities:
Foreign currency forward contracts designated as cash flow hedges (other current liabilities and other liabilities)$— $1,345 $— $1,345 
Total$— $1,345 $— $1,345 
The
 As of December 31, 2021
 Level 1Level 2Level 3Total
 (in thousands)
Description:
Assets:
Money market funds$86,835 $— $— $86,835 
Commercial paper— 37,778 — 37,778 
Corporate bonds— 32,027 — 32,027 
U.S. Government agencies22,365 — — 22,365 
Agency bonds— 748 — 748 
Foreign currency forward contracts designated as cash flow hedges (prepaid expenses and other current assets)— 73 — 73 
Total assets$109,200 $70,626 $— $179,826 
Liabilities:
Foreign currency forward contracts designated as cash flow hedges (other current liabilities and other liabilities)$— $843 $— $843 
Total liabilities$— $843 $— $843 
As of March 31, 2022, the fair value of identifiable intangible assets wereour 2.25% and 0.25% convertible senior notes due 2025 and 2027, as further described in Note 10, Debt, was $435.1 million and $669.7 million, respectively, based on valuations using a combinationupon quoted market prices. We consider the fair value of the income and cost approach. The estimated fair value and useful life of identifiable intangible assets are as follows:
 Amount Weighted Average Amortization Life (years)
 (in thousands)  
Developed technology$9,380
 5
Identifiable intangible assets$9,380
  
The excessNotes to be a Level 2 measurement due to limited trading activity of the purchase price over the tangible assets acquired, identifiable intangible asset acquired and assumed liabilities was recorded as goodwill. We believe that the amountNotes.
11

Table of goodwill reflects the expected synergistic benefits of being able to leverage the integration of our existing product offerings and services with the products and technology acquired in connection with our acquisition of Komand and to be able to successfully market and sell these new products to our customer base. The goodwill was allocated to our one reporting unit. The acquired goodwill and intangible asset will not be deductible for tax purposes. Accordingly, a $2.6 million deferred tax benefit was recorded during the three months ended September 30, 2017 resulting from a partial release of our valuation allowance to account for the creation of a deferred tax liability for the developed technology intangible asset acquired which is not deductible for tax purposes.Contents
These preliminary amounts are subject to subsequent adjustment as we obtain additional information to finalize certain components of working capital.

Following the acquisition, certain retained employees of Komand (i) received an aggregate of 295,600 restricted stock units which will vest over four years and (ii) shall be eligible for an aggregate of up to $5.0 million of incentive payments contingent on achievement of certain milestones within four years of the acquisition date. The vesting of the restricted stock units and eligibility to receive the incentive payments are each subject to the employee's continued service with us. Accordingly, compensation expense associated with the restricted stock units and incentive payments will be expensed as incurred in our post-acquisition financial statements.
Proforma results of operations have not been included, as the acquisition of Komand was not material to our results of operations for any periods presented.

Note 4.6. Property and Equipment
Property and equipment are recorded at cost and consist of the following:
 As of
September 30, 2017
 As of
December 31, 2016
As of March 31, 2022As of December 31, 2021
 (in thousands) (in thousands)
Computer equipment and software $15,024
 $12,844
Computer equipment and software$21,818 $19,879 
Furniture and fixtures 3,629
 3,131
Furniture and fixtures10,629 10,360 
Leasehold improvements 8,737
 8,077
Leasehold improvements52,552 51,983 
Total 27,390
 24,052
Total84,999 82,222 
Less accumulated depreciation (19,395) (15,964)Less accumulated depreciation(35,195)(31,997)
Property and equipment, net $7,995
 $8,088
Property and equipment, net$49,804 $50,225 
Depreciation expense was $1.2$3.3 million and $1.1$3.0 million for the three months ended September 30, 2017March 31, 2022 and 2016, respectively and $3.4 million for the nine months ended September 30, 2017 and 2016.2021, respectively.
Note 5.7. Goodwill and Intangible Assets
Goodwill was $83.2 million and $75.1$515.3 million as of September 30, 2017March 31, 2022 and December 31, 2016, respectively.2021. The following table displays the changes in the gross carrying amount of goodwill:
 Amount
 (in thousands)
Balance at December 31, 2016$75,110
Komand acquisition8,060
Balance at September 30, 2017$83,170
Amount
(in thousands)
Balance at December 31, 2021$515,258 
IntSights acquisition purchase receivable adjustment75 
Balance at March 31, 2022$515,333 
The following table presents details of our intangible assets, which include acquired identifiable intangible assets and capitalized internal-use software costs:
  As of September 30, 2017 As of December 31, 2016  As of March 31, 2022As of December 31, 2021
Weighted-
Average
Life (years)
 
Gross Carrying
Amount
 
Accumulated
Amortization
 Net Book Value 
Gross Carrying
Amount
 
Accumulated
Amortization
 Net Book Value Weighted-
Average
Life (years)
Gross Carrying
Amount
Accumulated
Amortization
Net Book ValueGross Carrying
Amount
Accumulated
Amortization
Net Book Value
  (in thousands)  (in thousands)
Intangible assets subject to amortization:            Intangible assets subject to amortization:
Developed technology5.7 $20,611
 $(4,848) $15,763
 $11,231
 $(3,118) $8,113
Developed technology5.2$122,555 $(44,996)$77,559 $122,555 $(40,152)$82,403 
Customer relationships6.7 1,000
 (312) 688
 1,000
 (197) 803
Customer relationships4.512,000 (3,120)8,880 12,000 (2,436)9,564 
Trade names6.1 519
 (507) 12
 519
 (496) 23
Trade names3.12,619 (1,289)1,330 2,619 (1,094)1,525 
Non-compete agreements2.0 40
 (40) 
 40
 (33) 7
Total acquired intangible assets 22,170
 (5,707) 16,463
 12,790
 (3,844) 8,946
Total acquired intangible assets137,174 (49,405)87,769 137,174 (43,682)93,492 
Internal-use software 756
 (11) 745
 
 
 
Internal-use software3.029,378 (8,901)20,477 25,857 (7,758)18,099 
Total intangible assets $22,926
 $(5,718) $17,208
 $12,790
 $(3,844) $8,946
Total intangible assets$166,552 $(58,306)$108,246 $163,031 $(51,440)$111,591 
Amortization expense was $0.9$6.9 million and $0.8$3.7 million for the three months ended September 30, 2017March 31, 2022 and 2016, respectively, and $1.9 million for the nine months ended September 30, 2017 and 2016.2021, respectively.
12

Table of Contents
Estimated future amortization expense of the acquired identifiable intangible assets and completed capitalized internal-use software costs as of September 30, 2017 isMarch 31, 2022 was as follows (in thousands):
2017 (for the remaining three months)$970
20183,840
20193,813
20203,760
20213,208
2022 and thereafter1,095
Total$16,686

2022 (for the remaining nine months)$19,395 
202323,111 
202418,587 
202516,076 
202612,478 
2027 and thereafter5,206 
Total$94,853 
The table above excludes the impact of $0.5$13.4 million of capitalized internal-use software costs for projects that have not been completed as of September 30, 2017,March 31, 2022, and therefore, we have not determined the useful life of the software, nor have all the costs associated with these projects been incurred.
Note 8. Deferred Contract Acquisition and Fulfillment Costs
The following table summarizes the activity of the deferred contract acquisition and fulfillment costs for the three months ended March 31, 2022 and 2021:
Three Months Ended March 31,
20222021
 (in thousands)
Beginning balance$87,165 $64,639 
Capitalization of contract acquisition and fulfillment costs11,248 7,865 
Amortization of deferred contract acquisition and fulfillment costs(8,309)(5,909)
Ending balance$90,104 $66,595 

Note 9. Derivatives and Hedging Activities
To mitigate our exposure to foreign currency fluctuations resulting from certain expenses denominated in certain foreign currencies, we enter into forward contracts that are designated as cash flow hedging instruments. These forward contracts have contractual maturities of nineteen months or less, and as of March 31, 2022 and December 31, 2021, outstanding forward contracts had a total notional value of $48.2 million and $34.7 million, respectively. The notional value represents the gross amount of foreign currency that will be bought or sold upon maturity of the forward contract. During the three months ended March 31, 2022, all cash flow hedges were considered effective. Refer to Note 5, Fair Value Measurements, for the fair values of our outstanding derivative instruments.
Note 10. Debt
Convertible Senior Notes
In May 2020, we issued $230.0 million aggregate principal amount of convertible senior notes due May 1, 2025 (the “2025 Notes”) and in March 2021, we issued $600.0 million aggregate principal amount of convertible senior notes due March 15, 2027 (the “2027 Notes”) (collectively, the “Notes”). Further details of the Notes are as follows:
IssuanceMaturity DateInterest RateFirst Interest Payment DateEffective Interest RateSemi-Annual Interest Payment DatesInitial Conversion Rate per $1,000 PrincipalInitial Conversion PriceNumber of Shares (in millions)
2025 NotesMay 1, 20252.25 %November 1, 20202.88 %May 1 and November 116.3875$61.02 3.8 
2027 NotesMarch 15, 20270.25 %September 15, 20210.67 %March 15 and September 159.6734$103.38 5.8 
The 2025 Notes and the 2027 Notes are senior unsecured obligations, do not contain any financial covenants and are governed by indentures between the Company, as issuer, and U.S. Bank National Association, as trustee (the “Indentures”). The total net proceeds from the 2025 Notes and the 2027 Notes offerings, after deducting initial purchase discounts and estimated debt issuance costs, were $222.8 million and $585.0 million, respectively.
13

Table of Contents
Terms of the Notes
The holders of the Notes may convert their respective Notes at their option at any time prior to the close of business on the business day immediately preceding their respective convertible dates only under the following circumstances:
during any calendar quarter commencing after the calendar quarter ending on September 30, 2020 for the 2025 Notes and March 20, 2024 for the 2027 Notes (and only during such calendar quarter), if the last reported sale price of our common stock for at least 20 trading days (whether or not consecutive) during a period of 30 consecutive trading days ending on, and including, the last trading day of the immediately preceding calendar quarter is greater than or equal to 130% of the conversion price of the respective Notes on each applicable trading day;
during the 5 business day period after any 5 consecutive trading day period for the 2025 Notes and any 10 consecutive trading day period for the 2027 Notes (“measurement periods”) in which the trading price (as defined in the Indentures) per $1,000 principal amount of the applicable series of Notes for each trading day of the measurement period was less than 98% of the product of the last reported sale price of our common stock and the conversion rate of the respective Notes on each such trading day;
if we call any or all of the respective Notes for redemption, at any time prior to the close of business on the scheduled trading day immediately preceding the respective redemption date; or
upon the occurrence of specified corporate events (as set forth in the Indentures).
As of March 31, 2022, the conversion features of the 2025 Notes were triggered as the last reported price of our common stock was greater than or equal to 130% of the conversion prices for at least 20 trading days in the period of 30 consecutive trading days ending on, and including, the last trading day of the immediately preceding calendar quarter, and therefore the 2025 Notes were convertible, in whole or in part, at the option of the holders from April 1, 2022 through June 30, 2022.
Whether the 2025 Notes will be convertible following such period will depend on the continued satisfaction of this condition or another conversion condition in the future. Since we may elect to repay the 2025 Notes in cash, shares of our common stock, or a combination of both, we have continued to classify the 2025 Notes as long-term debt on our consolidated balance sheet as of March 31, 2022. As of March 31, 2022, the 2027 Notes are not convertible at the option of the holder.
As of March 31, 2022, an immaterial principal amount of the 2025 Notes was requested for conversion, which is expected to be settled during the quarter ended June 30, 2022. No additional conversion requests for the Notes have been received.
The holders may convert the 2025 Notes and the 2027 Notes at any time on or after November 1, 2024 and December 15, 2026, respectively, until the close of business on the second scheduled trading day immediately preceding the maturity date, regardless of the circumstances set forth above. Upon conversion, we will pay or deliver, as the case may be, cash, shares of our common stock or a combination of cash and shares of our common stock, at our election, in the manner and subject to the terms and conditions provided in the Indentures.
If we undergo a fundamental change (as set forth in the Indentures) at any time prior to the maturity date, holders of the Notes will have the right, at their option, to require us to repurchase for cash all or any portion of their Notes at a repurchase price equal to 100% of the principal amount of the Notes to be repurchased, plus accrued and unpaid interest to, but excluding, the fundamental change repurchase date. In addition, following certain corporate events that occur prior to the maturity date or following our issuance of a notice of redemption, in each case as described in the Indentures, we will increase the conversion rate for a holder of the Notes who elects to convert its Notes in connection with such a corporate event or during the related redemption period in certain circumstances.
The 2025 Notes and the 2027 Notes are redeemable after May 6, 2023 and March 20, 2024 (the “Redemption Dates”), respectively. On or after the respective Redemption Dates, we may redeem for cash all or any portion of the 2025 Notes or the 2027 Notes, at our option, if the last reported sale price of our common stock has been at least 130% of the conversion price then in effect for at least 20 trading days (whether or not consecutive) during any 30 consecutive trading day period (including the last trading day of such period) ending on, and including the trading day immediately preceding, the date on which we provide the redemption notice at a redemption price equal to 100% principal amount of the 2025 Notes or the 2027 Notes to be redeemed, plus accrued and unpaid interest to, but excluding, the redemption date.
Accounting for the Notes
In accounting for the issuance of the Notes, the principal less debt issuance costs are recorded as debt on our consolidated balance sheet. The debt issuance costs are amortized to interest expense using the effective interest method over the contractual term of the Notes.
14

Table of Contents
The net carrying amount of the Notes as of March 31, 2022 and December 31, 2021 was as follows (in thousands):
2025 Notes2027 Notes
PrincipalUnamortized debt issuance costsTotalPrincipalUnamortized debt issuance costsTotal
Net Carrying Amount at December 31, 2021$230,000 $(4,905)$225,095 $600,000 $(13,032)$586,968 
Amortization of debt issuance costs— 330 330 — 602 602 
Net Carrying Amount at March, 31, 2022$230,000 $(4,575)$225,425 $600,000 $(12,430)$587,570 
Interest expense related to the Notes was as follows (in thousands):
Three Months Ended March 31,
20222021
2025 Notes2027 NotesTotal2023 Notes2025 Notes2027 NotesTotal
Contractual interest expense$1,294 $375 $1,669 $558 $1,294 $50 $1,902 
Amortization of debt issuance costs330 602 932 221 319 80 620 
Induced conversion expense— — — 2,740 — — 2,740 
Total interest expense$1,624 $977 $2,601 $3,519 $1,613 $130 $5,262 
During the first quarter of 2021, we used a portion of the proceeds from the issuance of the 2027 Notes, together with 2.2 million shares of our common stock, to repurchase and retire $182.6 million aggregate principal amount of the 2023 Notes, and paid accrued and unpaid interest thereon. In addition, during the first quarter of 2021, holders of the 2023 Notes elected to convert Notes with a principal amount of $2.0 million. Cash was paid for the principal and the excess conversion spread was paid in 23,123 shares of our common stock. During the fourth quarter of 2021, we redeemed the remaining $45.4 million aggregate principal amount outstanding of the 2023 Notes. We paid $43.4 million in cash and issued 697,262 shares of our common stock to the holders of the 2023 Notes who submitted conversion notices, and the remaining $2.0 million of 2023 Notes were redeemed in cash, plus accrued and unpaid interest.
Capped Calls     
In connection with the offering of the 2023 Notes, the 2025 Notes and the 2027 Notes, we entered into privately negotiated capped call transactions with certain counterparties (the “2023 Capped Calls, “2025 Capped Calls” and “2027 Capped Calls”) (collectively, the “Capped Calls”).
The Capped Calls are expected to reduce potential dilution to our common stock upon conversion of a given series of notes and/or offset any cash payments that we are required to make in excess of the principal amount of converted notes of such series, as the case may be, with such reduction and/or offset subject to a cap. The Capped Calls are subject to adjustment upon the occurrence of certain specified extraordinary events affecting us, including merger events, tender offers and announcement events. In addition, the Capped Calls are subject to certain specified additional disruption events that may give rise to a termination of the Capped Calls, including nationalization, insolvency or delisting, changes in law, failures to deliver, insolvency filings and hedging disruptions.
The following table sets forth other key terms and premiums paid for the Capped Calls related to each series of Notes:
Capped Calls Entered into in Connection with the Issuance of the 2023 NotesCapped Calls Entered into in Connection with the Issuance of the 2025 NotesCapped Calls Entered into in Connection with the Issuance of the 2027 Notes
Initial strike price, subject to certain adjustments$41.59 $61.02 $103.38 
Cap price, subject to certain adjustments$63.98 $93.88 $159.04 
Total premium paid (in thousands)$26,910 $27,255 $76,020 
The 2023 Capped Calls were not redeemed with the repayment of the 2023 Notes and remain outstanding.
For accounting purposes, the 2023 Capped Calls, the 2025 Capped Calls and the 2027 Capped Calls are separate transactions, and not part of the terms of the 2023 Notes, the 2025 Notes and the 2027 Notes. The 2023 Capped Calls, the 2025 Capped Calls and the 2027 Capped Calls are recorded in stockholders' equity and are not accounted for as derivatives.
15

Table of Contents
Credit Agreement
In April 2020, we entered into a Credit and Security Agreement (the “Credit Agreement”), with KeyBank National Association that provides for a $30.0 million revolving credit facility, with a letter of credit sublimit of $15.0 million and an accordion feature under which we can increase the credit facility to up to $70.0 million. In May 2020, we utilized the accordion feature to increase the credit facility to $50.0 million.
In December 2021, we entered into an Amendment Agreement (the “Amendment”) in respect of our Credit and Security Agreement (as amended by the Amendment, the “Credit Agreement”), with KeyBank National Association, to, among other things, increase the credit facility from $50.0 million to $100.0 million and extend the maturity date to December 22, 2024. The Credit Agreement provides for a $100.0 million revolving credit facility, with a letter of credit sublimit of $15.0 million, and an accordion feature under which we can increase the credit facility to up to $150.0 million. We incurred fees of $0.4 million in connection with entering into the Credit Agreement. The fees are recorded in other current assets on the consolidated balance sheet and are amortized on a straight-line basis over the contractual term of the arrangement. The commitment fee of 0.2% per annum on the unused portion of the credit facility is expensed as incurred and included within interest expense on the consolidated statement of operations. The Credit Agreement contains certain financial covenants including a requirement that we maintain specified minimum recurring revenue and liquidity amounts.
The borrowings under the Credit Agreement bear interest, at our option, at a rate equal to either (i) term SOFR plus a credit spread adjustment of 0.10% per annum plus a margin of 2.50% per annum or (ii) the alternate base rate (subject to a floor), plus an applicable margin equal to 0% per annum.
As of March 31, 2022, we did not have any outstanding borrowings and we were in compliance with all covenants under the Credit Agreement.
As of March 31, 2022, we had a total of $9.3 million in letters of credit outstanding as collateral for certain office space leases and corporate credit card programs which reduce the amount of borrowing available under our Credit Agreement.
Note 11. Leases
Our leases primarily relate to office facilities that have remaining terms of up to 10.0 years, some of which include one or more options to renew with renewal terms of up to 5 years and some of which include options to terminate the leases within the next 5.5 years. All of our leases are classified as operating leases.
The components of lease expense were as follows:
Three Months Ended March 31,
20222021
 (in thousands)
Operating lease cost$5,013 $3,766 
Short-term lease costs391 165 
Variable lease costs2,385 1,463 
Total lease costs$7,789 $5,394 
Supplemental balance sheet information related to the operating leases was as follows:
As of March 31, 2022As of December 31, 2021
Weighted average remaining lease term (in years) - operating leases7.17.2
Weighted average discount rate - operating leases6.1 %6.2 %
Supplemental cash flow information related to leases was as follows:
Three Months Ended March 31,
20222021
 (in thousands)
Cash paid for amounts included in the measurement of lease liabilities$3,128 $4,147 
ROU assets obtained in exchange for new lease obligations$8,864 $152 
16

Table of Contents
Maturities of operating lease liabilities as of March 31, 2022 were as follows (in thousands):
2022 (for the remaining nine months)$12,812 
202316,600 
202418,757 
202517,947 
202616,551 
2027 and thereafter49,066 
Total lease payments$131,733 
Less: imputed interest(26,443)
Total$105,290 

Note 6.12. Stock-Based Compensation Expense
(a)General
(a)General
Stock-based compensation expense for restricted stock, restricted stock units,RSUs, performance-based PSUs, stock options and issuances of common stock pursuant to our employee stock purchase plan was classified in the accompanying consolidated statements of operations as follows:
 Three Months Ended September 30, Nine Months Ended September 30, Three Months Ended March 31,
 2017 2016 2017 2016 20222021
 (in thousands) (in thousands)
Stock-based compensation expense:        Stock-based compensation expense:
Cost of revenue $305
 $166
 $815
 $445
Cost of revenue$2,090 $1,554 
Research and development 1,986
 1,600
 5,188
 4,617
Research and development13,024 7,815 
Sales and marketing 1,512
 1,328
 4,694
 5,453
Sales and marketing6,774 5,746 
General and administrative 1,485
 1,083
 4,041
 2,822
General and administrative7,034 5,747 
Total stock-based compensation expense $5,288
 $4,177
 $14,738
 $13,337
Total stock-based compensation expense$28,922 $20,862 
We recognize compensation cost of all awards on a straight-line basis over the applicable vesting period, which is generally four years.
(b)Restricted Stock and Restricted Stock Units
Our Compensation Committee adopted and approved the performance goals, targets and payout formulas for our 2022 and 2021 bonus plans, including permitting our executive officers and certain other employees the opportunity to receive payment of their earned bonuses in the form of common stock (in lieu of cash). During each of the three months ended March 31, 2022 and 2021, we recognized stock-based compensation expense related to such bonuses in the amount of $1.0 million, based on the probable expected performance against the pre-established corporate financial objectives as of March 31, 2022 and 2021. For all employees, including executive officers, who elect to receive their bonuses in the form of common stock (in lieu of cash), the payouts are expected to be made in the form of fully vested stock awards in the first quarter of the following year pursuant to our 2015 Equity Incentive Plan, as amended. The number of shares underlying such awards is determined by dividing the dollar value of the actual bonus award payment by the closing price per share of our common stock on the date of grant.
17

Table of Contents
(b)Restricted stockStock Units and restricted stock unitPerformance-Based Restricted Stock Units
RSUs and PSUs activity during the ninethree months ended September 30, 2017March 31, 2022 was as follows:
  Restricted Stock Restricted Stock Units
  Shares 
Weighted-Average
Grant Date
Fair Value
 Shares Weighted-Average
Grant Date
Fair Value
Unvested balance as of December 31, 2016 585,004
 $18.05
 734,577
 $13.47
Granted 
 
 1,863,510
 14.83
Vested (292,210) 17.36
 (320,724) 13.77
Forfeited (14,093) 23.01
 (207,740) 14.02
Unvested balance as of September 30, 2017 278,701
 $18.52
 2,069,623
 $14.59
SharesWeighted-Average
Grant Date
Fair Value
Unvested balance as of December 31, 20212,778,877 $74.40 
Granted1,761,259 96.60 
Vested(402,008)49.84 
Forfeited(190,751)77.52 
Unvested balance as of March 31, 20223,947,377 $86.65 
As of September 30, 2017,March 31, 2022, the unrecognized compensation expense related to our unvested restricted stockRSUs and restricted stock units expected to vestPSUs was $32.5$319.5 million. This unrecognized compensation expense will be recognized over an estimated weighted-average amortization period of 3.0 years.

(c)Stock Options
During the nine months ended September 30, 2017, we repurchased 16,144 shares of our common stock in settlement of employee tax withholding obligations due upon the vesting of restricted stock.
(c)Stock Options
Stock option activity during the ninethree months ended September 30, 2017March 31, 2022 was as follows:
  Shares 
Weighted
Average
Exercise
Price
 
Weighted
Average
Remaining
Contractual Life
(in years)
 
Aggregate
Intrinsic
Value
(in thousands)
Outstanding as of December 31, 2016 4,580,375
 $8.20
    
Granted 1,274,238
 13.41
    
Exercised (785,550) 6.38
   $8,598
Forfeited/cancelled (290,813) 12.73
    
Outstanding as of September 30, 2017 4,778,250
 $9.61
 7.3 $38,422
Vested and exercisable as of September 30, 2017 2,714,463
 $6.90
 6.0 $29,173
As of September 30, 2017, the unrecognized compensation expense related to our unvested stock options expected to vest was $12.0 million. This unrecognized compensation expense will be recognized over an estimated weighted-average amortization period of 2.7 years.
SharesWeighted
Average
Exercise
Price
Weighted
Average
Remaining
Contractual Life
(in years)
Aggregate
Intrinsic
Value
(in thousands)
Outstanding as of December 31, 20211,411,387 $10.74 3.4$150,951 
Granted— — 
Exercised(98,783)9.71 $8,847 
Forfeited/cancelled— — 
Outstanding as of March 31, 20221,312,604 $10.81 3.2$131,818 
Vested and exercisable as of March 31, 20221,312,604 $10.81 3.2$131,818 
The total fair value of stock options vested in the ninethree months ended September 30, 2017March 31, 2022 was $5.9$0.1 million. The weighted-average grant date fair value of stock options granted in the nine months ended September 30, 2017 was $6.66 per share.

(d)Employee Stock Purchase Plan
(d)Employee Stock Purchase Plan
Under the Rapid7, Inc. 2015 Employee Stock Purchase Plan (ESPP)(“ESPP”), employees may set aside up to 15% of their gross earnings, on an after-tax basis, to purchase our common sharesstock at a discounted price, which is calculated at 85% of the lesser of: (i) the market value of our common stock at the beginning of each offering period and (ii) the market value of our common stock on the applicable purchase date.
On March 15, 2017,2022, we issued 138,08580,747 shares of common stock to employees, with purchase prices of $67.59 or $81.37 per share, for aggregate proceeds of $1.5$5.7 million. The purchase prices of the shares of common stock were $10.60 and $12.79 per share, which were discounted in accordance with the terms of the ESPP from the closing prices of our common stock on March 16, 2016 of $12.47 and on March 15, 2017 of $15.05, respectively.
On September 15, 2017, we issued 109,144 shares of common stock to employees for aggregate proceeds of $1.4 million. The purchase price of the shares of common stock was $12.96 per share, which was discounted in accordance with the terms of the ESPP from the closing price of our common stock on March 16, 2017 of $15.25.
Note 7.13. Net Loss per Share
The following table summarizes the computation of basic and diluted net loss per share of our common stock for the three and nine months ended September 30, 2017March 31, 2022 and 2016:2021:
Three Months Ended March 31,
 20222021
 (in thousands, except share and per share data)
Numerator:
Net loss$(44,999)$(29,845)
Denominator:
Weighted-average common shares outstanding, basic and diluted57,724,821 52,904,881 
Net loss per share, basic and diluted$(0.78)$(0.56)
18

Table of Contents
 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
 (in thousands, except share and per share data)
Numerator:       
Net loss$(10,284) $(10,194) $(32,466) $(39,226)
Denominator:       
Weighted-average common shares outstanding, basic and diluted43,279,025
 41,482,173
 42,693,212
 41,033,080
Net loss per share attributable to common stockholders, basic and diluted$(0.24) $(0.25) $(0.76) $(0.96)
We intend to settle any conversion of our 2025 Notes and 2027 Notes in cash, shares, or a combination thereof. The dilutive impact of the Notes for our calculation of diluted net income (loss) per share is considered using the if-converted method. For the three months ended March 31, 2022 and 2021, the shares underlying the Notes were not considered in the calculation of diluted net loss per share as the effect would have been anti-dilutive.

In connection with the issuance of the 2023 Notes, the 2025 Notes and the 2027 Notes, we entered into 2023 Capped Calls, 2025 Capped Calls and 2027 Capped Calls, which were not included for the purpose of calculating the number of diluted shares outstanding, as their effect would have been anti-dilutive. As further described in Note 10, Debt, the 2023 Capped Calls were not redeemed with the redemption of the 2023 Notes.
The following potentially dilutive securities outstanding prior to the use of the treasury stock method or if-converted method, have been excluded from the computation of diluted weighted-average shares outstanding for the respective periods below because they would have been anti-dilutive:
Three Months Ended March 31,
 20222021
Options to purchase common stock1,312,604 1,763,007 
Unvested restricted stock units3,947,377 3,953,263 
Common stock to be issued to DivvyCloud founders66,865 200,596 
Common stock issued to IntSights founders206,608 — 
Shares to be issued under ESPP15,742 7,889 
Convertible senior notes9,573,087 15,103,262 
Total15,122,283 21,028,017 

 Three and Nine Months Ended September 30,
 2017 2016
Options to purchase common stock4,778,250
 4,520,062
Unvested restricted stock278,701
 696,187
Unvested restricted stock units2,069,623
 657,427
Shares to be issued under ESPP9,614
 15,087
Total7,136,188
 5,888,763
Note 8.14. Commitments and Contingencies
(a)Warranty
(a)Warranty
We provide limited product warranties. Historically, any payments made under these provisions have been immaterial.
(b)Litigation and Claims
From(b)Litigation and Claims
In October 2018, Finjan, Inc. (“Finjan”) filed a complaint against us and our wholly-owned subsidiary, Rapid7 LLC, in the United States District Court, District of Delaware, alleging patent infringement of 7 patents held by them. In the complaint, Finjan sought unspecified damages, attorneys' fees and injunctive relief. We intend to vigorously contest Finjan's claims. The final outcome, including our liability, if any, with respect to Finjan's claims, is uncertain. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
In addition, from time to time, we may be a party to litigation or subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
(c)Indemnification Obligations
(c)Indemnification Obligations
We agree to standard indemnification provisions in the ordinary course of business. Pursuant to these provisions, we agree to indemnify, hold harmless and reimburse the indemnified party for losses suffered or incurred by the indemnified party, generally our customers, in connection with any United States patent, copyright or other intellectual property infringement claim by any third party arising from the use of our products or services in accordance with the agreement or arising from our gross negligence, willful misconduct or violation of the law (provided that there is not gross or willful misconduct on the part of the other party) with respect to our products or services. The term of these indemnification provisions is generally perpetual from the time of execution of the agreement. We carry insurance that covers certain third-party claims relating to our services and limits our exposure. We have never incurred costs to defend lawsuits or settle claims related to these indemnification provisions.
19

Table of Contents
As permitted under Delaware law, we have entered into indemnification agreements with our officers and directors, indemnifying them for certain events or occurrences while they serve as officers or directors of the company.
Note 9.15. Segment Information and Information about Geographic Areas
We operate in one1 segment. Our chief operating decision maker is our chief executive officer,Chief Executive Officer, who makes operating decisions, assesses performance and allocates resources on a consolidated basis.
Net revenues by geographic area presented based upon the location of the customer were as follows:
 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
 (in thousands)
North America$42,966
 $34,538
 $121,177
 $96,957
Other7,555
 5,801
 22,032
 15,446
Total$50,521
 $40,339
 $143,209
 $112,403
Of the total net revenues generated in North America, 93% and 94% of the revenues were generated in the United States for the three months ended September 30, 2017 and 2016, respectively, and 93% and 96% of the revenues were generated in the United States for the nine months ended September 30, 2017 and 2016, respectively.
 Three Months Ended March 31,
 20222021
 (in thousands)
United States$119,123 $92,509 
Other38,261 24,942 
Total$157,384 $117,451 
Property and equipment, net by geographic area was as follows:

As of March 31, 2022As of December 31, 2021
 (in thousands)
United States$36,380 $37,682 
Other13,424 12,543 
Total$49,804 $50,225 
20
 As of September 30, 2017 As of December 31, 2016
 (in thousands)
United States$6,646
 $7,063
Other1,349
 1,025
Total$7,995
 $8,088

Note 10. Related Party Transactions
In October 2015, McAfee LLC (formerly known as Intel Security) announced the end-of-sale for the McAfee Vulnerability Manager to customers and partners, effective January 11, 2016, with end-of-life to follow, and announced that we were named their exclusive vulnerability management partner. Under the termsTable of the commercial agreement, we incur partner referral fees as customers transition from McAfee Vulnerability Manager to Nexpose. During the three and nine months ended September 30, 2017, we recognized sales and marketing expense of $0.4 million and $2.3 million, respectively, related to partner referral fees payable to McAfee LLC. On February 6, 2017, Michael Berry, a member of our Board of Directors, became the Chief Financial Officer of McAfee LLC.Contents
Note 11. Subsequent Event

In October 2017, we entered into a lease agreement for a new facility in Austin, Texas for approximately 26,000 square feet.  We expect to occupy the new office space in September 2018 and the lease term is 86 months.  Our total obligation for the rent is approximately $7.6 million over the term of the lease.  







Item 2.    Management's Discussion and Analysis of Financial Condition and Results of Operations.
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with (1) our unaudited consolidated financial statements and related notes appearing elsewhere in this Quarterly Report on Form 10-Q and (2) the audited consolidated financial statements and the related notes and management’s discussionManagement’s Discussion and analysisAnalysis of financial conditionFinancial Condition and resultsResults of operationsOperations for the fiscal year ended December 31, 20162021 included in our Annual Report on Form 10-K, filed with the SEC on March 9, 2017.February 24, 2022. Forward-looking statements in this review are qualified by the cautionary statement included under the next sub-heading, “Special Note Regarding Forward-Looking Statements”.
Special Note Regarding Forward-Looking Statements
This Quarterly Report on Form 10-Q, including the sections entitled “Risk Factors,” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” contains “forward-looking statements”forward-looking statements that involve risks and uncertainties, as well as assumptions that, if they never materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Statements that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended, or the Exchange Act. Theseamended. Forward-looking statements are often identified by the use of words such as, but not limited to, “anticipate,” “believe,” “can,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “seek,” “should,” “target,” “will,” “would” or the negative or plural of these words orand similar expressions or variations.variations intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning the following:
• our ability to continue to add new customers, maintain existing customers and sell new products and professional services to new and existing customers;
• uncertain impacts that the ongoing COVID-19 pandemic may have on our business, strategy, operating results, financial condition and cash flows, as well as changes in overall level of software spending and volatility in the global economy;
• the effects of increased competition as well as innovations by new and existing competitors in our market;
• our ability to adapt to technological change and effectively enhance, innovate and scale our solutions;
• our ability to effectively manage or sustain our growth and to attain and sustain profitability;
• our ability to diversify our sources of revenue;
• potential acquisitions and integration of complementary business and technologies;
• our expected use of proceeds from future issuances of equity or convertible debt securities;
• our ability to maintain, or strengthen awareness of, our brand;
• perceived or actual security, integrity, reliability, quality or compatibility problems with our solutions, including related to security breaches in our customers; systems, unscheduled downtime or outages;
• statements regarding future revenue, hiring plans, expenses, capital expenditures, capital requirements and stock performance;
• our ability to meet publicly announced guidance or other expectations about our business, key metrics and future operating results;
• our ability to maintain an adequate annualized recurring revenue growth;
• our ability to attract and retain qualified employees and key personnel and further expand our overall headcount;
• our ability to grow, both domestically and internationally;
• our ability to stay abreast of new or modified laws and regulations that currently apply or become applicable to our business both in the United States and internationally;
• our ability to maintain, protect and enhance our intellectual property;
• costs associated with defending intellectual property infringement and other claims; and
• the future trading prices of our common stock and the impact of securities analysts’ reports on these prices.
These statements represent the beliefs and assumptions of our management based on information currently available to us. Such forward-looking statements are subject to a number of risks, uncertainties assumptions and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by thesuch forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified herein,below, and those discussed in the section titled “Risk Factors,” set forth inFactors” included under Part II, Item 1A of this Quarterly Report on Form 10-Q and in our other SEC filings. You should not rely upon forward-looking statements as predictions of future events.1A. Furthermore, such forward-looking statements
21

Table of Contents
speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances that occur after the date of such statements.this report.
As used in this report, the terms “Rapid7,” the “company,” “we,” “us,” and “our” mean Rapid7, Inc. and its subsidiaries unless the context indicates otherwise.
Overview
Rapid7 is advancing security with visibility, analytics, and automation delivered through our Insight Platform. Our solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for misconfigurations and malicious behavior, investigate and shut down attacks, and automate routine tasks.
In the over 20 years that Rapid7 has been in business, security companies and trends have come and gone, while broader technology innovation continues to advance rapidly. Every company is now a leading providertechnology company, and rampant innovation inevitably creates security risk. The migration of analytics forbusinesses to the cloud, more distributed workforces, and ubiquitous connected devices present security and IT operations that enable organizations to implementteams with an active, analytics-driven approach to cyber security and IT operations. Our data and analytics platform was purpose-built for today’s increasingly complex, ever-changing, and chaotic IT environment. We make it simple to collect and unify operational data from across the entire IT infrastructure, and our advanced analytics unlock the information required to securely operate, manage and develop today's sophisticated applications and services.unpredictable attack surface.
We combinebelieve as cybersecurity challenges continue to rise exponentially, two key factors can prevent organizations from effectively managing their growing security exposure. First, the tools to manage complex security problems are often equally complicated to use. Second, there is a scarcity of cybersecurity professionals who are qualified to successfully manage these sophisticated tools. These two factors compound the difficulties that resource-constrained organizations face when attempting to minimize their security exposure, meet security compliance regulations and provide visibility to their leadership. We call the expanding divide between risk created through innovation and risk effectively managed by security teams the security achievement gap.
We believe Rapid7 is uniquely positioned to improve how security challenges are addressed. Our solutions and services are built with and supported by the expertise of our extensive experiencededicated team of security researchers, expert SOC analysts and consultants, who bring knowledge of attacker behavior and emerging vulnerabilities directly to customers. We also continue to invest in collecting disparate data, deep insight into attacker behaviorsfurther simplifying our technology to improve usability, lowering the barrier for teams and techniques andorganizations who lack resources to manage their security posture.
While our purpose-driven analyticssecurity technology is the foundation of our mission to make sensesuccessful security accessible to all, technology alone will not solve today’s cybersecurity challenges. Our ongoing commitment to researching and partnering with the technology community helps to curb new security risks born through innovation. We are also investing in under-served, at risk communities, like non-profits and hospitals, to better understand their needs and make security technology and services accessible. By continuously improving our technology, stemming the creation of risk in the wealth of data availablecommunity, and making security more usable and accessible, Rapid7 aims to organizations about their IT environments and users. Our powerful and proprietary analytics enable organizations to contextualize and prioritizeclose the threats facing their physical, virtual and cloud assets, including those posed by the behaviors of their users. Leveraging our IT data and analytics platform, our solutions enable organizations to strategically and dynamically manage their cyber security exposure and manage IT operations. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities, and allow them to rapidly detect compromises, respond to breaches and correct the underlying causes of attacks. By providing a unified IT and security platform, with automated workflow, we enable IT and security to work together more effectively to develop, operate and secure their environment. For example, our platform and proprietary technologies were developed to help customers identify the weaknesses and exposures in their environment and are designed to enable them to detect and respond to breaches immediately. We help them troubleshoot performance issues across their infrastructure, applications and endpoints. Our platform approach enables organizations to collect data once and use it for ongoing unlimited use and access to solve the specific problems their organization faces, reducing the costs and overhead associated with relying on point solutions, and enabling workflow between organizations that must work together to resolve issues, reduce risk and increase resiliency.achievement gap.
We market and sell our products and professional services to global organizations of all sizes globally, including mid-market businesses, enterprises, non-profits, educational institutions and government agencies. Our customers span a wide variety of industries such as technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services. As of September 30, 2017,March 31, 2022, we had over 6,70010,400 customers in 125141 countries, including 39%49% of the Fortune 1000.100. Our revenue was not concentrated with any individual customer or group of customers, and no customer represented more than 2%1% of our revenue for the three or nine months ended September 30, 2017March 31, 2022 or 2016.2021.
Recent Developments
COVID-19 Response
Rapid7 remains focused on supporting its customers, partners, employees and communities during the ongoing COVID-19 pandemic. The impact of COVID-19 on the global economy and on our business continues to be a fluid situation. As a result of the COVID-19 pandemic, we have modified certain aspects of our business, including restricting employee travel, adopting a virtual sales strategy to enable our employees to work productively from home, transitioning our employee onboarding and training processes to remote or online programs, and canceling certain events and meetings, among other modifications. We sellreopened our productsoffices in a phased approach and services through direct insidecontinue to hold in-person or hybrid meetings, on a voluntary basis, taking into consideration government restrictions and fieldemployee safety.
We will continue to actively monitor the at times rapidly evolving situation related to COVID-19 and may take further actions that alter our business operations, including those that may be required by federal, foreign, state or local authorities, or that we determine are in the best interests of our employees, customers, partners, suppliers, vendors and stockholders. At this point, the extent to which the COVID-19 pandemic may impact our business, results of operations and financial condition is uncertain.
22

While we have not experienced significant disruptions from the COVID-19 pandemic during the three months ended March 31, 2022, we are unable to accurately predict the full impact that COVID-19 will have due to numerous uncertainties, including the duration of the outbreak, the result of vaccination efforts, resurgence of the virus, actions that may be taken by governmental authorities, the impact on our business including our sales teamscycle, sales execution and indirect channel partner relationships. Our global sales teams focus on both new customer acquisitionmarketing efforts, and up-sellingthe impact to the business of our customers, vendors and cross-selling additional offeringspartners. Furthermore, due to our existing customers. Our sales teams are organized by geography, consistingsubscription model, any effect of the Americas; Europe,COVID-19 pandemic may not be fully reflected in our results of operations until future periods. For further discussion of the Middle Eastchallenges and Africa; and Asia Pacific, or APAC, as well as by target organization size. Our inside sales team focusesrisks we confront related to the COVID-19 pandemic, please refer to Part II, Item 1A Risk Factors of this Quarterly Report on small and middle-market transactions, while larger or more complex transactions are generally handled by our globally distributed direct field sales teams. Our highly technical sales engineers help define customer use cases, manage solution evaluations and train channel partners.Form 10-Q.


Our Business Model
We have three offerings:offerings in six key areas: (1) threat exposure management, which includes our Nexpose, InsightVM, Metasploit, AppSpider, InsightAppSec and Komand products, (2) incident detection and response, which includes our InsightIDR, ManagedIncident Detection and Response, (formerly known as "Analytic Response"), InsightOps(2) Cloud Security, (3) Vulnerability Risk Management, (4) Application Security, (5) Threat Intelligence and Logentries products as well as our incident response services(6) Security Orchestration and (3) security advisory services.Automation Response.
We offer our products through a variety of delivery models to meet the needs of our diverse customer base, including:
Cloud-based subscriptions, which provide our software capabilities to our customers through cloud access and on a subscription basis. Our InsightIDR, InsightCloudSec, InsightVM, InsightAppSec, InsightConnect and Threat Intelligence products are offered as cloud-based subscriptions, generally with a one-year term.
Managed services, through which we operate our products and provide our capabilities on behalf of our customers. Our Managed Vulnerability Management, Managed Application Security and Managed Detection and Response products are offered on a managed service basis, generally pursuant to one-year agreements.
Licensed software including bothconsists of term and perpetual licenses and the sale ofto a lesser extent perpetual licenses. When a term license is purchased, maintenance and support.support and content subscriptions, as applicable, are bundled with the license for the term period. Our Nexpose, Metasploit, AppSpider and AppSpiderInsightCloudSec products are offered through perpetual or term software licenses, with a majority of our customers selectinglicenses. When a perpetual license. Our customers who purchase software licenses also purchaselicense is purchased, a customer typically purchases maintenance and support whichand content subscriptions, as applicable. Our maintenance and support provides our customers with telephone and web-based support and ongoing bug fixes and repairs during the term of the maintenance and support agreement, and our customers who purchase our Nexpose and Metasploit products also purchase content subscriptions, which provide our customersthem with real-time access to the latest vulnerabilities and exploits. Our maintenance and support and content subscription agreements are typically for one to three-yearone-year terms. In addition, our Komand product offering is offered through term licenses.
Cloud-based subscriptions, which provide our software capabilities to our customers through cloud access and on a Software as a Service, or SaaS, basis. Our InsightIDR, InsightVM, InsightAppSec, Logentries and InsightOps products are offered on cloud-based subscriptions, generally with one to three-year terms.
Managed services, through which we operate our products and provide our capabilities on behalf of our customers. Our Managed Vulnerability Management (Nexpose), Managed Application Security (AppSpider) and Managed Detection and Response (InsightIDR) products are offered on a managed service basis, generally pursuant to one to three-year agreements.
We also offer various professional services across all of our offerings, including deployment and training services related to our software and cloud-based products, incident response services, penetration testing and security advisory services. Customers can purchase our professional services together with our product offerings or on a stand-alone basis pursuant to fixed fee or time-and-materials agreements.
An important component of our revenue growth strategy is to have our existing customers renew their agreements with us and purchase additional products from us. To assess our performance against this objective, we monitor the renewal rates of our existing customers. We calculate our renewal rate by dividing the dollar value of renewed customer agreements, including upsells and cross-sells of additional products, but excluding professional services and Logentries, in a trailing 12-month period by the dollar value of the corresponding customer agreements. We also calculate an expiring renewal rate that does not take into account any upsells or cross-sells. As a result of this methodology, we would not expect our expiring renewal rate to exceed 100%. Our renewal rate was 119% and 121% for the third quarter of 2017 and 2016, respectively, and our expiring renewal rate was 89% for the third quarter of 2017 and 2016. Our goal is to maintain what we believe are strong renewal rates, and work to increase them over time. However, our renewal rates may decline or fluctuate as a result of a number of factors, including customers’ satisfaction or dissatisfaction with our products and professional services, pricing, competitive offerings, economic conditions or overall changes in our customers’ spending levels.
We generate revenue from selling products, maintenance and support, and professional services. For the three months ended September 30, 2017March 31, 2022 and 2016, 82% and 81% of our revenue, respectively, was derived from sales of products and associated maintenance and support, while the remaining 18% and 19%, respectively, was derived from the sale of professional services. For the nine months ended September 30, 2017 and 2016, 81% and 82% of our revenue, respectively, was derived from sales of products and associated maintenance and support, while the remaining 19% and 18%, respectively, was derived from the sale of professional services.
For the three months ended September 30, 2017 and 2016,2021, recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 70.5%94% and 67.7%91%, respectively, of total revenue. For
23

Table of Contents
Key Metrics
We monitor the nine months ended September 30, 2017following key metrics to help us measure and 2016, recurring revenue was 69.8% and 67.4%, respectively, of total revenue. In prior years, we did not include term software licenses inevaluate the calculation of recurring revenue. As a result, for the three and nine months ended September 30, 2016, our recurring revenue was recast from 62.0%, as previously disclosed, to 67.7% and 67.4%, respectively.
For the three months ended September 30, 2017 and 2016, 86% and 85%, respectively,effectiveness of our total revenue came from deferred revenue on the balance sheet at the beginning of the respective periods. For the nine months ended September 30, 2017 and 2016,

66% and 64%, respectively, of our total revenue came from deferred revenue on the balance sheet at the beginning of the respective periods. We have made adjustments to the historical calculation of revenue from deferred revenueoperations and as a result, for the threemeans to evaluate period-to-period comparisons. We believe that both management and nine months ended September 30, 2016,investors benefit from referring to these key metrics as supplemental information in assessing our total revenue from deferred revenue was recast from 87% and 65%, respectively, as previously disclosed, to 85% and 64%, respectively. We generally bill customers and collect payment for both our products and services up front.
Other Business Metrics
We regularly monitor a number of financial and operating metrics in order to measure our current performance and estimatewhen planning, forecasting, and analyzing future periods. These key metrics also facilitate management's internal comparisons to our future performance. Our other businesshistorical performance as well as comparisons to certain competitors' operating results. We believe these key metrics may be calculated in a manner different than similar other businessare useful to investors both because they allow for greater transparency with respect to key metrics used by other companies.management in its financial and operational decision-making and also because they are used by institutional investors and the analyst community to help evaluate the health of our business:
 Three Months Ended March 31,
 20222021
 (dollars in thousands)
Total revenue$157,384 $117,451 
Year-over-year revenue growth34.0 %24.5 %
Non-GAAP (loss) income from operations$(5,619)$1,906 
Free cash flow$3,828 $17,865 
 As of March 31,
 20222021
(dollars in thousands)
Number of customers10,407 8,945 
Year-over-year customer growth16 %11 %
Annualized recurring revenue (ARR)$627,122 $455,797 
Year-over-year ARR growth37.6 %29.9 %
  Three Months Ended
September 30,
 Nine Months Ended
September 30,
  2017 2016 2017 2016
  (dollars in thousands)
Total revenue $50,521
 $40,339
 $143,209
 $112,403
Year-over-year growth 25.2% 42.5% 27.4% 44.7%
Calculated billings (non-GAAP) $58,735
 $44,881
 $162,789
 $131,350
Operating cash flow $5,744
 $1,790
 $5,084
 $2,061
  As of September 30,
  2017 2016
Deferred revenue $188,643
 $149,264
Number of customers 6,735
 5,873
Total Revenue and Growth. We are focused on driving continued revenue growth through increased sales of our products and professional services to new and existing customers. We monitor total revenue and believe it is useful to investors as a measure of the overall success of our business.
Calculated Billings (non-GAAP)Non-GAAP Income (Loss) from Operations.We monitor non-GAAP income (loss) from operations, a non-GAAP financial measure, to analyze our financial results. We believe non-GAAP income (loss) from operations is useful to investors, as a supplement to GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial performance and allowing for greater transparency with respect to metrics used by our management in its financial and operational decision-making. See Non-GAAP Financial Results below for further information on non-GAAP income (loss) from operations and a reconciliation of non-GAAP income (loss) from operations to the comparable GAAP financial measure.
Free Cash Flow. Calculated billingsFree cash flow is a non-GAAP measure that we define as totalnet cash provided by operating activities less purchases of property and equipment and capitalization of internal-use software costs. We consider free cash flow to be a liquidity measure that provides useful information to management and investors about the amount of cash generated by the business after necessary capital expenditures. See Non-GAAP Financial Results below for a reconciliation of non-GAAP free cash flow to the comparable GAAP financial measure.
Annualized Recurring Revenue and Growth. Annualized Recurring Revenue (“ARR”) is defined as the annual value of all recurring revenue recognizedrelated to contracts in accordance with generally accepted accounting principles, or GAAP, plus the change in deferred revenue from the beginning toplace at the end of the period. We consider calculated billingsquarter. ARR should be viewed independently of revenue and deferred revenue as ARR is an operating metric and is not intended to be combined with or replace these items. ARR is not a useful metric for management and investors, as a supplement to the corresponding GAAP measureforecast of total revenue, because billings drive deferredfuture revenue, which is an important indicator of the healthcan be impacted by contract start and visibility of trendsend dates and renewal rates and does not include revenue reported as perpetual license or professional services revenue in our business,consolidated statement of operations. We use ARR and represents a significant percentage of future revenue. We regularly monitor calculated billings because we believe the measure offers valuable information regarding the performance of our business and will help investors better understand the sales activity and performance of our business for a particular period. With the expansion of our subscription, cloud-based product offerings (InsightVM, InsightIDR, InsightAppSec, and InsightOps) on the Insight platform, we may realize a shortening of our average contract duration, which should be taken into consideration when evaluating calculated billings. Our use of calculated billings has limitations as an analytical tool and should not be considered in isolation or as a substitute for revenue recognition or revenue measurement, or an analysis of our results as reported under GAAP. Also, it is importantuseful to note that other companies, including companies in our industry, may not use calculated billings, may compute billings differently, may have different billing frequencies, or may use other financial measures to evaluate their performance, all of which could reduce the usefulness of calculated billings as a comparative measure.
  Three Months Ended September 30, Nine Months Ended September 30,
  2017 2016 2017 2016
  (in thousands)
Total revenue $50,521
 $40,339
 $143,209
 $112,403
Add: Deferred revenue, end of period 188,643
 149,264
 188,643
 149,264
Less: Deferred revenue, beginning of period 180,429
 144,722
 169,063
 130,317
Calculated billings $58,735
 $44,881
 $162,789
 $131,350

Operating Cash Flow. We monitor our operating cash flowinvestors as a measure of the overall success of our overall business performance, which enables us to analyze our financial performance without the effects of certain non-cash items such as stock-based compensation expenses and depreciation and amortization. Additionally, operating cash flow takes into account the increase in deferred revenue as a result of increases in sales of products and services, which reflects the receipt of cash payment for products before they are recognized into revenue. Our operating cash flow is significantly impacted by the timing of commission and bonus payments, accounts payable payments and collections of accounts receivable.business.
Deferred Revenue. We believe that deferred revenue is an important metric as it provides visibility into the revenue to be recognized in future periods. Our deferred revenue consists of amounts that have been invoiced to customers but that have not yet been recognized as revenue. Our deferred revenue balance primarily consists of the portion of products, maintenance and support and professional services revenue that will be recognized ratably over the applicable maintenance and support contract period. Revenue from professional services that are sold on a stand-alone basis is recognized as those services are rendered.
Number of Customers. We believe that the size of our customer base is an indicator of our global market penetration and that our net customer additions are an indicator of the growth of our business. We define a customer as any entity that has (1) an active Rapid7 recurring revenue contract or a contract that expired within 90 days or lessas of the applicablespecified measurement date;date, excluding InsightOps and for Logentries products, thoseonly customers with a contract value equal to or greaterless than $2,400 per year, or (2) purchased Rapid7 professional services within the 12 months preceding the applicable measurement date.year.

24

Table of Contents
Non-GAAP Financial Results
To supplement our consolidated financial statements, which are prepared and presented in accordance with GAAP, we provide investors with certain non-GAAP financial measures, including non-GAAP gross profit, non-GAAP operating loss,income (loss) from operations, non-GAAP net loss, andincome (loss), non-GAAP net lossincome (loss) per share, which we collectively refer to as non-GAAP financial measures. These non-GAAP financial measures exclude all or a combination of the following (as reflected in the following reconciliation tables): stock-based compensation expense, amortization of acquired intangible assets, certain acquisition-related expensesadjusted EBITDA and certain non-recurring items.free cash flow. The presentation of the non-GAAP financial measures is not intended to be considered in isolation or as a substitute for, or superior to, the financial information prepared and presented in accordance with GAAP. We use these non-GAAP financial measures for financial and operational decision-making purposes and as a means to evaluate period-to-period comparisons, and use certain non-GAAP financial measures as performance measures under our executive bonus plan. We believe that these non-GAAP financial measures provide useful information about our operating results, enhance the overall understanding of past financial performance and future prospects and allow for greater transparency with respect to metrics used by our management in its financial and operational decision-making. While our non-GAAP financial measures are an important tool for financial and operational decision-making and for evaluating our own operating results over different periods of time, you should review the reconciliation of our non-GAAP financial measures to the comparable GAAP financial measures included below, and not rely on any single financial measure to evaluate our business.
We define non-GAAP gross profit, non-GAAP income (loss) from operations, non-GAAP net income (loss) and non-GAAP net income (loss) per share as the respective GAAP balances excluding the effect of stock-based compensation expense, amortization of acquired intangible assets, amortization of debt issuance costs and certain other items such as acquisition-related expenses, litigation-related expenses and induced conversion expense. Non-GAAP net income (loss) per basic and diluted share is calculated as non-GAAP net income (loss) divided by the weighted average shares used to compute net income (loss) per share, with the number of weighted average shares decreased, when applicable, to reflect the anti-dilutive impact of the capped call transactions entered into in connection with our convertible senior notes.
We believe these non-GAAP financial measures are useful to investors in assessing our operating performance due to the following factors:
Stock-based compensation expense. We exclude stock-based compensation expense because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact our non-cash expense. We believe that providing non-GAAP financial measures that exclude stock-based compensation expense allowallows for more meaningful comparisons between our operating results from period to period.
Amortization of acquired intangible assets. We believe that excluding the impact of amortization of acquired intangible assets allows for more meaningful comparisons between operating results from period to period as the intangiblesintangible assets are valued at the time of acquisition and are amortized over several years after the acquisition. We also exclude
Amortization of debt issuance costs. The expense for the impactamortization of certaindebt issuance costs directly related to acquisitionsour convertible senior notes and asset impairments as these costs are unrelated torevolving credit facility is a non-cash item and we believe the current operationsexclusion of this interest expense provides a more useful comparison of our operational performance in different periods.
Induced conversion expense. In conjunction with the first quarter of 2021 partial repurchase of our 1.25% convertible senior notes due 2023, we incurred an induced conversion expense of $2.7 million. We exclude induced conversion expense because this amount is not indicative of the performance of, or trends in, our business and is neither comparable to the prior period nor predictive of future results, whichresults.
Litigation-related expenses. We exclude certain litigation-related expenses consisting of professional fees and related costs incurred by us related to significant litigation outside the ordinary course of business. We believe it is useful to exclude such expenses because we believe allowsdo not consider such amounts to be part of our ongoing operations.
Acquisition-related expenses. We exclude acquisition-related expenses that are unrelated to the current operations and neither are comparable to the prior period nor predictive of future results.
Anti-dilutive impact of capped call transaction. Our capped calls transactions are intended to offset potential dilution from the conversion features in our convertible senior notes. Although we cannot reflect the anti-dilutive impact of the capped call transactions under GAAP, we do reflect the anti-dilutive impact of the capped call transactions in non-GAAP net income (loss) per diluted share, when applicable, to provide investors with useful information in evaluating our financial performance on a per share basis.
We define adjusted EBITDA as net loss before (1) interest income, (2) interest expense, (3) other income (expense), net, (4) provision for a more meaningful comparison between the operating results from period to period. Accordingly, weincome taxes, (5) depreciation expense, (6) amortization of intangible assets, (7) stock-based compensation expense, and (8) certain other items. We believe that excluding these expenses providesthe use of adjusted EBITDA is useful to investors and managementother users of our
25

Table of Contents
financial statements in evaluating our operating performance because it provides them with greater visibility into the underlyingan additional tool to compare business performance of our business operations, facilitates comparison of our results with other periodsacross companies and may also facilitate comparison with the results of other companies in our industry.across periods.
Our non-GAAP financial measures may not provide information that is directly comparable to that provided by other companies in our industry, as other companies in our industry may calculate non-GAAP financial results differently, particularly related to non-recurring, unusual items. In addition, there are limitations in using non-GAAP financial measures because the non-GAAP financial measures are not prepared in accordance with GAAP, may be different from non-GAAP financial measures used by other companies and exclude expenses that may have a material impact upon our reported financial results. Further, stock-based compensation expense has been and will continue to be for the foreseeable future a significant recurring expense in our business and an important part of the compensation provided to our employees.
The following tables reconcile GAAP gross profit to non-GAAP gross profit in total and by revenue class for the three and nine months ended September 30, 2017March 31, 2022 and 2016:2021:

 Three Months Ended September 30, Nine Months Ended September 30, Three Months Ended March 31,
 2017 2016 2017 2016 20222021
 (in thousands) (in thousands)
GAAP total gross profit $36,154
 $30,301
 $103,499
 $84,360
GAAP total gross profit$106,095 $81,162 
Stock-based compensation expense 305
 166
 815
 445
Stock-based compensation expense2,090 1,554 
Amortization of acquired intangible assets 853
 447
 1,731
 1,338
Amortization of acquired intangible assets4,844 2,741 
Non-GAAP total gross profit $37,312
 $30,914
 $106,045
 $86,143
Non-GAAP total gross profit$113,029 $85,457 
        
 Three Months Ended September 30, Nine Months Ended September 30, Three Months Ended March 31,
 2017 2016 2017 2016 20222021
 (in thousands) (in thousands)
GAAP gross profit – products $22,738
 $19,693
 $65,581
 $56,009
GAAP gross profit – products$105,553 $79,635 
Stock-based compensation expense 92
 11
 242
 42
Stock-based compensation expense1,495 1,018 
Amortization of acquired intangible assets 853
 447
 1,731
 1,338
Amortization of acquired intangible assets4,844 2,741 
Non-GAAP gross profit – products $23,683
 $20,151
 $67,554
 $57,389
Non-GAAP gross profit – products$111,892 $83,394 
        
 Three Months Ended September 30, Nine Months Ended September 30, Three Months Ended March 31,
 2017 2016 2017 2016 20222021
 (in thousands) (in thousands)
GAAP gross profit – maintenance and support $9,915
 $7,893
 $28,327
 $21,797
Stock-based compensation expense 71
 41
 212
 154
Non-GAAP gross profit – maintenance and support $9,986
 $7,934
 $28,539
 $21,951
        
 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
 (in thousands)
GAAP gross profit – professional services $3,501
 $2,715
 $9,591
 $6,554
GAAP gross profit – professional services$542 $1,527 
Stock-based compensation expense 142
 114
 361
 249
Stock-based compensation expense595 536 
Non-GAAP gross profit – professional services $3,643
 $2,829
 $9,952
 $6,803
Non-GAAP gross profit – professional services$1,137 $2,063 
The following table reconciles GAAP loss from operations to non-GAAP loss(loss) income from operations for the three and nine months ended September 30, 2017March 31, 2022 and 2016:2021:
 Three Months Ended March 31,
 20222021
 (in thousands)
GAAP loss from operations$(40,379)$(23,116)
Stock-based compensation expense28,922 20,862 
Amortization of acquired intangible assets5,723 2,889 
Acquisition-related expenses— 1,168 
Litigation-related expenses115 103 
Non-GAAP (loss) income from operations$(5,619)$1,906 
26

  Three Months Ended September 30, Nine Months Ended September 30,
  2017 2016 2017 2016
  (in thousands)
GAAP loss from operations $(13,042) $(10,204) $(35,409) $(39,104)
Stock-based compensation expense 5,288
 4,177
 14,738
 13,337
Amortization of acquired intangible assets 894
 769
 1,863
 1,935
Acquisition-related expenses 87
 
 167
 
Non-GAAP loss from operations $(6,773) $(5,258) $(18,641) $(23,832)
Table of Contents
The following table reconciles GAAP net loss to non-GAAP net loss for the three and nine months ended September 30, 2017March 31, 2022 and 2016:2021:

 Three Months Ended March 31,
 20222021
 (in thousands, except share and per share data)
GAAP net loss$(44,999)$(29,845)
Stock-based compensation expense28,922 20,862 
Amortization of acquired intangible assets5,723 2,889 
Acquisition-related expenses— 1,168 
Litigation-related expenses115 103 
Amortization of debt issuance costs979 658 
Induced conversion expense— 2,740 
Non-GAAP net loss$(9,260)$(1,425)
Reconciliation of net loss per share, basic and diluted:
GAAP net loss per share, basic$(0.78)$(0.56)
Non-GAAP adjustments to net loss0.62 0.53 
Non-GAAP net loss per share, basic and diluted$(0.16)$(0.03)
Weighted average shares used in GAAP and non-GAAP per share calculation, basic and diluted57,724,821 52,904,881 
The following table reconciles GAAP net loss to adjusted EBITDA for the three months ended March 31, 2022 and 2021:
 Three Months Ended March 31,
 20222021
(in thousands)
GAAP net loss$(44,999)$(29,845)
Interest income(112)(96)
Interest expense2,693 5,394 
Other (income) expense, net603 1,068 
Provision for income taxes1,436 363 
Depreciation expense3,303 2,994 
Amortization of intangible assets6,866 3,746 
Stock-based compensation expense28,922 20,862 
Acquisition-related expenses— 1,168 
Litigation-related expenses115 103 
Adjusted EBITDA$(1,173)$5,757 


The following table reconciles net cash provided by operating activities to free cash flow for the three months ended March 31, 2022 and 2021:
 Three Months Ended March 31,
 20222021
(in thousands)
Net cash provided by operating activities$10,403 $20,595 
Purchases of property and equipment(3,053)(972)
Capitalized internal-use software costs(3,522)(1,758)
Free cash flow$3,828 $17,865 

27
  Three Months Ended September 30, Nine Months Ended September 30,
  2017 2016 2017 2016
  (in thousands, except share and per share data)
GAAP net loss (10,284) (10,194) (32,466) (39,226)
Stock-based compensation expense 5,288
 4,177
 14,738
 13,337
Amortization of acquired intangible assets 894
 769
 1,863
 1,935
Acquisition-related expenses 87
 
 167
 
Release of valuation allowance, acquisition-related (2,632) 
 (2,632) 
Non-GAAP net loss $(6,647) $(5,248) $(18,330) $(23,954)
Non-GAAP net loss per share, basic and diluted $(0.15) $(0.13) $(0.43) $(0.58)
Weighted-average common shares outstanding, basic and diluted 43,279,025
 41,482,173
 42,693,212
 41,033,080


Table of Contents
Components of Results of Operations
Revenue
We generate revenue primarily from selling products maintenance and support and professional services through a variety of delivery models to meet the needs of our diverse customer base. We generally bill customers and collect payment for both our products and services up front.
Products
We generate products revenue from the sale of (1) perpetual or term software licenses for our Nexpose, Metasploit and AppSpider products, term licenses for our product offering recently acquired from Komand, as well as associated contentcloud-based subscriptions, for our Nexpose and Metasploit products, (2) managed services forofferings, which utilize our Nexpose, AppSpider and InsightIDR products and (3) cloud-based subscriptions for our InsightVM, InsightIDR, InsightAppSec, InsightOps, AppSpider and Logentries products. We also generate an immaterial amount of appliance revenue that is included in our products revenue and is associated with hardware sold as part of our Nexpose product to certain customers. Revenue for perpetual software licenses andwith related services that are sold along with the software license is deferred on our balance sheet and recognized as revenue on our consolidated statements of operations ratably over the contractual period of the maintenance and support whichand content subscription, as applicable. Software license revenue consist of revenues from term licenses, and to a lesser extent perpetual licenses. When a term license is typically one to three years. Revenue for our managed services and cloud-based subscription offerings is recognized on our consolidated statements of operations ratably over the term of the managed service agreement or subscription, provided that all other revenue recognition criteria have been met.
Maintenance and Support
We generatepurchased, maintenance and support revenue when customers purchase or renew agreementsand content subscription, as applicable, is bundled with the license for the term period. When a perpetual license is purchased, a customer typically purchases maintenance and support of their Nexpose, Metasploit and AppSpider software licenses. Substantially all of our customers purchase an agreement for maintenance and support in connection with their purchase of a Nexpose, Metasploit or AppSpider software license. Revenue from maintenance and support is recognized ratably over the term of the applicable agreement.content subscription, as applicable.
Professional Services
We generate professional service revenue from the sale of deployment and training services related to our products, incident response services and security advisory services. Revenue from professional services sold together with our perpetual and term software licenses product offerings is recognized ratably over the term of the applicable agreement. Revenue from professional services sold on a stand-alone basis or with non-software products is recognized as those services are rendered.
Cost of Revenue
Our total cost of revenue consists of the costs of products maintenance and support and professional services, revenue.

as noted below. In addition, cost of revenue includes overhead costs for depreciation, facilities, IT, information security, and recruiting. Our IT overhead costs include IT personnel compensation costs and costs associated with our IT infrastructure. All overhead costs are allocated based on relative headcount.
Cost of Products
Cost of products consists of personnel and related costs for our content, support, managed service and cloud operations team,teams, including salaries and other payroll related costs, bonuses, stock-based compensation and allocated overhead costs, which consist of IT, information security, recruiting, facilities and depreciation and are allocated based on relative headcount.costs. Also included in cost of products are software license fees, hardware, cloud computing costs and internet connectivity expenses directly related to delivering our products, amortization of contract fulfillment costs, as well as amortization of certain intangible assets.
Cost of Maintenance and Support
Cost of maintenance and support consists of personnel and related costs for our support team,assets including salaries and other payroll related costs, bonuses, stock-based compensation and allocated overhead.internally developed software.
Cost of Professional Services
Cost of professional services consists of personnel and related costs for our professional services team, including salaries and other payroll related costs, bonuses, stock-based compensation, costs of contracted third-party vendors, travel and entertainment expenses and allocated overhead.overhead costs.
We expect our cost of revenue to increase on an absolute dollar basis as we continue to grow our revenue.
Gross Margin
Gross margin, or gross profit as a percentage of revenue, has been and will continue to be affected by a variety of factors, including the average sales price of our products and services, transaction volume growth, the mix of revenue between software licenses, cloud-based subscriptions, managed services and professional services and changes in cloud computing costs.
We expect our gross margins to decrease slightly as we expect revenue from our cloud-based subscriptions and managed services to increase as a percentage of total revenue, each of which generally have a lower gross margin than our software licenses.fluctuate over time depending on the factors described above.
Operating Expenses
Operating expenses consist of research and development, sales and marketing, and general and administrative expenses. Operating expenses include allocated overhead costs for depreciation, facilities, IT, information security and recruiting. Our allocatedIT overhead costs forinclude IT includepersonnel compensation costs for compensation of IT personnel and costs associated with our IT infrastructure. All allocated overhead costs are allocated based on relative headcount.
Research and Development Expense
Research and development expense consists of personnel costs for our research and development team, including salaries and other payroll related costs, bonuses and stock-based compensation. Additional expenses include subcontracting, third-party infrastructure costs,
28

Table of Contents
travel and entertainment, consulting and professional fees for third-party development resources as well as allocated overhead.overhead costs.
We expect research and development expense to increase on an absolute dollar basis in the near term as we continue to increase investments in our products and technology platform innovation, but to decreaseremain relatively consistent as a percentage of total revenue.
Sales and Marketing Expense
Sales and marketing expense consists of personnel costs for our sales and marketing team, including salaries and other payroll related costs, commissions, including amortization of deferred commissions, bonuses and stock-based compensation. Additional expenses include marketing activities and promotional events, travel and entertainment, training costs, amortization of certain intangible assets and allocated overhead.overhead costs.
We expect sales and marketing expense to increase on an absolute dollar basis in the near term as we continue to increase investments to drive our revenue growth, but to decrease as a percentage of total revenue.
General and Administrative Expense
General and administrative expense consists of personnel costs for our administrative,executive, legal, human resources, and finance and accounting teams,departments, including salaries and other payroll related costs, bonuses and stock-based compensation. Additional expenses include travel and entertainment, subcontracting, professional fees, litigation-related expenses, insurance, acquisition-related expenses, amortization of certain intangible assets and allocated overhead.

overhead costs.
We expect general and administrative expense to increase on an absolute dollar basis in the near term as we continue to increase investments to support our growth, but to decreaseremain relatively consistent as a percentage of total revenue.
Interest Income (Expense), Net
Interest income (expense), net consists primarily of interest income on our cash and cash equivalents and our short and long-term investments.
Interest Expense
Interest expense consists primarily of contractual interest expense, amortization of debt issuance costs related to our convertible senior notes and revolving credit facility and induced conversion expense. We expect interest expense in the near term to represent contractual interest expense and amortization of debt issuance costs related to our convertible senior notes and revolving credit facility.
Other Income (Expense), Net
Other income (expense), net consists primarily of unrealized and realized gains and losses related to changes in foreign currency exchange rates and realized gains and losses on the sale of investments.rates.
Provision for (Benefit from) Income Taxes
Provision for (benefit from) income taxes relates to U.S. federalconsists of income taxes in foreign jurisdictions where we conduct business, withholding taxes, and state as well as certain foreign jurisdiction, income taxes. Historically, we have generated net lossestaxes in the U.S., U.K and Ireland and recorded a full valuation allowance against our U.S., U.K. and Ireland deferred tax assets.United States. We expect to maintain a full valuation allowance on our U.S., Irelandfor domestic and U.K.certain foreign deferred tax assets, inincluding net operating loss carryforwards and tax credits. Based on our history of losses, we expect to maintain this full valuation allowance for the near term. Realizationforeseeable future as it is more likely than not that some or all of our U.S., Ireland and U.K.those deferred tax assets depends upon future earnings, the timing and amountmay not be realized.
29

Table of which are uncertain.Contents

Results of Operations
The following table sets forth our selected consolidated statements of operations data:
 Three Months Ended March 31,
 20222021
 (in thousands)
Consolidated Statement of Operations Data:
Revenue:
Products$149,025 $109,285 
Professional services8,359 8,166 
Total revenue157,384 117,451 
Cost of revenue:(1)
Products43,472 29,650 
Professional services7,817 6,639 
Total cost of revenue51,289 36,289 
Operating expenses:(1)
Research and development49,812 33,080 
Sales and marketing75,146 54,978 
General and administrative21,516 16,220 
Total operating expenses146,474 104,278 
Loss from operations(40,379)(23,116)
Interest income112 96 
Interest expense(2,693)(5,394)
Other income (expense), net(603)(1,068)
Loss before income taxes(43,563)(29,482)
Provision for income taxes1,436 363 
Net loss$(44,999)$(29,845)
(1)Cost of revenue and operating expenses include stock-based compensation expense and depreciation and amortization expense as follows:
 Three Months Ended March 31,
 20222021
 (in thousands)
Stock-based compensation expense:
Cost of revenue$2,090 $1,554 
Research and development13,024 7,815 
Sales and marketing6,774 5,746 
General and administrative7,034 5,747 
Total stock-based compensation expense$28,922 $20,862 
 Three Months Ended March 31,
 20222021
 (in thousands)
Depreciation and amortization expense:
Cost of revenue$6,595 $4,151 
Research and development993 858 
Sales and marketing1,934 1,269 
General and administrative647 462 
Total depreciation and amortization expense$10,169 $6,740 
30

 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
 (in thousands)
Consolidated Statement of Operations Data:       
Revenue:       
Products$29,626
 $23,108
 $82,736
 $64,709
Maintenance and support11,654
 9,694
 33,794
 27,037
Professional services9,241
 7,537
 26,679
 20,657
Total revenue50,521
 40,339
 143,209
 112,403
Cost of revenue:(1)       
Products6,888
 3,415
 17,155
 8,700
Maintenance and support1,739
 1,801
 5,467
 5,240
Professional services5,740
 4,822
 17,088
 14,103
Total cost of revenue14,367
 10,038
 39,710
 28,043
Operating expenses:(1)       
Research and development13,570
 11,616
 36,836
 36,890
Sales and marketing28,224
 21,284
 80,166
 65,732
General and administrative7,402
 7,605
 21,906
 20,842
Total operating expenses49,196
 40,505
 138,908
 123,464
Loss from operations(13,042) (10,204) (35,409) (39,104)
Interest income (expense), net198
 44
 585
 55
Other income (expense), net235
 36
 349
 184
Loss before income taxes(12,609) (10,124) (34,475) (38,865)
Provision for (benefit from) income taxes(2,325) 70
 (2,009) 361
Net loss$(10,284) $(10,194) $(32,466) $(39,226)
(1)Cost of revenue and operating expenses include stock-based compensation expense and depreciation and amortization expense as follows:

 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
 (in thousands)
Stock-based compensation expense:       
Cost of revenue$305
 $166
 $815
 $445
Research and development1,986
 1,600
 5,188
 4,617
Sales and marketing1,512
 1,328
 4,694
 5,453
General and administrative1,485
 1,083
 4,041
 2,822
Total stock-based compensation expense$5,288
 $4,177
 $14,738
 $13,337

 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
 (in thousands)
Depreciation and amortization expense:       
Cost of revenue1,067
 648
 2,387
 1,916
Research and development277
 262
 782
 875
Sales and marketing475
 497
 1,446
 1,450
General and administrative248
 504
 689
 1,089
Total depreciation and amortization expense$2,067
 $1,911
 $5,304
 $5,330


The following table sets forth our selected consolidated statements of operations data expressed as a percentage of revenue:
 Three Months Ended March 31,
 20222021
Consolidated Statement of Operations Data:
Revenue:
Products94.7 %93.0 %
Professional services5.3 7.0 
Total revenue100.0 100.0 
Cost of revenue:
Products27.6 25.2 
Professional services5.0 5.7 
Total cost of revenue32.6 30.9 
Operating expenses:
Research and development31.7 28.2 
Sales and marketing47.7 46.8 
General and administrative13.7 13.8 
Total operating expenses93.1 88.8 
Loss from operations(25.7)(19.7)
Interest income0.1 0.1 
Interest expense(1.7)(4.6)
Other income (expense), net(0.4)(0.9)
Loss before income taxes(27.7)(25.1)
Provision for income taxes0.9 0.3 
Net loss(28.6)%(25.4)%
 Three Months Ended September 30, Nine Months Ended September 30,
 2017 2016 2017 2016
Consolidated Statement of Operations Data:       
Revenue:       
Products58.6 % 57.3 % 57.8 % 57.6 %
Maintenance and support23.1
 24.0
 23.6
 24.0
Professional services18.3
 18.7
 18.6
 18.4
Total revenue100.0
 100.0
 100.0
 100.0
Cost of revenue:       
Products13.6
 8.5
 12.0
 7.7
Maintenance and support3.4
 4.5
 3.8
 4.7
Professional services11.4
 11.9
 11.9
 12.5
Total cost of revenue28.4
 24.9
 27.7
 24.9
Operating expenses:       
Research and development26.9
 28.8
 25.7
 32.8
Sales and marketing55.9
 52.8
 56.0
 58.5
General and administrative14.6
 18.8
 15.3
 18.5
Total operating expenses97.4
 100.4
 97.0
 109.8
Loss from operations(25.8) (25.3) (24.7) (34.7)
Interest income (expense), net0.4
 0.1
 0.4
 
Other income (expense), net0.5
 0.1
 0.2
 0.1
Loss before income taxes(24.9) (25.1) (24.1) (34.6)
Provision for (benefit from) income taxes(4.5) 0.2
 (1.4) 0.3
Net loss(20.4)% (25.3)% (22.7)% (34.9)%
Comparison of the Three Months Ended September 30, 2017March 31, 2022 and 20162021
Revenue
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Revenue:       
Products$29,626
 $23,108
 $6,518
 28.2%
Maintenance and support11,654
 9,694
 1,960
 20.2
Professional services9,241
 7,537
 1,704
 22.6
Total revenue$50,521
 $40,339
 $10,182
 25.2%
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Revenue:
Products$149,025 $109,285 $39,740 36.4 %
Professional services8,359 8,166 193 2.4 
Total revenue$157,384 $117,451 $39,933 34.0 %
Total revenue increased by $10.2$39.9 million in the three months ended September 30, 2017March 31, 2022 compared to the same period in 2016.2021 and consisted of $33.0 million of organic growth and $6.9 million related to the acquisition of IntSights in July 2021. The $33.0 million increase in revenue included a $4.2 millionrelated to organic growth was primarily due to an increase in revenue from new customers,renewals, upsells and cross-sells. The increase in new customers revenue included 862 new customers added since September 30, 2016cross-sells as a result of our growing base of existing customers. All renewals, upsells and a full fiscal quarter of revenue related to new customers added in the three months ended September 30, 2016. Revenue also increased in the three months ended September 30, 2017 compared to the same period in 2016 due to $6.0 million in additionalcross-sells are considered revenue from existing customer renewals. customers.
The increase in total revenue in the three months ended September 30, 2017March 31, 2022 compared to the same period in 20162021 was comprised of $8.4$28.5 million generated from sales in North America and $1.8$11.4 million generated from sales from the rest of the world.

31

Cost of Revenue
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Cost of revenue:       
Products$6,888
 $3,415
 $3,473
 101.7 %
Maintenance and support1,739
 1,801
 (62) (3.4)
Professional services5,740
 4,822
 918
 19.0
Total cost of revenue$14,367
 $10,038
 $4,329
 43.1 %
Gross margin %:       
Products76.8% 85.2%    
Maintenance and support85.1
 81.4
    
Professional services37.9
 36.0
    
Total gross margin %71.6% 75.1%    
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Cost of revenue:
Products$43,472 $29,650 $13,822 46.6 %
Professional services7,817 6,639 1,178 17.7 
Total cost of revenue$51,289 $36,289 $15,000 41.3 %
Gross margin %:
Products70.8 %72.9 %
Professional services6.5 18.7 
Total gross margin %67.4 %69.1 %
Total cost of revenue increased by $4.3$15.0 million in the three months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021, primarily due to a $2.0$4.9 million increase in cloud computing costs related to growing cloud-based subscription and managed services revenue and a $4.8 million increase in personnel costs, inclusive of a $0.1$0.5 million increase in stock-based compensation expense, resulting from an increase in headcount from 160 as of September 30, 2016 to 213 as of September 30, 2017, as well as the timing effect of when our headcount additions were hired in 2017 and 2016, to support our growing customer base.base as well as $0.6 million of additional costs attributable to the employees acquired in the IntSights acquisition in July 2021. Our increase in total cost of revenue also included a $1.2 million increase in cloud computing costs related to growing cloud-based subscription revenue, a $0.5$2.4 million increase in allocated overhead driven largely by an increase in IT and facilities costs, a $0.4$2.1 million increase in amortization expense for acquired intangible assets, amortization primarily due to the Komand acquisition, a $0.2$0.3 million increase in travel and entertainmentamortization expense andfor capitalized internally-developed software, a $0.2$0.5 million increase in third-party professional service consulting costs, partially offset by a decrease of $0.2 million of other expenses.
Total gross margin percentage decreased for the three months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021 primarily due to the decrease in gross margin for products, partially offset by the increase in gross margin for maintenance and support and professional services. The decrease in products gross margin for the three months ended September 30, 2017 was due to an increase in revenue from cloud-based subscriptions and managed services, which have lower gross margins than our licensed software products. Theproducts as well as an increase in maintenance and support gross marginamortization expense for the three months ended September 30, 2017 was driven by our abilitydeveloped technology acquired intangible asset related to scale as our revenue continues to grow.the acquisition of IntSights. The increasedecrease in professional services gross margin for the three months ended September 30, 2017March 31, 2022 was primarily due to increased demand for our assessment services and strategic services.an increase in personnel costs.
Operating Expenses
Research and Development Expense
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Research and development$13,570
 $11,616
 $1,954
 16.8%
% of revenue26.9% 28.8%    
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Research and development$49,812 $33,080 $16,732 50.6 %
% of revenue31.7 %28.2 %
Research and development expense increased by $2.0$16.7 million in the three months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021, primarily due to a $0.9$12.8 million increase in personnel costs, an increase of $0.7 million in allocated overhead driven largely by an increase in IT and facilities costs and an increase of $0.4 million in other expenses. The $0.9 million increase in personnel costs was primarily due to a $0.7 million increase in salaries and related costs driven by growth in headcount from 240 as of September 30, 2016 to 250 as of September 30, 2017 which included 12 employees acquired in the Komand acquisition, as well as the timing effect of when our headcount additions were hired in 2017 and 2016, a $0.4 million increase in stock-based compensation expense and the impact of proceeds from a 2016 government grant received in Northern Ireland of $0.5 million. These increases in personnel costs were partially offset by $0.3 million of acquisition-related bonus recorded in the three months ended September 30, 2016 and $0.4 million of personnel costs that were capitalized as internal-use software costs in the three months ended September 30, 2017.

Sales and Marketing Expense
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Sales and marketing$28,224
 $21,284
 $6,940
 32.6%
% of revenue55.9% 52.8%    
Sales and marketing expense increased by $6.9 million in the three months ended September 30, 2017 compared to the same period in 2016, primarily due to a $3.5 million increase in personnel costs due to an increase in headcount from 350 as of September 30, 2016 to 413 as of September 30, 2017, inclusive of a $0.2 million increase in stock-based compensation expense, as well as the timing effect of when our headcount additions were hired in 2017 and 2016 to drive additional sales of our products and services and higher commissions expense recorded as a result of increased customer orders. Our increase in sales and marketing expense also included a $1.3 million increase in marketing costs resulting from an increase in event marketing including expenses related to our user conference and general advertising costs, a $0.9$3.2 million increase in allocated overhead driven largely by an increase in IT and facilities costs, a $0.7 million increase in travel and entertainment expense and a $0.5other expenses. The $12.8 million increase in other expenses.personnel costs was primarily due to a $7.6 million increase in salaries and related costs driven by growth in headcount, inclusive of $2.7 million in additional salaries and related costs attributable to the employees acquired in the acquisition of IntSights in July 2021, and a $5.2 million increase in stock-based compensation expense, including $3.3 million of stock-based compensation expense related to the RSUs issued to retained employees and common stock issued to the IntSights founders as part of the acquisition.
GeneralSales and AdministrativeMarketing Expense
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Sales and marketing$75,146 $54,978 $20,168 36.7 %
% of revenue47.7 %46.8 %
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
General and administrative$7,402
 $7,605
 $(203) (2.7)%
% of revenue14.6% 18.8%    
GeneralSales and administrativemarketing expense decreasedincreased by $0.2$20.2 million in the three months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021, primarily due to a $0.4 million decrease in costs associated with a settlement and licensing agreement with a third party in 2016, a $0.3 million decrease in amortization and a $0.3 million decrease in other expenses. These decreases were partially offset by a $0.6$8.4 million increase in personnel costs, inclusive of a $0.4 million increase in stock-based compensation expense, as a result of an increase in headcount from 118 as of September 30, 2016 to 124 as of September 30, 2017 as well as the timing effect of when our headcount additions were hired in 2017 and 2016, in order to support our overall company growth and a $0.2 million increase in allocated overhead, driven largely by an increase in IT and facilities costs.
Interest Income (Expense), Net
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Interest income (expense), net$198
 $44
 $154
 NM
% of revenue0.4% 0.1%    
Interest income (expense), net increased by $0.2 million in the three months ended September 30, 2017 compared to the same period in 2016 primarily due to higher interest income as a result of our investments in higher-yield securities. In the three months ended September 30, 2016, net interest income was partially offset by interest expense due to non-cash interest charges related to the accretion of the liability associated with deferred acquisition payments.
Other Income (Expense), Net
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Other income (expense), net$235
 $36
 $199
 NM
% of revenue0.5% 0.1%    

Other income (expense), net increased by $0.2 million in the three months ended September 30, 2017 compared to the same period in 2016 primarily due to changes in realized and unrealized foreign currency gains and losses, specifically related to the euro and British pound sterling.
Provision for (Benefit from) Income Taxes
 Three Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Provision for (benefit from) income taxes$(2,325) $70
 $(2,395) NM
% of revenue(4.5)% 0.2%    
Provision for (benefit from) income taxes decreased by $2.4 million in the three months ended September 30, 2017 compared to the same period in 2016 primarily due to a $2.6 million deferred tax benefit resulting from a partial release of our valuation allowance to account for the creation of a deferred tax liability for the developed technology intangible asset acquired in the acquisition of Komand which is not deductible for tax purposes. This deferred tax benefit was partially offset by an increase of $0.2 million provision for income taxes due to our increased operations in foreign jurisdictions.
Comparison of the Nine Months Ended September 30, 2017 and 2016
Revenue
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Revenue:       
Products$82,736
 $64,709
 $18,027
 27.9%
Maintenance and support33,794
 27,037
 6,757
 25.0
Professional services26,679
 20,657
 6,022
 29.2
Total revenue$143,209
 $112,403
 $30,806
 27.4%
Total revenue increased by $30.8 million in the nine months ended September 30, 2017 compared to the same period in 2016. The increase in revenue included a $12.5 million increase from new customers, upsells and cross-sells. The increase in new customers revenue includes 862 new customers added since September 30, 2016 and a full nine months of revenue related to new customers added in the nine months ended September 30, 2016. Revenue also increased in the nine months ended September 30, 2017 compared to the same period in 2016 due to $18.3 million in additional revenue from existing customer renewals. The increase in total revenue in the nine months ended September 30, 2017 compared to the same period in 2016 was comprised of $24.2 million generated from sales in North America and $6.6 million generated from sales from the rest of the world.

Cost of Revenue
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Cost of revenue:       
Products$17,155
 $8,700
 $8,455
 97.2%
Maintenance and support5,467
 5,240
 227
 4.3
Professional services17,088
 14,103
 2,985
 21.2
Total cost of revenue$39,710
 $28,043
 $11,667
 41.6%
Gross margin %:       
Products79.3% 86.6%    
Maintenance and support83.8
 80.6
    
Professional services35.9
 31.7
    
Total gross margin %72.3% 75.1%    

Total cost of revenue increased by $11.7 million in the nine months ended September 30, 2017 compared to the same period in 2016, primarily due to a $6.3 million increase in personnel costs, inclusive of a $0.4 million increase in stock-based compensation expense, resulting from an increase in headcount from 160 as of September 30, 2016 to 213 as of September 30, 2017, as well as the timing effect of when our headcount additions were hired in 2017 and 2016, to support our growing customer base. Our increase in total cost of revenue also included a $3.9 million increase in cloud computing costs related to growing cloud-based subscription revenue, a $1.2$4.0 million increase in allocated overhead driven largely by an increase in IT and facilities costs, a $0.5$3.3 million increase in travel and entertainmentcommission expense, a $0.4$2.2 million increase in marketing and advertising costs, a $0.6 million increase in in amortization expense for acquired intangible assets amortization primarily due to the Komand acquisition and a $0.2 $1.7
32

million increase in other expenses, partially offsetexpenses. The $8.4 million increase in personnel costs was primarily due to a $7.4 million increase in salaries and related costs driven by growth in headcount, inclusive of $2.8 million of additional costs attributable to the employees acquired in the IntSights acquisition in July 2021, and a decrease$1.0 million increase in stock-based compensation expense, inclusive of $0.8$0.4 million in third-party professional service consulting costs.stock-based compensation expense related to RSUs issued to retained employees acquired in the acquisition of IntSights.
Total gross margin percentage decreased forGeneral and Administrative Expense
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
General and administrative$21,516 $16,220 $5,296 32.7 %
% of revenue13.7 %13.8 %
General and administrative expense increased by $5.3 million in the ninethree months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021, primarily due to the decreasea $3.3 million increase in gross margin for products, partially offset by the increases in gross margin for professional services and maintenance and support. The decrease in products gross margin for the nine months ended September 30, 2017 waspersonnel costs due to an increase in revenue from cloud-based subscriptions and managed services, which have lower gross margins than our licensed software products. Theheadcount, inclusive of a $1.3 million increase in maintenance and support gross margin for the nine months ended September 30, 2017 was driven by our ability to scale as our revenue continues to grow. Thestock-based compensation expense, a $0.9 million increase in professional services gross margin for the nine months ended September 30, 2017 was primarily due to increased demand for our assessment services and deployment and training services.
Operating Expenses
Research and Development Expense
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Research and development$36,836
 $36,890
 $(54) (0.1)%
% of revenue25.7% 32.8%    
Research and development expense decreased by $0.1 million in the nine months ended September 30, 2017 compared to the same period in 2016, primarily due to a $1.4 million decrease in personnel costs, partially offset by an increase of $1.1 million in allocated overhead driven largely by an increase in IT and facilities costs and an increase of $0.2 million in other expenses. The $1.4 million decrease in personnel costs was primarily due to a $1.3 million acquisition-related bonus recorded in the nine months ended September 30, 2016, $0.7 million of certain departmental costs in the nine months ended September 30, 2016 that have been eliminated in 2017 and $0.8 million of personnel costs that were capitalized as internal-use software costs in the nine months ended September 30, 2017, partially offset by a $0.9 million increase in personnel costs, inclusive of a $0.6 million increase in stock-based compensation expense, resulting from an increase in headcount from 240 as of September 30, 2016 to 250 as of September 30, 2017 which included 12 employees acquired in the Komand acquisition, as well as the timing effect of when our headcount additions were hired in 2017 and 2016, to support our product innovation and the impact of proceeds from a 2016 government grant received in Northern Ireland of $0.5 million.

Sales and Marketing Expense
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Sales and marketing$80,166
 $65,732
 $14,434
 22.0%
% of revenue56.0% 58.5%    
Sales and marketing expense increased by $14.4 million in the nine months ended September 30, 2017 compared to the same period in 2016, primarily due to a $7.2 million increase in personnel costs due to an increase in headcount from 350 as of September 30, 2016 to 413 as of September 30, 2017 as well as the timing effect of when our headcount additions were hired in 2017 and 2016 to drive additional sales of our products and services and higher commissions expense recorded as a result of increased customer orders. The $7.2 million increase in personnel costs was inclusive of a $0.7 decrease in million in stock-based compensation expense attributable to the Logentries acquisition in the prior period. Our increase in sales and marketing expense also included a $2.6 million increase in marketing costs resulting from an increase in event marketing including expenses related to our user conference and general advertising costs, a $2.3 million increase in allocated overhead driven largely by an increase

in IT and facilities costs, a $1.0 million increase in travel and entertainment expense, a $0.5 million increase in partner referral fees and a $0.8$1.7 million increase in other expenses.
General and Administrative Expense
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
General and administrative$21,906
 $20,842
 $1,064
 5.1%
% of revenue15.3% 18.5%    
General and administrative expense increased by $1.1 million in the nine months ended September 30, 2017 compared to the same period in 2016, primarily due to a $1.9 million increase in personnel costs, inclusive of a $1.2 million increase in stock-based compensation expense, as a result of an increase in headcount from 118 as of September 30, 2016 to 124 as of September 30, 2017 as well as the timing effect of when our headcount additions were hired in 2017 and 2016, in order to support our overall company growth. Our increase in general and administrative expense also included a $0.3 million increase in allocated overhead driven largely by an increase in IT and facilities costs. These increases were partially offset by a $0.6 million decrease of $0.5 million of amortization expense, $0.4 million of costs associated with a settlementin professional fees primarily due to acquisition-related expenses and licensing agreement with a third party in 2016 and $0.3 million of other expenses.professional consulting fees.
Interest Income (Expense), Net
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Interest income (expense), net$585
 $55
 $530
 NM
% of revenue0.4% %    
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Interest income$112 $96 $16 16.7 %
% of revenue0.1 %0.1 %
Interest income (expense), net increasedin the three months ended March 31, 2022 remained consistent with the same period in 2021.
Interest Expense
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Interest expense$(2,693)$(5,394)$2,701 (50.1)%
% of revenue(1.7)%(4.6)%
Interest expense decreased by $0.5$2.7 million in the ninethree months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021 primarily due to higher interest income as a result$2.7 million decrease of our investmentsinduced conversion expense incurred in higher-yield securities. Inconjunction with the nine months ended September 30, 2016, net interest income was partially offset by interest expense due to non-cash interest charges related to the accretionpartial repurchase of the liability associated with deferred acquisition payments.2023 Notes in March 2021.
Other Income (Expense), Net
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Other income (expense), net$349
 $184
 $165
 89.7%
% of revenue0.2% 0.1%    
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Other income (expense), net$(603)$(1,068)$465 (43.5)%
% of revenue(0.4)%(0.9)%
Other income (expense), net increaseddecreased by $0.2$0.5 million in the ninethree months ended September 30, 2017March 31, 2022 compared to the same period in 2016 primarily2021 due to changes in realized and unrealized foreign currency gains and losses, specificallyprimarily related to the euro and British pound sterling.
33

Provision for (Benefit from) Income Taxes
 Nine Months Ended September 30, Change
 2017 2016 $ %
 (dollars in thousands)
Provision for (benefit from) income taxes$(2,009) $361
 $(2,370) NM
% of revenue(1.4)% 0.3%    
 Three Months Ended March 31,Change
 20222021$%
 (dollars in thousands)
Provision for income taxes$1,436 $363 $1,073 295.6 %
% of revenue0.9 %0.3 %
Provision for (benefit from) income taxes decreasedincreased by $2.4$1.1 million in the ninethree months ended September 30, 2017March 31, 2022 compared to the same period in 2016,2021 primarily due to a $2.6 million deferred tax benefit resulting from a partial release of our valuation allowance to account for the creation of a deferred tax liability for the developed technology intangible asset acquired in the

acquisition of Komand which is not deductible for tax purposes. This deferred tax benefit was partially offset by an increase of $0.2 million provision for income taxes due to our increased operations in foreign jurisdictions.

34

Liquidity and Capital Resources
Our principal sources of liquidity are cash and cash equivalents, investments and collections from our accounts receivable. In connection with our initial public offering, or IPO, and concurrent private placement in July 2015, we received aggregate net proceeds to us of $112.3 million, after deducting underwriting discounts and commissions of $8.3 million and offering expenses of $3.1 million. Prior to our IPO, we funded our operations primarily through issuances of common and redeemable convertible preferred stock and debt, including net proceeds of $93.4 million from the sale of shares of common and preferred stock. As of September 30, 2017,March 31, 2022, we had $49.1$141.4 million in cash and cash equivalents, $35.9$121.5 million in short- and long-term investments that have maturities ranging from 3one to twenty months to 2 years and an accumulated deficit of $421.9$781.0 million. Since our inception, we have generated significant losses and expect to continue to generate losses for the foreseeable future. Our principal sources of liquidity are cash and cash equivalents, short and long-term investments and our Credit and Security Agreement (the “Credit Agreement”). To date, we have financed our operations primarily through private and public equity financings, issuance of convertible senior notes and through cash generated by operating activities.
We believe that our existing cash and cash equivalents, and our short and long-term investments, together withour available borrowings under our Credit Agreement and cash generated from our operationsby operating activities will be sufficient to meet our workingoperating and capital expenditure requirements for at least the next 12 months. months as well as our longer-term expected future cash requirements and obligations. Our foreseeable cash needs, in addition to our recurring operating expenses, include our expected capital expenditures to support expansion of our infrastructure and workforce, office facilities lease obligations, purchase commitments, including our cloud infrastructure services (including with Amazon Web Services (“AWS”)), potential future acquisitions of technology businesses and any election we make to redeem our convertible senior notes.
Our future capital requirements will depend on many factors, including our growth rate, the timing and extent of spending to support research and development efforts, the expansion of sales and marketing activities, particularly internationally, the introduction of new and enhanced products and professional service offerings, and the cost of any future acquisitions of technology or businesses.businesses and any election we make to redeem our convertible senior notes. In the event that additional financing is required from outside sources, we may be unable to raise the funds on acceptable terms, if at all. If we are unable to raise additional capital on terms satisfactory to us when we require it, our business, operating results and financial condition could be adversely affected.
The following table shows a summary of our cash flows for the ninethree months ended September 30, 2017March 31, 2022 and 2016:2021:
Three Months Ended March 31,
 Nine Months Ended September 30, 20222021
 2017 2016 (in thousands)
 (in thousands)
Cash and cash equivalents at beginning of period $53,148
 $86,553
Cash, cash equivalents and restricted cash at beginning of periodCash, cash equivalents and restricted cash at beginning of period$165,017 $173,617 
Net cash provided by operating activities 5,084
 2,061
Net cash provided by operating activities10,403 20,595 
Net cash used in investing activities (16,141) (3,307)Net cash used in investing activities(35,911)(18,444)
Net cash provided by financing activities 6,645
 2,348
Net cash provided by financing activities3,208 328,572 
Effects of exchange rates on cash and cash equivalents 319
 60
Cash and cash equivalents at end of period $49,055
 $87,715
Effect of exchange rate changes on cash, cash equivalents and restricted cashEffect of exchange rate changes on cash, cash equivalents and restricted cash(800)(500)
Cash, cash equivalents and restricted cash at end of periodCash, cash equivalents and restricted cash at end of period$141,917 $503,840 
Uses of Funds
Our historical uses of cash have primarily consisted of cash used for operating activities such as expansion of our sales and marketing operations, research and development activities and other working capital needs, as well as cash used for business acquisitions and purchases of property and equipment.equipment, including leasehold improvements for our facilities.
Operating Activities
Operating activities provided $5.1$10.4 million of cash and cash equivalents in the ninethree months ended September 30, 2017,March 31, 2022, which reflects the timing of working capital adjustments and our continued growth in revenue partially offset by our continued investments in our operations and timing of working capital items.operations. Cash provided by operating activities reflected our net loss of $32.5$45.0 million, offset by a decrease in our net operating assets and liabilities of $19.8$14.8 million and non-cash charges of $17.7$40.6 million related primarily to depreciation and amortization, stock-based compensation expense, provision for doubtful accounts, deferred income taxes, induced conversion expense, amortization of debt issuance costs and other non-cash charges. The decrease in our net operating assets and liabilities was primarily due to a $19.6$36.3 million decrease in accounts receivable due to an increase in collections, a $3.8 million increase in deferred revenue from sales of our products and services, a $0.8$8.7 million increase in accrued expenses, a $0.6 million decrease in prepaid and other current assets and a $0.1 million decrease in accounts receivable,payable, which each had a positive impact on operating cash flow. These factors were partially offset by a $1.0$24.0 million decrease in accrued expenses, primarily as a result of the payout of annual bonuses and year-end commissions, a
35

Table of Contents
$6.6 million increase in prepaid expenses, a $2.9 million increase in deferred contract acquisition and fulfillment costs and a $0.5 million decrease in other liabilities, and a $0.3 million decrease in accounts payable, which each had a negative impact on operating cash flow.

Operating activities provided $2.1$20.6 million of cash and cash equivalents in the ninethree months ended September 30, 2016.March 31, 2021, which reflects the timing of working capital adjustments and our continued growth in revenue partially offset by our continued investments in our operations. Cash provided by operating activities reflected our net loss of $39.2$29.8 million, offset by a decrease in our net operating assets and liabilities of $22.1$18.0 million and non-cash charges of $19.2$32.4 million related primarily to depreciation and amortization, stock-based compensation expense, provision for doubtful accountsinduced conversion expense, amortization of debt issuance costs and other non-cash interest charges. The decrease in our net operating assets and liabilities was primarily due to

a $19.0$34.4 million decrease in accounts receivable due to the timing of collections, a $1.0 million increase in deferred revenue and a $5.1 million decrease in accounts receivable, a $0.5$0.6 million increase in accounts payable, and a $0.2 million increase in other liabilities, which each had a positive impact on operating cash flow. These factors were partially offset by a $1.6$15.4 million decrease in accrued expenses, which was largely theprimarily as a result of the payout of annual bonusbonuses and increased commission paymentsyear-end commissions, a $2.0 million increase in deferred contract acquisition and fulfillment costs, a $1.1$0.1 million increase in prepaid expenses and other assets and a $0.4 million decrease in other liabilities, which each had a negative impact on operating cash flow.

Investing Activities
Investing activities used $16.1$35.9 million of cash in the ninethree months ended September 30, 2017,March 31, 2022, consisting of $14.7$29.3 million cash paidof investment purchases, net of sales and maturities, $3.5 million for the acquisitioncapitalization of Komand, $3.5internal-use software costs and $3.1 million in capital expenditures to purchase computer equipment, furniture and fixtures and leasehold improvements and $0.8improvements.
Investing activities used $18.4 million of cash in the three months ended March 31, 2021, consisting of $49.7 million of cash paid for the acquisition of Alcide.IO Ltd. (“Alcide”), net of cash acquired, $1.8 million for capitalization of internal-use software costs, $1.5 million for other investing activities, $1.0 million in capital expenditures to purchase leasehold improvements and computer equipment, partially offset by $24.5$35.6 million of investment sales and maturities, less $21.7 million used for purchasesnet of investments.

Investing activities used $3.3 million of cash in the nine months ended September 30, 2016, as a result of capital expenditures to purchase equipment and leasehold improvements.

purchases.
Financing Activities
Financing activities provided $6.6$3.2 million of cash in the ninethree months ended September 30, 2017,March 31, 2022, which consisted primarily of $5.0$5.7 million in proceeds from the issuance of common stock purchased by employees under the Rapid7, Inc. 2015 Employee Stock Purchase Plan (“ESPP”) and $1.0 million in proceeds from the exercise of stock options, and $2.9 million in proceeds from the issuance of common shares purchased by employees under the ESPP, partially offset by a $0.8 million deferred acquisition payment and $0.5$3.5 million in withholding taxes paid for the net share settlement of equity awards.

Financing activities provided $2.3$328.6 million of cash in the ninethree months ended September 30, 2016,March 31, 2021, which consisted primarily of $3.7$587.1 million in proceeds from the issuance of the 0.25% convertible senior notes due 2027 (the “2027 Notes”), net of issuance costs paid of $12.9 million, $4.5 million in proceeds from the issuance of common sharesstock purchased by employees under the ESPP and $2.5$1.4 million in proceeds from the exercise of stock options, partially offset by $3.8$182.6 million for the repurchase and conversion of the 2023 Notes, $76.0 million for the purchase of 2027 Capped Calls, $3.3 million in withholding taxes paid for the net share settlement of equity awards and $0.1$2.5 million for payments related to the acquisition of payments on capital lease obligations.Alcide.
Contractual Obligations and Commitments
In March 2022, we entered into a new agreement with AWS for cloud infrastructure services. The agreement is for a 36-month period beginning on April 1, 2022 for a total commitment of $300.0 million.
As of September 30, 2017,March 31, 2022, there were no additional material changes other than that noted above in our contractual obligations and commitments from those disclosed in our Annual Report on Form 10-K for the year ended December 31, 20162021 filed with the SEC on March 9, 2017.February 24, 2022.

In October 2017, we entered into a lease agreement for a new facility in Austin, Texas pursuant to which we have leased approximately 26,000 square feet. The lease term is 86 months and our total obligation for the rent is approximately $7.6 million over the term of the lease.  
Off-Balance Sheet Arrangements
We do not have any relationships with unconsolidated entities or financial partnerships, including entities sometimes referred to as structured finance or special purpose entities that were established for the purpose of facilitating off-balance sheet arrangements or other contractually narrow or limited purposes. We do not engage in off-balance sheet financing arrangements.
Recent Accounting Pronouncements
See Note 1 in the notes to the unaudited consolidated financial statements in Part I, Item 1 of this Quarterly Report on Form 10-Q for a discussion of recent accounting pronouncements.
36

Table of Contents
Critical Accounting Policies and Estimates
Our consolidated financial statements are prepared in accordance with generally accepted accounting principles in the United States or GAAP.of America (“GAAP”). The preparation of our consolidated financial statements requires us to make estimates, assumptions and judgments that affect the reported amounts of assets, liabilities, revenue, costs and expenses. We base our estimates and assumptions on historical experience and other factors that we believe to be reasonable under the circumstances. We evaluate our estimates and assumptions on an ongoing basis. Our actual results may differ from these estimates. There have been no material changes in our critical accounting policies from those disclosed in our Annual Report on Form 10-K for the year ended December 31, 20162021 filed with the SEC on March 9, 2017.February 24, 2022.

37

Table of Contents
Item 3.    Quantitative and Qualitative Disclosures About Market Risk.
Market risk represents the risk of loss that may impact our financial position due to adverse changes in financial market prices and rates. Our market risk exposure is primarily the result of fluctuations in interest rates and foreign exchange rates as well as to a lesser extent, inflation. In addition, we do not engage in trading activities involving non-exchange traded contracts. Therefore, we believe that we are not materially exposed to any financing, liquidity, market or credit risk that could arise if we had engaged in these relationships.
Foreign Currency Exchange Risk
Our results of operations and cash flows are subject to fluctuations due to changes in foreign currency exchange rates. Substantially allA majority of our customers enter into contracts that are denominated in U.S. dollars. Our expenses are generally denominated in the currencies of the countries where our operations are located, which is primarily in the United States and to a lesser extent in the United Kingdom, other Euro-zone countries within mainland Europe, Canada, Hong Kong,Australia, Israel, Singapore and Australia.Japan. Our results of operations and cash flows are, therefore, subject to fluctuations due to changes in foreign currency exchange rates and may be adversely affected in the future due to changes in foreign currency exchange rates. The effect of a hypothetical 10% adverse change in foreign currency exchange rates on monetary assets and liabilities at September 30, 2017March 31, 2022 would not behave been material to our financial condition or results of operations. To date, we have not engaged inWe enter into forward contracts designated as cash flow hedges to manage the foreign currency exchange rate risk associated with certain of our foreign currency denominated expenditures. The effectiveness of our existing hedging transactions and the availability and effectiveness of any hedging strategies.transactions we may decide to enter into in the future may be limited, and we may not be able to successfully hedge our exposure, which could adversely affect our financial condition and operating results. For further information, see Note 9, Derivatives and Hedging Activities, in the Notes to our Consolidated Financial Statements included in this Quarterly Report on Form 10-Q. As our international operations grow, we will continue to reassess our approach to manage our risk relating to fluctuations in foreign currency rates.
Interest Rate Risk
Our portfolio of cash and cash equivalents and short- and long-term investments is maintained in a variety of securities, including money market funds, commercial paper, corporate bonds, U.S. government agencies and asset-backed securities. Investments are classified as available-for-sale securities and carried at their fair market value with cumulative unrealized gains or losses recorded as a component of accumulated other comprehensive loss within stockholders' equity. A sharp rise in interest rates could have an adverse impact on the fair market value of certain securities in our portfolio. We do not currently hedge our interest rate exposure and do not enter into financial instruments for trading or speculative purposes.
As of September 30, 2017,March 31, 2022, we had cash and cash equivalents of $49.1$141.4 million consisting of bank deposits and money market funds. We also hadfunds and short- and long-term investments of $35.9$121.5 million consisting of U.S. government agencies, commercial paper, corporate bonds and asset-backed securities. Such interest-earning instruments carry a degree of interest rate risk. To date, fluctuations in interest income haveagency bonds. Our investments are made for capital preservation purposes. We do not been significant. A hypothetical 10% changeenter into investments for trading or speculative purposes.
Our cash and cash equivalents and short- and long-term investments are subject to market risk due to changes in interest rates, during anywhich may affect our interest income and the fair value of our investments. Due in part to these factors, our future investment income may fluctuate due to changes in interest rates or we may suffer losses in principal if we are forced to sell securities that decline in market value due to changes in interest rates. However, because we classify our investments as available-for-sale securities, no gains or losses are recognized due to the changes in interest rates unless securities are sold prior to maturity or declines in fair value are determined to be other-than-temporary.
The fair values of our convertible senior notes are subject to interest rate risk, market risk and other factors due to the conversion features of the periods presentednotes. The fair values of the convertible senior notes may increase or decrease for various reasons, including fluctuations in the market price of our common stock, fluctuations in market interest rates and fluctuations in general economic conditions. The interest and market value changes affect the fair values of the convertible senior notes but does not impact our financial position, cash flows or results of operations due to the fixed nature of the debt obligation. Based upon the quoted market price as of March 31, 2022, the fair values of our 2025 Notes and 2027 Notes were $435.1 million and $669.7 million, respectively.
As of March 31, 2022, the effect of a hypothetical 10% increase or decrease in interest rates would not have had a material impact on our financial statements.
Inflation Risk
We do not believe that inflation had a material effect on our business, financial condition or results of operations in the last three years.operations. If our costs were to become subject to significant inflationary pressures, we may not be able to fully offset such higher costs through price increases. Our inability or failure to do so could harm our business, financial condition and results of operations.
Item 4.    Controls and Procedures.
Evaluation of Disclosure Controls and Procedures
We maintain "disclosure controls and procedures," as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act of 1934, as amended, means controls and other procedures of a company that are designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the SEC’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is
38

Table of Contents
accumulated and communicated to the company's management, including its principal executive and principal financial officers, as appropriate to allow timely decisions regarding required disclosure.
Our management, with the participation of our Chief Executive Officer and our Chief Financial Officer, evaluated the effectiveness of the design and operations of our disclosure controls and procedures as of September 30, 2017.March 31, 2022. Based on the evaluation of our disclosure controls and procedures as of September 30, 2017,March 31, 2022, our chief executive officerChief Executive Officer and chief financial officerChief Financial Officer concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.
Inherent Limitations of Internal Controls
Our management, including our Chief Executive Officer and Chief Financial Officer, does not expect that our disclosure controls and procedures or our internal controls will prevent all errors and all fraud. A control system, no matter how well conceived and

operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, within the Company have been detected. These inherent limitations include the realities that judgments in decision making can be faulty, and that breakdowns can occur because of a simple error or mistake. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people or by management override of the control. The design of any system of controls also is based in part upon certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions. Over time, controls may become inadequate because of changes in conditions, or the degree of compliance with the policies or procedures may deteriorate. Because of the inherent limitations in a cost-effective control system, misstatements due to error or fraud may occur and not be detected.
Changes in Internal Control over Financial Reporting
There was no change in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and 15d-15(d) of the Exchange Act that occurred during the period covered by this Quarterly Report on Form 10-Q that has materially affected, or is reasonably likely to materially affect, our internal control over financial reporting.



39

Table of Contents
PART II—OTHER INFORMATION
Item 1.    Legal Proceedings.
FromIn October 2018, Finjan, Inc. (“Finjan”) filed a complaint against us and our wholly-owned subsidiary, Rapid7 LLC, in the United States District Court, District of Delaware, alleging patent infringement of seven patents held by them. In the complaint, Finjan sought unspecified damages, attorneys' fees and injunctive relief. We intend to vigorously contest Finjan's claims. The final outcome, including our liability, if any, with respect to Finjan's claims, is uncertain. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
In addition, from time to time, we may beare a party to litigation or subject to claims incident to the ordinary course of business. Although the results of litigation and claims cannot be predicted with certainty, we currently believe that the final outcome of these ordinary course matters will not have a material adverse effect on our business.business, financial condition or results of operations. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
Item 1A. Risk Factors.
Our operations and financial results are subject to various risks and uncertainties including those described below. You should consider carefully the risks and uncertainties described below, in addition to other information contained in this Quarterly Report on Form 10-Q as well as our other public filings with the Securities and Exchange Commission, or the SEC, including our Annual Report on Form 10-K for the year ended December 31, 2016,2021, filed with the SEC on March 9, 2017.February 24, 2022. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business. Furthermore, the COVID-19 pandemic (including governmental responses, broad economic impacts and market disruptions) has heightened risks discussed in the risk factors described below. If any of the following risks or others not specified below materialize, our business, financial condition and results of operations could be materially adversely affected. In that event, the trading price of our common stock could decline.
Summary of Risk Factors
Our business is subject to numerous risks and uncertainties which include, but are not limited to, the following:
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
We are a rapidly growing company, which makes it difficult to evaluate our future operating and financial results and may increase the risk that we will not be successful.
If we are do not effectively manage our future growth rate, our business and results of operations may be adversely affected.
The ongoing COVID-19 pandemic could materially and adversely affect our business, results of operations and financial condition, and we could be subject to risks from further health pandemics or epidemics, as well as uncertainty regarding returning to work and re-openings.
Real or perceived failures, errors or defect in our solutions could adversely affect our brand and reputation, which could have an adverse effect on our business and results of operations.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.
Our business and growth depend substantially on customers renewing their subscriptions with us. Any decline in our customer renewals or failure to convince customers to expand their use of our subscription offerings could adversely affect our future operating results.
If we or our third party service providers experience a security breach or unauthorized parties otherwise obtain access to our customers’ data, our reputation may be harmed, demand for our solutions may be reduced and we may incur significant liabilities.
We face intense competition in our market.
If we are unable to successfully hire, train, and retain qualified personnel our business may suffer.
40

Table of Contents
If we fail to continue to effectively scale and manage our operations infrastructure, our customers may experience service outages and/or delays.
A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.
Because our products collect and store user and related information, domestic and international privacy and cybersecurity concerns, and other laws and regulations, could have a material adverse effect on our business.
If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.
If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.
Failure to maintain high-quality customer support could have a material adverse effect on our business.
We rely on third-party software to operate certain functions of our business.
We use third-party software and data that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.
Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.
Organizations may be reluctant to purchase our cloud-based offerings due to the actual or perceived vulnerability of cloud solutions.
We have a significant amount of debt that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur additional debt in the future, which may adversely affect our operations and financial results. We may not have sufficient cash flow from our business to pay our substantial debt when due.
We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.
The summary risk factors described above should be read together with the text of the full risk factors below and our unaudited consolidated financial statements and the related notes, as well as in other documents that we file with the U.S. Securities and Exchange Commission (“SEC”). The risks summarized above or described in full below are not the only risks that we face. Additional risks and uncertainties not precisely known to us or that we currently deem to be immaterial may also materially adversely affect our business, financial condition, results of operations, and future growth prospects.
Risks Related to Our Business and Industry
Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our operating results, including the levels of our revenue, ARR, cash flow, deferred revenue and gross margins, have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
the level of demand for our products and professional services;
customer renewal rates and ability to attract new customers;
the extent to which customers purchase additional products or professional services;
the mix of our products, as well as professional services, sold during a period;
the ability to successfully grow our sales of our cloud-based solutions;
the level of perceived threats to organizations’ cybersecurity;
network outages, security breaches, technical difficulties or interruptions with our products;
changes in the growth rate of the markets in which we compete;
sales of our products and professional services due to seasonality and customer demand;
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;
41

Table of Contents
the introduction or adoption of new technologies that compete with our offerings;
decisions by potential customers to purchase cybersecurity products or professional services from other vendors;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
price competition;
our ability to successfully manage and integrate any acquired businesses, including, IntSights Cyber Intelligence Ltd. (“IntSights”), and including without limitation the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies;
business disruptions in regions affecting our operations, stemming from actual, imminent or perceived outbreak or reemergence of contagious disease, including the COVID-19 pandemic;
our ability to increase, retain and incentivize the channel partners that market and sell our products and professional services;
our continued international expansion and associated exposure to changes in foreign currency exchange rates;
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates that impact our business;
the cost or results of existing or unforeseen litigation and intellectual property infringement;
the strength of regional, national and global economies;
the impact of climate change, natural disasters or manmade problems, including terrorism or war (such as the armed conflict between Russia and Ukraine); and
future accounting pronouncements or changes in our accounting policies or practices.
Each factor above or discussed elsewhere herein or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.
We are a rapidly growing company, which makes it difficult to evaluate our future prospectsoperating and financial results and may increase the risk that we will not be successful.
We are a rapidly growing company. Our ability to forecast our future operating and financial results is subject to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly evolving industries. If our assumptions regarding these uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations, our business could suffer and the trading price of our common stock may decline.
If we are unable to sustaindo not effectively manage our revenuefuture growth, rate, we may not achieve or maintain profitability in the future.our business and results of operations will be adverselyaffected.
From the year ended December 31, 20122017 to the year ended December 31, 2016,2021, our revenue grew from $46.0$200.9 million to $157.4$535.4 million which represents a compounded annual growth rate of approximately 36%.and our headcount grew from 1,079 to 2,353 employees. Although we have experienced rapid growth historically, and currently have high renewal rates, we may not sustain our current growth rates and our investments to support our growth may not be successful. The growth and expansion of our business will require us to invest significant financial and operational resources and will continue to grow as rapidly in theplace significant demands on our management team. Our future and our renewal rates may decline. Any success that we may experience in the future will depend in large part on our ability to manage our growth effectively, which will require us to, among other things:
maintain and expand our customer base;
increase revenues from existing customers through increased or broader use of our products and professional services within their organizations;
improve the performance and capabilities of our products through research and development;
continue to develop our cloud-based solutions;
42

Table of Contents
maintain the rate at which customers purchase and renew subscriptions to our cloud-based solutions, content subscriptions, and maintenance and support;support and managed services;
continue to successfully expand our business domestically and internationally;
continue to improve our key business applications, processes and IT infrastructure to support our business needs and appropriately documenting such systems and processes;
continue to effectively attract, integrate and retain a large number of new employees, particularly membersof our salesand marketing and research and development teams;
enhance our information and communication systems to ensure that our employees and offices around the world are well coordinated and can effectively communicate with each other and our growing base of customers and partners;
improve our financial, management, and compliance systems and controls; and
successfully compete with other companies.
If we arefail to achieve these objectives effectively, our ability to manage our expected growth may be impaired and we may be unable to maintain the quality of our offerings, consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods performance as any indication of our future revenue or revenue growth.
We have not been profitable historically and may not achieve or maintain profitability in the future.
We have posted a net loss in each year since inception, including net losses of $49.0$146.3 million, $49.9 million, $32.6 million, $32.5$98.8 million and $39.2$53.8 million in the years ended December 31, 2016, 20152021, 2020 and 2014 and the nine months ended September 30, 2017 and 2016,2019, respectively. As of September 30, 2017,March 31, 2022, we had an accumulated deficit of $421.9$781.0 million. While we have experienced significant revenue growth in recent periods, we aremay not certain whether or when we will obtain a high enough volume of sales of

our products and professional services to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we expect to continue to expend financial and other resources on:
research and development related to our offerings, including investments in our research and development team;
sales and marketing, including a significantcontinued expansion of our sales organization, both domestically and internationally;
continued international expansion of our business;
strategic acquisitions and expansion of our professional services organization;partner ecosystem; and
general and administrative expenses as we continue to implement and enhance our administrative, financial and operational systems, procedures and controls.
These investments may not result in increased revenue or growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.
IfThe ongoing COVID-19 pandemic could materially and adversely affect our products or professional services fail to detect vulnerabilities or incorrectly detect vulnerabilities, or if our products contain undetected errors or defects, our brandbusiness, results of operations and reputationfinancial condition, and we could be harmed,subject to risks from further health pandemics or epidemics, as well as uncertainty regarding returning to work and re-openings.
Our business could be adversely affected by the effects of health pandemics or epidemics, including the ongoing COVID-19 pandemic, which continues to have a negative impact on the local, regional, national and global scale. We are unable to accurately predict the full impact that the COVID-19 pandemic will have on our results from operations, financial condition, liquidity and cash flows due to numerous uncertainties, including the duration and severity of the pandemic, the emergence of any new variants, the results of vaccination efforts, vaccine mandate requirements, and containment measures. The implementation of measures to help contain the virus has impacted our day-to-day operations and could have an adverse effect ondisrupt our business and operations, as well as that of our customers, partners, suppliers and others with whom we work, for an indefinite period of time. To support the health and well-being of our employees, customers, partners and communities, a vast majority of our employees began working remotely as of late March 2020, but as of March 31, 2022, we reopened our offices in a phased approach and continue to hold in-person or hybrid meetings, on a voluntary basis, taking into consideration government restrictions and employee safety. In addition, many of our customers and prospective customers are working remotely. The disruptions to our operations caused by the COVID-19 pandemic may negatively impact employee retention and result in
43

Table of Contents
inefficiencies, delays and additional costs in our sales and marketing, professional service and research and development efforts, which cannot be predicted or quantified at this time. To the extent that disruptions occur, we may not be able to fully mitigate any such inefficiencies, delays and additional costs through remote or other alternative work arrangements. In addition, given the economic uncertainty created by COVID-19, we have and may continue to see delays in our sales cycle, failures of customers to renew at all or to renew the anticipated scope their subscriptions with us, requests from customers for payment term deferrals as well as pricing or bundling concessions, which, if significant, could materially and adversely affect our business, results of operations.operations and financial condition.
If our products or professional services fail to detect vulnerabilities in our customers’ cyber security infrastructure, or if our products or professional services fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or professional services will detect all vulnerabilities, especially in light of the rapidly changing security landscape to which we must respond. Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. If the information from these third parties is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typicalNegative conditions in the industry, may impairgeneral economy both in the perceived reliabilityUnited States and abroad resulting from health pandemics or epidemics, such as the COVID-19 pandemic, could cause a decrease in consumer discretionary spending and business investment and diminish growth expectations in the U.S. economy and abroad. More generally, the COVID-19 pandemic continues to present the possibility of our offeringsan extended global economic downturn and may thereforehas caused volatility in financial markets, which could materially and adversely impact market acceptance ofaffect demand for our products and professional services and could resultmaterially and adversely impact our results and financial condition even after the pandemic is contained. For example, we may be unable to collect receivables from those customers significantly impacted by COVID-19, which may be more pronounced in negative publicity, lossindustry verticals more directly impacted by the COVID-19 pandemic. Also, a decrease in subscriptions and/or renewals in a given period could negatively affect our ARR as well as our revenues in future periods, particularly if experienced on a sustained basis, because a substantial proportion of our software subscriptions yield revenue recognized over time. The pandemic may also have the effect of heightening many of the other risks described in this “Risk Factors” section, including risks associated with our guidance, our customers, our potential customers, our market opportunity, renewals and sales cycle, among others. We will continue to evaluate the nature and increased costs to remedy any problem.extent of the impact of the COVID-19 pandemic on our business.
Our products may also contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new products and product upgrades andAlthough we expect that these errors or defectscurrent cash and cash equivalent balances, including the proceeds of our convertible senior notes offering in March 2021, together with cash flows that are generated from operations and availability under our revolving credit facility, will be found from timesufficient to timemeet our domestic and international working capital needs and other capital and liquidity requirements for at least the next 12 months, if our access to capital is restricted or our borrowing costs increase, our operations and financial condition could be adversely impacted.
The full extent of the COVID-19 pandemic’s impact on our operations and financial performance depends on future developments that are uncertain and unpredictable, including the ultimate duration, spread and reemergence of the pandemic, including any new variants, its impact on capital and financial markets, the timing of economic recovery and any new information that may emerge concerning the severity of the virus, its spread to or reemergence in other geographic regions as well as the actions taken to contain it, including the distribution and acceptance of vaccines, among others. Any of these impacts could have a material adverse impact on our business, results of operations and financial condition and ability to execute and capitalize on our strategies.Due to the current uncertainty regarding the severity and duration of the COVID-19 pandemic, we cannot predict whether our response to date or the actions we may take in the future will be effective in new or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ business and could hurt our reputation. If our products or professional services fail to detect vulnerabilities for any reason, we may incur significant costs,mitigating the attentioneffects of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harmCOVID-19 pandemic on our business, and operating results.
An actualresults of operations or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or professional services, could adversely affect the market’s perception of our offerings and subject us to legal claims.
The market for cyber security data and analytics is new and unproven and may not grow.
We believe our future success will depend in large part on the growth, if any, in the market for cyber security data and analytics. This market is nascent, and as such, it is difficult to predict important market trends, including the potential growth, if any. To date, the majority of enterprise spend on cyber security has been on threat protection products, such as network, endpoint and web security that are designed to stop threats from penetrating corporate networks. Organizations that use these security products may believe that their existing security solutions sufficiently protect access to their sensitive business data. Therefore, they may continue allocating their cyber security budgets to these products and may not adopt our products and professional services in addition to, or in lieu of, such traditional products. Further, sophisticated cyber attackers are skilled at adapting to new technologies and

developing new methods of gaining access to organizations’ sensitive business data, and changes in the nature of advanced cyber threats could result in a shift in IT budgets away from products and professional services such as ours. In addition, while recent high visibility attacks on prominent enterprises and governments have increased market awareness of the problem of cyber attacks, if cyber attacks were to decline, or enterprises or governments perceived that the general level of cyber attacks have declined, our ability to attract new customers and expand our sale to existing customers could be materially and adversely affected. If products and professional services such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our offerings as a critical layer of an effective cyber security strategy, our revenue may not grow as quickly as expected, or may decline, and the trading price of our stock could suffer. It is therefore difficult to predict how large the market will be for our solutions.
In addition, it is difficult to predict customer adoption and renewal rates, customer demand for our products and professional services, the size and growth rate of the market for cyber security data analytics, the entry of competitive products or the success of existing competitive products. Any expansion in our market depends on a number of factors, including the cost, performance and perceived value associated with our offerings and those of our competitors. If these offerings do not achieve widespread adoption or there is a reduction in demand for solutions in our market caused by a lack of customer acceptance, technological challenges, competing technologies and products, decreases in corporate spending, weakening economic conditions, or otherwise, it could result in reduced customer orders, early terminations, reduced renewal rates or decreased revenue, any of which would adversely affect our business operations and financial results. You should consider our business and prospects in light of the risks and difficulties we face in this new and unproven market.

Ifcondition. Accordingly, we are unable at this time to successfully hire, train, manage and retain qualified personnel, especially those in sales and marketing and research and development, our business may suffer.
We continue to be substantially dependentpredict the impact of the COVID-19 pandemic on our sales force to obtain new customersoperations, liquidity, and increase sales with existing customers. Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivatefinancial results, and, retain our personnel, especially those in sales, marketing and research and development. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain sufficient qualified employees in the future. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or professional services or market our existing products or professional services at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.
Our sales cycle may be unpredictable.
The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the sizemagnitude and duration of the organization and nature of the product or professional service under consideration. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.
OrganizationsCOVID-19 pandemic, such impact may be reluctant to purchase cyber security data analytics offerings that are cloud-based due to the actual or perceived vulnerability of cloud solutions.
Some organizations have been reluctant to use cloud solutions for cyber security, such as our InsightIDR, InsightVM, AppSpider, InsightAppSec, InsightOps and Logentries products, because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions may be negatively impacted, which could harm our business.

Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.
Our operating results, including the levels of our revenue, billings, cash flow and deferred revenue, have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
the level of demand for our products and professional services;
customer renewal rates and ability to attract new customers;
the extent to which customers purchase additional products, including content subscriptions and maintenance and support related to our Nexpose, Metasploit and AppSpider products, or professional services;
the ability to successfully grow our sales of InsightOps, InsightIDR, InsightVM and InsightAppSec;
the level of perceived threats to organizations’ cyber security;
network outages, security breaches, technical difficulties or interruptions with our products;
changes in the growth rate of the markets in which we compete;
variations in our billings and sales of our products and services due to seasonality and customer demand;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
the timing and success of new product or professional service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;
the introduction or adoption of new technologies that compete with our offerings;
the mix of our products and professional services sold during a period;
decisions by potential customers to purchase cyber security products or services from other vendors;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
the timing of sales commissions relative to the recognition of revenue and the timing of revenue recognition generally;
price competition;
our ability to successfully manage and integrate any future acquisitions of businesses, including without limitation the amount and timing of expenses and potential future charges for impairment of goodwill from acquired companies;
our ability to increase, retain and incentivize the channel partners that market and sell our products and professional services;
our continued international expansion and associated exposure to changes in foreign currency exchange rates, including any fluctuations caused by uncertainties relating to Brexit;
the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;
unforeseen litigation and intellectual property infringement;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
the strength of regional, national and global economies;
the impact of natural disasters or manmade problems such as terrorism or war; and
future accounting pronouncements or changes in our accounting policies.
Each factor above or discussed elsewhere in this Quarterly Report on Form 10-Q or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.

If we do not continue to innovate and offer products and professional services that address the dynamic threat landscape, we may not remain competitive, and our revenue and operating results could suffer.
The cyber security market is characterized by rapid technological advances, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards. Our success also depends, in part, upon our ability to anticipate industry evolution and introduce or acquire new products and professional services to keep pace with technological developments and market requirements both within our industry and in related industries. While we continue to invest significant resources in research and development in order to ensure that our products continue to address the cyber security risks that our customers face, the introduction of products and services embodying new technologies could render our existing products or services obsolete or less attractive to customers. In addition, developing new products and product enhancements is expensive and time consuming, and there is no assurance that such activities will result in significant cost savings, revenue or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected. Further, we may not be able to successfully anticipate or adapt to changing technology or customer requirements or the dynamic threat landscape on a timely basis, in a way that sufficiently differentiates us from competing solutions such that customers choose to purchase our solutions. If any of our competitors implement new technologies before we are able to implement them or better anticipate the innovation opportunities in related industries, those competitors may be able to provide more effective or more cost-effective solutions than ours. In addition, we may experience technical problems and additional costs as we introduce new products and product enhancements, deploy future iterations of our products and integrate new products with existing customer systems. If any of these problems were to arise, our business, financial condition and results of operations could be adversely affected.
To date, we have derived a substantial majority of our revenue from customers using our threat exposure management offerings. If we are unable to renew or increase sales of our threat exposure management offerings, or if we are unable to increase sales of our other offerings, our business and operating results could be adversely affected.
Although we continue to introduce and acquire new products and professional services, we derive and expect to continue to derive a substantial majority of our revenue from customers using certain of our threat exposure management offerings, Nexpose and Metasploit. Greater than half of our revenue was attributable to Nexpose in each of our last three fiscal years. As a result, our operating results could suffer due to:
any decline in demand for our threat exposure management offerings;
failure of our threat exposure management offerings to detect vulnerabilities in our customers’ IT environments;
the introduction of products and technologies that serve as a replacement or substitute for, or represent an improvement over, our threat exposure management offerings;
technological innovations or new standards that our threat exposure management offerings do not address;
sensitivity to current or future prices offered by us or competing solutions; and
our inability to release enhanced versions of our threat exposure management offerings on a timely basis in response to the dynamic threat landscape.
Our inability to renew or increase sales of our threat exposure management offerings, including content subscriptions and maintenance and support, or a decline in prices of our threat exposure management offerings would harm our business and operating results more seriously than if we derived significant revenues from a variety of offerings. In addition, we have introduced several cloud-based subscription products, including InsightOps, InsightIDR, InsightVM and InsightAppSec products. These products are relatively new, and it is uncertain whether they will gain market acceptance. We are also investing in the expansion of our security advisory services offerings, which we believe will help drive demand for our other products in addition to being a stand-alone service. Any factor adversely affecting sales of our products or professional services, including release cycles, market acceptance, competition, performance and reliability, reputation and economic and market conditions, could adversely affect our business and operating results.

material.
Our business and growth depend substantially on customers renewing their content subscriptions and maintenance and support agreements with us. Any decline in our customer renewals or failure to convince customers to expand their use of our subscription offerings could adversely affect our future operating results.
Our maintenance and support agreementssubscription offerings are sold on a term basis. In addition, we also enter into content subscription agreements for our offerings. In order for us to improve our operating results, it is important that our existing customers renew their content subscription agreements, if applicable, and maintenance and support agreementssubscriptions with us when the initial contractexisting subscription term expires.expires, and renew on the same or more favorable terms. Our customers have no obligation to renew their content subscription or maintenance and support agreementssubscriptions with us after the initial terms have expired.and we may not be able to accurately predict customer renewal rates. Our customers’ renewal rates may decline or fluctuate as a result of a number of factors, including their satisfaction or dissatisfaction with our new or current product offerings, our pricing, the effects of economic conditions, including due to the global economic uncertainty and financial market conditions caused by the COVID-19 pandemic, competitive

offerings, our customers' perception of their exposure, or alterations or reductions in our customers’their spending levels. If our customers do not renew their agreements with us or renew on terms less favorable to us, our revenues and results of operations may be adversely impacted.
Our future growth is also affected by our ability to sell additional offerings to our existing customers, which depends on a number of factors, including customers’ satisfaction with our products and services and general economic conditions. If Metasploit wereour efforts to cross-sell and upsell to our customers are unsuccessful, the rate at which our business grows might decline.
44

Table of Contents
If our new and existing product offerings and product enhancements do not achieve sufficient market acceptance, our financial results and competitive position will suffer.
Our business substantially depends on, and we expect our business to continue to substantially depend on, sales of our Insight Platform solutions. As such, market acceptance of our Insight Platform is critical to our continued success. Demand for Insight Platform solutions are affected by a number of factors beyond our control, including continued market acceptance of cloud-based offerings, the timing of development and release of new products by our competitors, technological change, and growth or contraction in our market and the economy in general. If we are unable to continue to meet customer demands or to achieve more widespread market acceptance of our Insight Platform solutions, our business operations, financial results and growth prospects will be usedmaterially and adversely affected.
We spend substantial amounts of time and money to research and develop or acquire new offerings and enhanced versions of our existing offerings to incorporate additional features, improve functionality or other enhancements in order to meet our customers’ rapidly evolving demands. In addition, we continue to invest in solutions that can be deployed on top of our platform to target specific use cases and to cultivate our community. When we develop a new or enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. For example, if our recent product expansions and offerings, such as our Cloud Security and Threat Intelligence offerings, do not garner widespread market adoption and implementation, our financial results and competitive position could suffer.
Further, we may make changes to our offerings that our customers do not like, find useful or agree with. We may also discontinue certain features, begin to charge for certain features that are currently free or increase fees for any of our features or usage of our offerings.
Our new and existing offerings or product enhancements and changes to our existing offerings could fail to attain sufficient market acceptance for many reasons, including:
our failure to predict market demand accurately in terms of product functionality and to supply offerings that meet this demand in a timely fashion, including changes in demand as a result of the COVID-19 pandemic;
real or perceived defect, errors or failures;
negative publicity about their performance or effectiveness;
delays in releasing to the market our new offerings or enhancements to our existing offerings;
introduction or anticipated introduction of competing products by attackersour competitors;
inability to exploit vulnerabilitiesscale and perform to meet customer demands;
poor business conditions for our customers, causing them to delay IT purchases, including as a result of the COVID-19 pandemic; and
reluctance of customers to purchase cloud-based offerings.
If our new or existing offerings or enhancements and changes do not achieve adequate acceptance in the cyber security infrastructures of third parties,market, our reputationcompetitive position will be impaired, and our revenue, business couldand financial results will be harmed.
Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cyber security programs, Metasploit has in the past andnegatively impacted. The adverse effect on our financial results may in the future be used to exploit vulnerabilities in the cyber security infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes. Any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our offerings. Further, the identification of new exploits and vulnerabilities by the Metasploit community may enhance the knowledge base of cyber attackers or enable them to undertake new forms of attacks. If anyparticularly acute because of the foregoing were to occur,significant research, development, marketing, sales and other expenses we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.will have incurred in connection with the new offerings or enhancements.
We face intense competition in our market.
The market for cyber securitySecOps solutions is highly fragmented, intensely competitive and constantly evolving. We compete with an array of established and emerging security software and services vendors. With the introduction of new technologies and market entrants, we expect the competitive environment to remain intense going forward. Our primary competitors include: vulnerability management and assessment vendors, includingin Vulnerability Risk Management include Qualys and Tenable Network Security; diversified security softwareTenable; in Incident Detection and services vendors, including IBMResponse include Splunk, Micro Focus, LogRhythm and HPE; legacy complianceMicrosoft (Sentinel); in Application Security include Micro Focus and monitoring solutions such as SIEM, provided by vendors including LogRhythm, AlienvaultIBM; in Security Orchestration and Sumo Logic; machine data analysis tools such as those provided by Splunk; security services specialists, including Mandiant (a subsidiary of FireEye);Automation Response include Splunk and providers of point solutions that compete with some ofPalo Alto Networks; in Cloud Security include Palo Alto Networks and Check Point Software Technologies; in Threat Intelligence include Recorded Future and Digital Shadows and finally, while the features presentcompetition in our solutions.professional services business is diverse, our competitors include Mandiant, SecureWorks and NCC Group.
Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business user recognition, larger and more mature intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is becoming increasingly competitive. Larger and more established companies may focus on cyber security operations and could
45

Table of Contents
directly compete with us. Smaller companies could also launch new products and services that we do not offer and that could gain market acceptance quickly.
Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our offerings and cause the average sales price for our offerings to decline. These larger competitors are also often in a better position to withstand any significant reduction in capital spending by customers, and will therefore not be as susceptible to economic downturns.
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors, or we may be required to expend significant resources in order to remain competitive. If our competitors are more successful than we are in developing new product and service offerings or in attracting and retaining customers, our business, financial condition and results of operations could be adversely affected.
If we are unable to successfully hire, train, and retain qualified personnel our business may suffer.
We continue to be substantially dependent on our sales force to obtain new customers and increase sales with existing customers. Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales, marketing and research and development. In addition, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the recent cybersecurity attacks on global corporations and governments. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain sufficient qualified employees in the future particularly in tight labor markets. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or professional services or market our existing products or professional services at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.
We believe that our corporate culture has been a critical component to our success. We have invested substantial time and resources in building our team. As we grow and mature as a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could negatively affect our future success, including our ability to attract, motivate and retain personnel and effectively focus on and pursue our business strategy.
Our sales cycle may be unpredictable.
The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the size of the organization and nature of the product or service under consideration. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.
46

Table of Contents
If we fail to continue to effectively scale and manage our operations infrastructure, our customers may experience service outages and/or delays.
Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.
To date, we have derived a significant amount of our revenue from customers using our vulnerability management offerings. If we are unable to renew or increase sales of our vulnerability management offerings, or if we are unable to increase sales of our other offerings, our business and operating results could be adversely affected.
Although we continue to introduce and acquire new products and professional services, we derive and expect to continue to derive a significant amount of our revenue from customers using certain of our vulnerability management offerings (“VM”), InsightVM, Nexpose and Metasploit. Approximately half of our revenue was attributable to InsightVM, Nexpose and Metasploit for the year ended December 31, 2021. As a result, our operating results could suffer due to:
any decline in demand for our vulnerability management offerings;
failure of our vulnerability management offerings to detect vulnerabilities in our customers’ IT environments;
the introduction of products and technologies that serve as a replacement or substitute for, or represent an improvement over, our vulnerability management offerings;
technological innovations or new standards that our vulnerability management offerings do not address;
sensitivity to current or future prices offered by us or competing solutions;
our inability to release enhanced versions of our vulnerability management offerings on a timely basis in response to the dynamic threat landscape; and
a decline in overall IT spending due to the global economic uncertainty and financial market conditions caused by the COVID-19 pandemic.
Our inability to renew or increase sales of our vulnerability management offerings, including cloud-based subscriptions, content subscriptions, managed services and content and maintenance and support subscriptions, or a decline in prices of our vulnerability management offerings would harm our business and operating results more seriously than if we derived significant revenues from a variety of offerings. In addition, while we have introduced several non-VM subscription products, including InsightAppSec, InsightConnect, InsightCloudSec and Threat Intelligence, these products are relatively new, and it is uncertain whether they will gain the market acceptance we expect. Any factor adversely affecting sales of our non-VM products or professional services, including release cycles, market acceptance, competition, performance and reliability, reputation and economic and market conditions, could adversely affect our business and operating results.
A component of our growth strategy is dependent on our continued international expansion, which adds complexity to our operations.
We market and sell our products and professional services throughout the world and have personnel in many parts of the world. For the ninethree months ended September 30, 2017March 31, 2022 and 2016,2021, operations located outside of North America generated 15%21% and 13%

18%, respectively, of our revenue, respectively.revenue. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. We cannot assure you that our expansion efforts into international markets will be successful in creating further demand for our products and professional services or in effectively selling our products and professional services in the international markets that we enter. Our current international operations and future initiatives will involve a variety of risks, including:
increased management, infrastructure and legal costs associated with having international operations;
reliance on channel partners;
trade and foreign exchange restrictions;
economic or political instability or uncertainty in foreign markets and around the world, such as related to the United Kingdom’s referendum in June 2016 in which voters approved an exit from the European Union, commonly referred to as “Brexit”;world;
47

Table of Contents
foreign currency exchange rate fluctuations;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
changes in regulatory requirements, including, but not limited to data privacy, data protection and data security regulations;
difficulties and costs of staffing and managing foreign operations;
the uncertainty and limitation of protection for intellectual property rights in some countries;
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
the potential for political unrest, acts of terrorism, hostilities or war;
management communication and integration problems resulting from cultural differences and geographic dispersion;
costs associated with language localization of our products;
increased exposure to climate change, natural disasters, acts of war (including the armed conflict between Russia and Ukraine), terrorism, epidemics, or pandemics and other health crises, including the ongoing COVID-19 pandemic; and
costs of compliance with multiple and possibly overlapping tax structures.
Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations.
Further, in late February 2022, Russian military forces launched a significant military action against Ukraine. While our business and operations have not been significantly impacted, it is not possible to predict the broader or longer-term consequences of this crisis. Consequences of the crisis could include further sanctions, embargoes, regional instability, geopolitical shifts and adverse effects on macroeconomic conditions, security conditions, currency exchange rates and financial markets. There can be no assurance that the armed conflict between Russia and the Ukraine, including any resulting sanctions, export controls or other restrictive actions, will not have a material adverse impact on our future operations and results.
If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.
We are also monitoring developments related to Brexit, which could haverecognize a significant implications for our business. Brexit could lead to economic and legal uncertainty, including significant volatility in global stock markets and currency exchange rates, and differing laws and regulations as the United Kingdom determines which European Union laws to replace or replicate. Any of these effects of Brexit, among others, could adversely affect our operations in the United Kingdom and our financial results.
As a cyber security provider, we are a target of cyber attacks that could adversely impact our reputation and operating results.
We sell cyber security and data analytics products. As a result, we have been and will be a target of cyber attacks designed to impede the performance of our products, penetrate our network security or the security of our cloud platform or our internal

systems, or that of our customers, misappropriate proprietary information and/or cause interruptions to our services. For example, because Metasploit serves as an introduction to hacking for many individuals, a successful cyber attack on us may be perceived as a victory for the cyber attacker, thereby increasing the likelihood that we may be a target of cyber attacks, even absent financial motives. Further, if our systems are breached, attackers could learn critical information about how our products operate to help protect our customers’ IT infrastructures from cyber risk, thereby making our customers more vulnerable to cyber attacks. In addition, if actual or perceived breaches of our network security occur, they could adversely affect the market perception of our products, negatively affecting our reputation, and may expose us to the loss of our proprietary information or information belonging to our customers, investigations or litigation and possible liability, including injunctive relief and monetary damages. Such security breaches could also divert the efforts of our technical and management personnel. In addition, such security breaches could impair our ability to operate our business and provide products to our customers. If this happens, our reputation could be harmed, our revenue could decline and our business could suffer.
We are dependent on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.
Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our President and Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. We maintain key man insurance on Mr. Thomas, but do not do so for any of our other executive officers or key employees. From time to time, there may be changes in our senior management team resulting from the termination or departure of our executive officers and key employees. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of the services of our senior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent our development or the achievement of our strategic objectives and harm our business, financial condition and results of operations.
Our business and operations are experiencing rapid growth, and if we do not appropriately manage our future growth, or are unable to scale our systems and processes, our operating results may be negatively affected.
We are a rapidly growing company. To manage future growth effectively we will need to continue to improve and expand our internal information technology systems, financial infrastructure, and operating and administrative systems and controls, which we may not be able to do efficiently, in a timely manner or at all. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to customers or investors losing confidence in our internal systems and processes, which could harm our results of operations and stock price.
We recognize substantially allpercentage of our revenue ratably over the term of our agreements with customers, and as a result, downturns or upturns in sales may not be immediately reflected in our operating results.
We recognize substantially alla significant percentage of our revenue ratably over the various terms of our agreements with customers, which generally occurs over a one to three-year period.customers. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.term.
We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our business. We are likely to recognize the costs associated with these increased investments
48

Table of Contents
earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.
We may be unable to rapidly and efficiently adjust our cost structure in response to significant revenue declines, which could adversely affect our operating results.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure. We have experienced, and may in the future experience, disruptions, outages and other

performance problems due to a variety of factors, including infrastructure changes, human or software errors, capacity constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.
We utilize third-party data centers located in Boston, Massachusetts, in addition to operating and maintaining certain elements of our own network infrastructure. We also utilize Amazon Web Services for our Insight platform infrastructure. Some elements of this complex system are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. More specifically, certain of our products, in particular our Managed Vulnerability Management (Nexpose), InsightIDR, InsightVM, InsightAppSec, InsightOps and Logentries products, are hosted on Amazon Web Services, which provides us with computing and storage capacity. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure and website.
Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition, and operating results.
Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience costs or downtime as we transition our operations.
Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, subject us to potential liability and cause customers to not renew their purchases or our products.
If we fail to manage our operations infrastructure, our customers may experience service outages and/or delays.
Our future growth is dependent upon our ability to continue to meet the expanding needs of our customers and to attract new customers. As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our revenue.
If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.
We generate a portion of our revenue from our threat exposure management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our threat exposure management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that process, transmit or store cardholder data. In addition, our threat exposure management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The foregoing and other state, federal and international legal and regulatory regimes may affect our customers’ requirements for, and demand for, our products and professional services. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our customers’ cyber security defense and compliance efforts, our customers may lose confidence in our products and could switch to products offered by our competitors, or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or

the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.
In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and standards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.
If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
Our products are deployed in a wide variety of IT environments, including large-scale, complex infrastructures. Some of our customers have experienced difficulties implementing our products in the past and may experience implementation difficulties in the future. If our customers are unable to implement our products successfully, customer perceptions of our offerings may be impaired or our reputation and brand may suffer.
In addition, in order for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, and our products must be able to effectively adapt to and track these changes.
Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.
Future acquisitionsOur success in acquiring and integrating other businesses, products or technologies could disruptimpact our business and harm our financial condition and operating results.position.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay. We also may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful.
Achieving the anticipated benefits of past or future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner and successfully market and sell these as new product offerings, including, foror as new features within our existing offerings. For example, the operations, productson July 16, 2021, we acquired IntSights, a provider of contextualized external threat intelligence and technology acquired in connection with our acquisition of Komand in July 2017. The acquisition of Komand’s orchestration and automation technology isproactive threat remediation which were intended to helpextend the cloud security capabilities of our customers automatically identify risks, respond to incidents,Insight Platform. The integration of IntSights and address issues faster and with less human intervention. The process of integrating a new business or technology into our product offerings, such as Komand and its technology, requires, amongany other things, coordination of administrative, sales and marketing, accounting and finance functions, and expansion of information and management systems. Integration of any future acquisition may prove to be difficult due to the necessity of coordinating geographically separate organizations and integrating personnel with disparate business backgrounds and accustomed to different corporate cultures.cultures and business operations and internal systems. We may need to implement or improve controls, procedures, and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies. The acquisition and integration processes are complex, expensive and time consuming, and may cause an interruption of, or loss of momentum in, product development, sales activities and operations of both companies. Further, we may be unable to retain key personnel of an acquired company following the acquisition, including certain employees which we acquired in connection with our acquisition of Komand.acquisition. If we are unable to effectively execute or integrate acquisitions, the anticipated benefits of such acquisition, including sales or growth opportunities or targeted synergies may not be realized, and our business, financial condition and operating results could be adversely affected.
In addition, we may only be able to conduct limited due diligence on an acquired company’s operations or may discover that the products or technology acquired were not as capable as we thought based upon the initial or limited due diligence. Following an acquisition, we may be subject to unforeseen liabilities arising from an acquired company’s past or present operations and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any unforeseen liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.
We have provided and may continue to provide guidance about our business, future operating results and key metrics, including ARR. In developing this guidance, our management must make certain assumptions and judgments about our future performance. Some of those key assumptions relate to the impact of the COVID-19 pandemic and the associated economic uncertainty on our business and the timing and scope of economic recovery globally, which are inherently difficult to predict. While presented with numerical specificity, this guidance is necessarily speculative in nature, and is inherently subject to significant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions or economic conditions, some of which may change. This guidance, which inherently consists of forward-looking statements, is also qualified by, and subject to, assumptions, estimates and expectations as of the date given.Forward-looking statements are subject to a number of risks, uncertainties, assumptions and other factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by the forward-looking statements including the risks described in this Risk Factors section and in
49

Table of Contents
the Risk Factors section of any future SEC filings we make. It can be expected that some or all of the assumptions, estimates and expectations of any guidance we furnished will not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release of such guidance.
Furthermore, analysts and investors may develop and publish their own projections of our business, which may form a consensus about our future performance. Our business results may vary significantly from such projections or that consensus due to a number of factors, many of which are outside of our control, including due to the global economic uncertainty and financial market conditions caused by the COVID-19 pandemic and which could adversely affect our operations and operating results. There are no comparable recent events that provide guidance as to the probable effect of the COVID-19 pandemic, and, as a result, the ultimate impact of the COVID-19 outbreak is highly uncertain and subject to change. If we fail to accurately predict the full impact that the COVID-19 pandemic will have on all aspects of our business, the guidance and other forward-looking statements provided may also be incorrect or incomplete. Furthermore, if we make downward revisions of our previously announced guidance, or if our publicly announced guidance of future operating results fails to meet expectations of securities analysts, investors or other interested parties, the price of our common stock would decline.
If we are unable to maintain successful relationships with our channel partners, our business operations, financial results and growth prospects could be adversely affected.

Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We anticipate that we will continue to rely on these partners in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. For 2016the years ended December 31, 2021, 2020 and 2015,2019, we derived approximately 37%52%, 47%, and 39%43%, respectively, of our revenue from sales of products and professional services through channel partners, and the percentage of revenue derived from channel partners may increase in future periods. Our agreements with our channel partners are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or do not effectively market and sell our products and professional services, our ability to grow our business and sell our products and professional services, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and professional services or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and professional services or increased revenue.
If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.
We believe that maintaining and enhancing our brand identity is critical to our relationships with our customers and channel partners and to our ability to attract new customers and channel partners. The successful promotion of our brand will depend largely upon our marketing efforts, our ability to continue to offer high-quality offerings and our ability to successfully differentiate our offerings from those of our competitors. Our brand promotion activities may not be successful or yield increased revenues. In addition, independent industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services, our brand may be adversely affected.
Moreover, it may be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers and channel partners, all of which would adversely affect our business operations and financial results.
Failure to maintain high-quality customer support could have a material adverse effect on our business.
Once our products are deployed within our customers’ networks, our customers depend on our technical and other customer support services to resolve any issues relating to the implementation and maintenance of our products. If we do not effectively assist our customers in deploying our products, help our customers quickly resolve post-deployment issues or provide effective ongoing support, our ability to renew or sell additional products or professional services to existing customers would be adversely affected and our reputation with potential customers could be damaged. Further, to the extent that we are unsuccessful in hiring, training and retaining adequate technical and customer success personnel, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our offerings will be adversely affected.
50

Table of Contents
We are dependent on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.
Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursue new opportunities and product innovations. From time to time, there may be changes in our senior management team resulting from the termination or departure of our executive officers and key employees. Our senior management and key employees are employed on an at-will basis, which means that they could terminate their employment with us at any time. Further, members of our management and other key personnel in critical functions across our organization may be unable to perform their duties or have limited availability due to COVID-19. The temporary or permanent loss of the services of our senior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations.
We rely on third-party software to operate certain functions of our business.
We rely on software vendors to operate certain critical functions of our business, including financial management, customer relationship management and human resource management. If we experience difficulties in implementing new software or if these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.
We use third-party software and data that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.
We license third-party software and security and compliance data from various third parties that are used in our solutions in order to deliver our offerings. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our offerings until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software could result in errors or defects in our products or cause our products to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.
Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.
Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, or GPL, the GNU Lesser General Public License, or LGPL, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In

addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our applications and to make our applications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the event that portions of our applications are determined to be subject to an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in our products failing to provide our customers with the security they expect. Any of these events could have a material adverse effect on our business, operating results and financial condition.
Our technology alliance partnerships expose us to a range of business risks and uncertainties that could have a material adverse impact on our business and financial results.
We have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans, including with certain of our actual or potential competitors. For example, through these technology alliance partnerships, we integrate with certain third-party application program interfaces or APIs,(“APIs”), which enhance our data collection capabilities in our customers’ IT environments. If these third parties no longer allow us to integrate with their APIs, or if we determine not to maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain potential customers. Technology alliance partnerships require significant coordination between the parties involved, particularly if a partner requires that we integrate its products with our products. Further, we have invested and will continue to invest significant time, money and resources to establish and maintain relationships with our technology alliance partners, but we have no assurance that any particular relationship will continue for any specific period of time, result in new offerings that we can effectively commercialize or result in enhancements to our existing offerings. In addition, while we believe that entering into technology alliance partnerships with certain of our actual or potential competitors is currently beneficial to our competitive position in the market, such partnerships may also give our competitors insight into our offerings that they may not otherwise have, thereby allowing them to compete more effectively against us.
If our products fail to help our customers achieve and maintain compliance with regulations and/or industry standards, our revenue and operating results could be harmed.
We generate a portion of our revenue from our vulnerability management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our vulnerability management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council (the “PCI Council”), which apply to companies that process, transmit or store cardholder data. In addition, our vulnerability management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In
51

Table of Contents
particular, HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The continued utility of Metasploit depends in part on the continued contributions from security researchers.
Our Metasploit product relies on information provided by an active community of security researchers who contribute new exploits, attacksforegoing and vulnerabilities. We expect that the continued contributions from these third parties will both enhance the robustness of Metasploitother state, federal and also supportinternational legal and regulatory regimes may affect our salescustomers’ requirements for, and marketing efforts. However, to the extent that the information provided by these third parties is inaccurate or malicious, the potentialdemand for, false indications of security vulnerabilities and susceptibility to attack increases, which could adversely impact market acceptance of our products and professional servicesservices. Governments and industry organizations, such as the PCI Council, may also adopt new laws, regulations or requirements, or make changes to existing laws or regulations, that could impact the demand for, or value of, our products. If we are unable to adapt our products to changing legal and regulatory standards or other requirements in a timely manner, or if our products fail to assist with, or expedite, our customers’ cybersecurity defense and compliance efforts, our customers may lose confidence in our products and could resultswitch to products offered by our competitors or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in negative publicity, lossa manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.
In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and salesstandards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and increased costs to remedy any problem. Further, to the extent thatstandards, or our community of third parties is reduced in size or participants become less active,competitors achieve compliance with these certifications and standards, we may lose valuable insight into the dynamic threat landscapebe disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.financial condition.
A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.
Selling to government entities can be highly competitive, expensive and time consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our products and professional services may also be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Government entities also have heightened sensitivity surrounding the purchase of cyber securitycybersecurity solutions due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly-visible targets for cyber attacks. Accordingly, increasing sales of our products and professional services to government entities may be more challenging than selling to commercial organizations. Further, in the course of providing our products and professional services to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, for the ninethree months ended September 30, 2017March 31, 2022 and 2016,2021 we incurred approximately 16%19% and 13%14%, respectively, of our expenses respectively, outside of the United States in foreign currencies, primarily the British pound sterling and euro, principally with respect to salaries and related personnel expenses associated with our sales and research and development operations. Additionally, for the ninethree months ended September 30, 2017March 31, 2022 and 2016, approximately 5%2021, 10% and 9%, respectively, of our revenue was generated in foreign currencies. Accordingly, changes in exchange rates may have an adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. To date, weFurthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. We implemented a hedging program during 2020 and have not engagedentered into forward contracts designated as cash flow hedges in anyorder to mitigate our exposure to foreign currency fluctuations resulting from certain operating expenses denominated in certain foreign currencies. These forward contracts and other hedging strategies and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk in the future may not eliminate our exposure to foreign exchange fluctuations.
Changes in financial accounting standards may adversely impact our reported results of operations.
A change in accounting standards or practices, in particular with respect to revenue recognition, could harm our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. For example, in May 2014, the Financial Accounting Standards Board issued Accounting Standards Update No. 2014-09 (Topic 606), Revenue from Contracts with Customers, which supersedes nearly all existing revenue recognition guidance under generally accepted accounting principles in the United States. We will be required to implement this new revenue standard, as amended by accounting standards update No. 2015-14, in the first quarter of fiscal 2018. While we are still evaluating the total impact of the new revenue standard, we believe the adoption of this new standard will have an impact on our consolidated financial statements, including the way we account for perpetual software license arrangements where the software license is deemed dependent on our content subscription arrangements, arrangements involving software licenses that are sold with professional services and the recognition of direct and incremental commission costs to obtain a contract. These and other changes to existing rules or the questioning of current practices may harm our operating results or the way we conduct our business.
We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.
We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Risks Related to Government Regulation, Data Collection, Intellectual Property, Litigation and Catastrophic Events
We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.
Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in compliance with these laws and regulations. Compliance with these laws and regulations is complex, and if we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and

regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers. A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.
We also incorporate encryption technology into our products. These encryption products may be exported outside of the United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.
Further, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to U.S. embargoed or sanctioned countries, governments or persons. Although we take precautions to prevent our products from being provided to those subject to U.S. sanctions, such measures may be circumvented.
Finally, there are currently multinational efforts underway as part of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, or the Wassenaar Arrangement, to impose additional restrictions on certain cyber security products. Such controls have been implemented by many Wassenaar members, but are not currently in effect in the United States and may undergo substantial modification before becoming effective. To implement the controls under the Wassenaar Arrangement in the United States, the U.S. Department of Commerce's Bureau of Industry and Security, or BIS, would have to amend the Export Administration Regulations, or the EAR. Such amendments could include changes that impose new licensing, approval and other requirements on our commercial Metasploit products and thereby put us at a disadvantage in competing for international sales. We are closely monitoring the potential implications of the Wassenaar Arrangement on the commercial versions of Metasploit, and are actively working with BIS and other U.S. government stakeholders in connection with the implementation of the controls under the Wassenaar Arrangement.
Failure to comply with governmental laws and regulations could harm our business.
Our business is subject to regulation by various federal, state, local and foreign governments. In certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.
Because our products collect and store user and related information, domestic and international privacy and cyber security concerns, and other laws and regulations, could result in additional costs and liabilities to us or inhibit sales of our products.
We, and our customers, are subject to a number of domestic and international laws and regulations that apply to online services and the internet generally. These laws, rules and regulations address a range of issues including data privacy and cyber security, and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, cyber security and breach notification procedures. Interpretation of these laws, rules and regulations and their application to our products and professional services in the United States and foreign jurisdictions is ongoing and cannot be fully determined at this time.
In the United States, these include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, HIPAA, the Gramm Leach Bliley Act and state breach notification laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions,

settlements, consent decrees and guidance documents. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal frameworks with which we, or our customers, must comply, including the EU Data Protection Directive 95/46/EC (“Directive”) established in the European Union (“EU”) and local EU Member State legislation implementing the Directive, such as the Data Protection Act in the United Kingdom. In addition, in April 2016, the European Union adopted a new General Data ProtectionGovernment Regulation designed to unify data protection within the European Union under a single law, which may result in significantly greater compliance burdens and costs for companies with users and operations in the European Union. Under the General Data Protection Regulation, fines of up to 20 million euros or up to 4% of the annual global turnover of the infringer, whichever is greater, could be imposed. This government action is typically intended to protect the privacy of personal data that is collected, processed and transmitted in or from the governing jurisdiction. These laws apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. The General Data Protection Regulation will go into effect and apply to us beginning in May 2018. Further, many U.S. federal and state and other foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. Non-compliance with these laws could result in penalties or significant legal liability. We could be adversely affected if legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations or financial condition.
In addition, to facilitate the transfer of both customer and personnel data from the European Union to the United States, we signed up to the EU-U.S. Safe Harbor Framework, which required U.S.-based companies to provide assurance that they were adhering to relevant European standards for data protection. On October 6, 2015, the Court of Justice of the European Union, or CJEU, invalidated the EU-U.S. Safe Harbor Framework. In light of CJEU’s decision, we have reviewed our current operations to ensure that our EU-U.S. data transfers comply with EU data protection laws. The available legal basis for such transfers will depend on a number of factors, including, for example, the type of data and the European Economic Area country from which the data is being transferred, and may require that we obtain express consent from the customer or employee whose data is being transferred or include in our agreements with the applicable customer or European Economic Area employing entity the standard contractual clauses that have been approved by the EU Commission or adopt one of the other alternative mechanisms available in order to effect such transfers in compliance with the EU laws (although certain German regulators have expressed concerns in respect of the standard contractual clauses and in October 2017, the Irish High Court referred the question as to whether the standard contractual clauses can be used as a basis for data transfers to the United States to the CJEU). Our compliance actions may involve substantial time and expense; for example, if we enter into the standard contractual clauses with a customer, in some EU countries, including Belgium and Spain, executed clauses need to be lodged with or notified to the country’s data protection authority prior to the transfer of any data, and in other countries, including Austria, France, Ireland, Romania and Slovenia, the clauses need to be approved by the country’s data protection authority prior to use. Non-compliance could result in the EU data protection authorities imposing a number of different sanctions on us until we do, including fines and, ultimately, a prohibition on transfers.
In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing practices or the features of our products. We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom we rely in relation to various services, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.
The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Privacy or cyber security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.
Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Our failure to comply with existing laws, rules or regulations, changes to existing laws or their interpretation, or the imposition of new laws, rules or regulations, could result in additional costs and may necessitate changes to our business practices and divergent operating models, which may have a material and adverse impact on our business, results of operations, and financial condition.

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.
52

Table of Contents
We cannot assure you that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Rapid7,” “Nexpose” and “Metasploit” names and logos in the United States and certain other countries. We have registrations and/or pending applications for additional marks in the United States and other countries; however, we cannot assure you that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights. While we have copyrights in our software, we do not typically register such copyrights with the Copyright Office. This failure to register the copyrights in our software may preclude us from obtaining statutory damages for infringement under certain circumstances. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms. We cannot assure you that such third parties will maintain such software or continue to make it available.
In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could result in impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our failure to secure, protect and enforce our intellectual property rights could negatively affect our brand and adversely impact our business, operating results and financial condition.
Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.
Patent and other intellectual property disputes are common in our industry. We are currentlyperiodically involved in a lawsuitdisputes brought by a non-practicing entityentities alleging that we have infringed upon a now-expired patent held by such entityinfringement and we may, from time to time, be involved in other such disputes in the ordinary course of our business. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. Theyus and we are currently involved in legal proceedings with Finjan, Inc., which has filed a complaint against us and our wholly-owned subsidiary, Rapid7 LLC, in the United States District Court, District of Delaware, alleging patent infringement. Third parties may also assert such claims against our customers or channel partners, whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.

An adverse outcome of a dispute may require us to:
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
53

Table of Contents
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and
indemnify our partners and other third parties.
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore, our competitors may have access to the same technology licensed to us.
Any of the foregoing events could seriously harm our business, financial condition and results of operations.
Our intercompany relationshipsproducts contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.
Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, the GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to complex transfer pricing regulations, which maythe license be challengedmade available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by taxing authorities.
We generally conductU.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our international operations through wholly-owned subsidiaries and reportability to commercialize our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. In 2016, we completedproducts. The terms of certain open source licenses require us to release the reorganizationsource code of our corporate structureapplications and intercompany relationships to more closely alignmake our corporate organizationapplications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the expansionevent that portions of our international business activities. Although we anticipate achieving a reduction in our overall effective tax rate in the future as a result of this reorganized corporate structure, we may not realize any benefits. Our intercompany relationshipsapplications are and will continuedetermined to be subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position were not sustained,an open source license, we could be required to pay additional taxes, interestpublicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and penalties,time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in one-time tax charges, higher effective tax rates, reduced cash flowsour products failing to provide our customers with the security they expect. Likewise, some open source projects have known security and lower overall profitabilityother vulnerabilities and architecture instabilities, or are otherwise subject to security attacks due to their wide availability, and are provided on an “as-is” basis. Any of these events could have a material adverse effect on our operations. In addition,business, operating results and financial condition.
We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.
Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the intended tax treatment of our reorganized corporate structure is not acceptedU.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the applicable taxing authorities, changesU.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in tax law negatively impactcompliance with these laws and regulations. Although we take precautions to prevent our products from being provided in violation of these laws, our products could be provided inadvertently in violation of such laws, despite the structure orprecautions we do not operate our business consistenttake. Compliance with the structurethese laws and applicable taxregulations is complex, and if we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may failbe time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to achieve any tax advantagesexport or sell our products to, existing or potential customers. For example, in response to the armed conflict between Russia and Ukraine, countries such as Canada, the
54

Table of Contents
United Kingdom, the European Union, the United States and other countries and organizations have implemented new and stricter sanctions and export controls against officials, individuals, regions, and industries in Russia, Ukraine and Belarus. Each country’s potential response to such sanctions, export controls, tensions, and military actions could damage or disrupt international commerce and the global economy and could have a resultmaterial adverse effect on our business and results of operations or impact our ability to continue to operate in affected regions.
A decreased use of our products or limitation on our ability to export or sell our products could adversely affect our business, financial condition and results of operations.
We also incorporate encryption technology into our products. These encryption products may be exported outside of the reorganized corporate structure,United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our future operating resultsability to distribute our products or could limit our customers’ ability to implement our products in those countries. Governmental regulation of encryption technology and financial conditionregulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may be negatively impacted.create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.
Our ability to use net operating losses to offset future taxable income may be subject to certain limitations.
As of December 31, 2016,2021, we had federal and state net operating loss carryforwards or NOLs,(“NOLs”), of $93.8$510.3 million and $69.2$400.7 million, respectively, available to offset future taxable income, which expire in various years beginning in 20232022 if not utilized. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Under the provisions of the Internal Revenue Code of 1986, as amended or the Internal(the “Internal Revenue Code,Code”), substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use NOLs if a company experiences a more-than-50-percentmore-than-50-percentage point ownership change over a three-year testing period. Based upon our historical analysis, as of December 31, 2016, we determined that although a small limitation on our historical NOLs exists, we do not expect this limitation to impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occur in the future, our ability to use our NOLs may be further limited. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. If we are limited in our ability to use our NOLs in future years in which we have taxable income, we will pay more taxes than if we were able to fully utilize our NOLs. This could adversely affect our operating results, cash balances and the market price of our common stock.

We could be subject to additional tax liabilities.
The enactment of legislation implementing changes in the U.S. taxation of international business activities or the adoption of other tax reform policies could materially impact our financial position and results of operations.
Recent changesWe are subject to U.S. tax laws, including limitations on the ability of taxpayers to claimfederal, state, local and utilize foreign tax credits and the deferral of certain tax deductions until earnings outside ofsales taxes in the United States are repatriated to the United States, as well as changes to U.S. tax laws that may be enactedand foreign income taxes, withholding taxes and transaction taxes in the future, could impact the tax treatment of ournumerous foreign earnings. The U.S. federal government has called for substantial changes to U.S. tax policy and laws which would significantly alter the U.S. tax code if enacted.jurisdictions. We do not currently have sufficient information that would allow us to predict what U.S. tax reform, if any, may be enacted in the future or what impact any such changes would have on our business. Due to expansion ofgenerally conduct our international operations through wholly-owned subsidiaries and report our taxable income in various jurisdictions worldwide based upon our business activities, any changesoperations in the U.S. taxation of such activities may increase our worldwide effective tax ratethose jurisdictions. Our intercompany relationships are and adversely affect our financial condition and operating results. Additionally, changes in foreign tax laws, in particular with regardwill continue to UK tax policy, may adversely impact our worldwide tax rate.
Our operating results may be harmed if we are requiredsubject to collect sales and use or other related taxes for our products and professional services in jurisdictions where we have not historically done so.
Taxing jurisdictions, including state, local and foreigncomplex transfer pricing regulations administered by taxing authorities have differing rules and regulations governing sales and use or other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, significantin various jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. While we believe that weDuring the ordinary course of business, there are in material compliancemany activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our obligations under applicable taxing regimes, one or more states, localities or countries may seekdeterminations as to impose additional sales or other tax collection obligations on us, including for past sales. It is possible that we could face sales tax auditsthe income and that such audits could result in tax-related liabilities for which we have not accrued. A successful assertion that we should be collecting additional sales or other taxes on our offerings in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our offerings or otherwise harm our business and operating results.
expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.
55

Table of Contents
Risks Related to Data Privacy and Cybersecurity
Real or perceived failures, errors or defects in our solutions could adversely affect our brand and reputation, which could have an adverse effect on our business and results of operations.
If our products or professional services fail to detect vulnerabilities in our customers’ cybersecurity infrastructure, or if our products or professional services fail to identify and respond to new and increasingly complex methods of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or professional services will detect all vulnerabilities and threats, especially in light of the rapidly changing security landscape to which we must respond, including the constantly evolving techniques used by attackers to access or sabotage data. If we fail to update our solutions in a timely or effective manner to respond to these threats, our customers could experience security breaches. Many federal, state and foreign governments have enacted laws requiring companies to notify individuals of data security breaches involving their personal data. These mandatory disclosures regarding a security breach often lead to widespread negative publicity, and any association of us with such publicity may cause our customers to lose confidence in the effectiveness of our solutions. An actual or perceived security breach or theft of sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or professional services, could adversely affect the market’s perception of our offerings and subject us to legal claims.
Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. We expect that the continued contributions from these third parties will both enhance the robustness of Metasploit and also support our sales and marketing efforts. However, to the extent that the information from these third parties is inaccurate or malicious, the potential for false indications of security vulnerabilities and susceptibility to attack increases. These false positives, while typical in the industry, may impair the perceived reliability of our offerings and may therefore adversely impact market acceptance of our products and professional services and could result in negative publicity, loss of customers and sales and increased costs to remedy any problem. Further, to the extent that our community of third parties is reduced in size or participants become less active, we may lose valuable insight into the dynamic threat landscape and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.
Our products may also contain undetected errors or defects. Errors or defects may be more likely when a product is first introduced or as new versions are released, or when we introduce an acquired company's products. We have experienced these errors or defects in the past in connection with new products, acquired products and product upgrades and we expect that these errors or defects will be found from time to time in the future in new, acquired or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities or threats, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ businesses and could hurt our reputation. If our products or professional services fail to detect vulnerabilities or threats for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results. Limitation of liability provisions in our standard terms and conditions and our other agreements may not adequately or effectively protect us from any claims related to errors or defects in our solutions, including as a result of federal, state or local laws or ordinances or unfavorable judicial decisions in the United States or other countries.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure.
Our brand, reputation and ability to attract, retain and serve our customers are dependent in part upon the reliable performance of our products and network infrastructure. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors, capacity constraints and fraud or security attacks. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time.
We utilize third-party data centers located in North America, Europe, Australia and Asia, in addition to operating and maintaining certain elements of our own network infrastructure. Some elements of our complex infrastructure are operated by third parties that we do not control and that could require significant time to replace. We expect this dependence on third parties to continue. More specifically, certain of our products, in particular our cloud-based products, are hosted on cloud providers such as Amazon Web Services, which provides us with computing and storage capacity. Interruptions in our systems or the third-party systems on which we rely, whether due to system failures, computer viruses, physical or electronic break-ins, or other factors, could affect the security or availability of our products, network infrastructure and website.
Prolonged delays or unforeseen difficulties in connection with adding capacity or upgrading our network architecture when required may cause our service quality to suffer. Problems with the reliability or security of our systems or third-party systems
56

Table of Contents
on which we rely could harm our reputation. Damage to our reputation and the cost of remedying these problems could negatively affect our business, financial condition, and operating results.
Additionally, our existing data center facilities and third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and certain of the agreements governing these relationships may be terminated by either party at any time. If we are unable to maintain or renew our agreements with these providers on commercially reasonable terms or if in the future we add additional data center facilities or third-party hosting providers, we may experience additional costs or downtime or delays as we transition our operations.
Any disruptions or other performance problems with our products could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenue, cause us to issue credits to customers, due to our inability to meet stated service level commitments, subject us to potential liability and cause customers to not renew their purchases or our products.
If we or our third party service providers experience a security breach or unauthorized parties otherwise obtain access to our customers’ data, our reputation may be harmed, demand for our solutions may be reduced and we may incur significant liabilities.
We sell cybersecurity and data analytics products. As a result, we have been and will continue to be a target of cyber attacks designed to impede the performance of our products, penetrate our network security or the security of our cloud platform or our internal systems, or that of our customers, misappropriate proprietary information and/or cause interruptions to our services. For example, because Metasploit serves as an introduction to hacking for many individuals, a successful cyber attack on us may be perceived as a victory for the cyber attacker, thereby increasing the likelihood that we may be a target of cyber attacks, even absent financial motives.
We also process, store and transmit our own data as part of our business and operations, including personal, confidential or proprietary information. As many of our customers and employees will continue to work remotely, we expect there will continue to be an increased amount of such information that is stored in our solutions, which increases the exposure and risk of attempted security breaches, cyberattacks and other malicious internet-based activity. Additionally, we make use of third-party technology and systems for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, credit card processing, customer relationship management, human resources services and other functions.
Computer malware, ransomware, cyber viruses, social engineering (phishing attacks), supply-chain attacks, denial of service or other attacks, employee theft or misuse and increasingly sophisticated network attacks have become more prevalent in our industry, particularly against cloud services. In particular, ransomware attacks, including by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. While extortion payments may alleviate the negative impact of a ransomware attack, we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Similarly, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our information technology systems (including our products) or the third-party information technology systems that support us and our services. Such attacks may also include exploitation of vulnerabilities in third party or open source software code that may be incorporated into our own or our customers’ or supplier’s systems, such as the vulnerability in the Java logging library known as “log4j” identified in late 2021 that affected many in our industry. Further, if our systems or those of our third-party service providers are breached as a result of third-party action, employee error or misconduct, attackers could learn critical information about how our products operate to help protect our customers’ IT infrastructures from cyber risk, thereby making our customers more vulnerable to cyber attacks. While we maintain measures designed to protect the integrity, confidentiality and security of our data, our security measures could fail and those of our third-party service providers have failed and could fail, any of which could result in unauthorized access to or disclosure, modification, misuse, loss or destruction of such data or financial loss.
Additionally, the growth in state sponsored cyber activity, including those actions taken in connections with the armed conflict in Russia and Ukraine, demonstrates the increasing sophistication and evolution of cyber threats. As a result, we may be unable to anticipate the techniques used or implement adequate measures to prevent an electronic intrusion into our customers through our cloud platform or to prevent breaches and other security incidents affecting our cloud platform, internal networks, systems or data. Further, once identified, we may be unable to remediate or otherwise respond to a breach or other incident in a timely manner. Actual or perceived security breaches of our cloud platform could result in actual or perceived breaches of our customers’ networks and systems.
Since our business is subjectfocused on providing reliable security solutions to our customers, a security breach or other security incident, or the risksperception that one has occurred, could result in a loss of earthquakes, fire, power outages, floods customer confidence in the security of our offerings
57

Table of Contents
and other catastrophic events,damage to our brand, reduce the demand for our offerings, disrupt normal business operations, require us to spend material resources to investigate or correct the breach and to interruption by manmade problems suchprevent future security breaches and incidents, expose us to legal liabilities, including litigation, regulatory enforcement, and indemnity obligations, and adversely affect our revenues and operating results. These risks may increase as terrorism.we continue to grow the number and scale of our cloud services, and process, store, and transmit increasing amounts of data.
A significant natural disaster, suchAdditionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, that insurance will cover any indemnification claims against us relating to any incident, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as an earthquake, fireto any future claim. The successful assertion of one or a flood,more large claims against us that exceed available insurance coverage, or a significant power outagethe occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.
If Metasploit were to be used by attackers to exploit vulnerabilities in the cybersecurity infrastructures of third parties, our reputation and business could be harmed.
Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cybersecurity programs, Metasploit has in the past and may in the future be used to exploit vulnerabilities in the cybersecurity infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes. Any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our offerings. Further, the identification of new exploits and vulnerabilities by the Metasploit community may enhance the knowledge base of cyber attackers or enable them to undertake new forms of attacks. If any of the foregoing were to occur, we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.
Because our products collect and store user and related information, domestic and international privacy and cybersecurity concerns, and other laws and regulations, could have a material adverse effect on our business.
We, and our customers, are subject to a number of stringent and changing obligations in domestic and international laws, regulations, guidance, industry standards, external and internal policies and contracts and other obligationsthat address a range of issues including data privacy and cybersecurity, and restrictions or technological requirements regarding the collection, use, storage, protection, retention or transfer of data. The regulatory framework for online services, data privacy and cybersecurity issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. This creates some uncertainty as to the effective legal frameworks and our obligations may be subject to differing applications and interpretations, which may be inconsistent or in conflict among jurisdictions. Preparation for and compliance with these obligations requires us to devote significant resources (including, without limitation, financial and time-related resources). These obligations may necessitate changes to our business including our information technologies, systems and practices and to those of any third parties that process personal data on our behalf. Although we strive to comply with all applicable data privacy and security obligations, we may at times fail (or be perceived to have failed) to do so. Moreover, despite our efforts, our personnel or third parties upon whom we rely may fail to comply with such obligations. If we (or third parties upon whom we rely) fail, or are perceived to have failed, to address and comply with data privacy and security obligations, we could face significant consequences. These consequences may include but are not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections and similar consequences); litigation (including class-related claims); additional reporting requirements and oversight; bans on processing personal data; orders to destroy and not to use personal data; and imprisonment of company officials. Any of these events could have a material adverse effect on our reputation and our business, and financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business or operations; inability to process personal data; inability to operate in specific jurisdictions; limitations in our ability to develop our products and professional services; management's time and other resource expenditures; adverse publicity; and revisions to our operations.
In the United States, federal, state and local governments have enacted numerous data privacy and cybersecurity laws (including data breach notification laws, personal data privacy laws and consumer protection laws). For example, the California Consumer Privacy Act of 2018 (“CCPA”), imposes obligations on businesses to which it applies. These obligations include but are not limited to providing specific disclosures in privacy notices and affording California residents certain rights related to their personal data. The CCPA allows for statutory fines for non-compliance (up to $7,500 per violation). Other states have proposed data privacy laws. If we become subject to new data privacy or security laws, the risk of enforcement action against us could increase because we may become subject to additional obligations, and the number of individuals or entities that can initiate actions against us may increase (including individuals, via a private right of action, and state actors).
58

Table of Contents
Internationally, virtually every jurisdiction in which we operate has established its own data security and cyberprivacy legal frameworks with which we, and/or our customers, must comply, including the European Union's General Data Protection Regulation, 2016/679 (“GDPR”), laws implemented by European Union (“EU”) member states and, following the withdrawal of the United Kingdom (“UK”) from the EU, the so-called ‘UK GDPR’ (“European Data Protection Laws”). The UK’s decision to leave the EU and ongoing developments in the UK have created uncertainty with regard to data protection regulation in the UK. Going forward, there may be an increasing scope for divergence in the application, interpretation and enforcement of data protection laws as between the UK and EU. The European Data Protection Laws present significantly greater risks, compliance burdens and costs for companies with users and operations in the EU and UK. Under the GDPR, fines of up to 20 million euros or up to 4% of the annual global turnover of the infringer, whichever is greater, could be imposed for significant non-compliance and similar levels of fines could also be imposed under the UK GDPR.
The European Data Protection Laws are broad in their application and apply when we do business with EU- and UK-based customers and when our U.S.-based customers collect and use personal data that originates from individuals resident in the EU and UK. They also apply to transfers of personal data between us and our EU- and UK-based subsidiaries, including employee information. Further, many U.S. federal and state and other foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. Non-compliance with these laws could result in penalties or significant legal liability. We could be adversely affected if legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations or financial condition.
In addition, certain jurisdictions have enacted data localization laws and cross-border personal data transfer laws. For example, European Data Protection Laws generally prohibit the transfer of personal data from the European Economic Area (“EEA”) and, the UK and Switzerland (collectively, “Europe”), to most other non-European countries unless the parties to the transfer have implemented specific safeguards to protect the transferred personal data. In particular, government regulators in Europe have found that the United States does not provide an adequate level of data privacy and cybersecurity protection and although there are legal mechanisms to allow for the transfer of personal data from Europe to the United States, uncertainty remains about compliance and such mechanisms may not be available or applicable with respect to our personal data processing activities. For example, the “Standard Contractual Clauses” (“SCCs) that are designed to be a valid mechanism by which parties can transfer personal data out of Europe to jurisdictions that are not found to provide an adequate level of protection, must be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country. Specifically, the parties to the cross-border personal data transfer must evaluate the importing jurisdiction’s laws and implement supplemental security measures as necessary to protect the at-issue personal data. It is likely that there will continue to be some uncertainty regarding the mechanisms by which parties transfer personal data out of Europe to jurisdictions such as the United States. At present, there are few if any viable alternatives to the SCCs. If we cannot implement and maintain a valid mechanism for cross-border personal data transfers, we may face increased exposure to regulatory actions, substantial fines and injunctions against processing (including prohibitions on transferring personal data out of the EU and UK). This may also reduce demand for our services from companies subject to European Data Protection Laws. Loss of our ability to import personal data from the EU and UK may also require us to increase our data processing capabilities in the EEA at significant expense.
The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our software. Privacy or cybersecurity concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.
Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Our failure to comply with existing laws, rules or regulations, changes to existing laws or their interpretation, or the imposition of new laws, rules or regulations, could result in additional costs and may necessitate changes to our business practices and divergent operating models, which may have a material and adverse impact on our business, operating results of operations, and financial condition. In addition, natural disasters could affect
Organizations may be reluctant to purchase our channel partners’ abilitycloud-based offerings due to perform servicesthe actual or perceived vulnerability of cloud solutions.
Some organizations have been reluctant to use cloud solutions for us on a timely basis. Incybersecurity, such as our InsightVM, InsightIDR, InsightAppSec, InsightConnect, InsightCloudSec and Threat Intelligence, because they have concerns regarding the eventrisks associated with the reliability or security of the technology delivery model associated with this solution. If we or our channel partners are hindered by anyother cloud service providers experience security incidents, breaches of the events discussed above, our ability to provide our products or professional services to customers could be delayed.
In addition, our facilities and those of our third-partycustomer data, centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a natural disaster, power failure or an act of terrorism, vandalismdisruptions in service delivery or other misconduct,problems, the market for cloud solutions as a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events orwhole may be insufficient to compensate us for the potentially significant losses, including the potentialnegatively impacted, which could harm to the future growthour business.
59

Table of our business, that may result from interruptions in our service as a result of system failures.Contents
All of the aforementioned risks may be exacerbated if our disaster recovery plans or the disaster recovery plans established for our third-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our business, financial condition and results of operations could be adversely affected.
Risks Related to our Common Stock

The market price of our common stock has been and is likely to continue to be volatile.
The market price of our common stock may be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways. Since shares of our common stock were sold in our initial public offering or IPO,(“IPO”), in July 2015 at a price of $16.00 per share, our stock price has ranged from an intraday low of $9.05 to an intraday high of $27.45$145.00 through November 1, 2017.April 29, 2022. Factors that may affect the market price of our common stock include:
actual or anticipated fluctuations in our financial condition and operating results;
variance in our financial performance from expectations of securities analysts;
changes in our projected operating and financial results;
changes in the prices of our products and professional services;
changes in our projected operating and financial results;
changes in laws or regulations applicable to our products or professional services;
announcements by us or our competitors of significant business developments, acquisitions or new offerings;
our involvement in any litigation;litigation or investigations by regulators;
our sale of our common stock or other securities in the future;
changes in our board of directors, senior management or key personnel;
trading volume of our common stock;
price and volume fluctuations in the overall stock market;
changes in the anticipated future size and growth rate of our market;
sales of shares of our common stock by us or our stockholders, including sales and purchases of any common stock issued upon conversion of our convertible senior notes; and
general economic, regulatory and market conditions.
From time to time,Recently, the stock markets, and in particular the market on which our common stock is listed, have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies.companies due to, among other factors, the actions of market participants or other actions outside of our control, including general market volatility caused by the COVID-19 pandemic. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We may be the target of this type of litigation in the future, which could result in substantial costs and divert our management’s attention.
We may fail to meet our publicly announced guidance or other expectations about our business and future operating results, which would cause our stock price to decline.
We have provided and may continue to provide guidance about our business, other business metrics and future operating results. In developing this guidance, our management must make certain assumptions and judgments about our future performance. Furthermore, analysts and investors may develop and publish their own projections of our business, which may form a consensus about our future performance. Our business results may vary significantly from such guidance or that consensus due to a number of factors, many of which are outside of our control, and which could adversely affect our operations and operating results. Furthermore, if we make downward revisions of our previously announced guidance, or if our publicly announced guidance of future operating results fails to meet expectations of securities analysts, investors or other interested parties, the price of our common stock would decline.
If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.
The trading market for our common stock will depend,depends, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.
We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.
We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors.

Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Concentration of ownership among our existing directors, executive officers and holders of 10% or more of our outstanding common stock may prevent minority investors from influencing significant corporate decisions.
As of November 1, 2017, our directors, executive officers and holders of more than 10% of our common stock, some of whom are represented on our board of directors, together with their affiliates, beneficially owned 44% of the voting power of our outstanding capital stock. As a result, these stockholders will be able to determine the outcome of matters submitted to our stockholders for approval. This concentration of ownership by itself may have the effect of delaying, deferring or preventing a change in control of our company, impeding a merger, consolidation, takeover or other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control, which in turn, could materially and adversely affect the market price of our common stock.
Substantial futureFuture sales of our common stock or equity-linked securities in the public market could lower the market price for our common stock and adversely impact the trading price of the Notes.
In the future, we may sell additional shares of our common stock or the perception that these sales may occur, could cause our share priceequity-linked securities to decline.
Sales ofraise capital. In addition, a substantial amountnumber of shares of our common stock is reserved for issuance upon the exercise of stock options, settlement of
60

other equity incentive awards and upon conversion of the Notes. The indentures for the Notes do not restrict our ability to issue additional common stock or equity-linked securities in the publicfuture. We cannot predict the size of future issuances or the effect, if any, that they may have on the market price for our common stock. The issuance and sale of substantial amounts of common stock or equity-linked securities, or the perception that thesesuch issuances and sales mightmay occur, could depressadversely affect the trading price of the Notes and the market price of our common stock and could impair our ability to raise capital through the sale of additional equity or equity-linked securities. All
Risks Related to our Indebtedness
We have a significant amount of debt that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur additional debt in the future, which may adversely affect our operations and financial results. We may not have sufficient cash flow from our business to pay our substantial debt when due.
In May 2020, we issued $230.0 million aggregate principal amount of 2025 Notes and in March 2021, we issued $600.0 million aggregate principal amount of 2027 Notes (collectively, the (“Notes”). In addition, we may also incur indebtedness under our revolving credit facility. Our indebtedness may:
limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes;
limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes;
require us to use a substantial portion of our cash flow from operations to make debt service payments;
limit our flexibility to plan for, or react to, changes in our business and industry;
place us at a competitive disadvantage compared to our less leveraged competitors; and
increase our vulnerability to the impact of adverse economic and industry conditions.
Further, the indentures governing the Notes do not restrict our ability to incur additional indebtedness, secure existing or future debt, recapitalize our existing or future debt or take a number of other actions that could intensify the risks discussed above and below. Further, we and our subsidiaries may incur substantial additional indebtedness in the future, subject to the restrictions contained in our revolving credit facility and any future debt instruments existing at the time, some of which may be secured indebtedness. While our revolving credit facility restricts our ability to incur additional indebtedness, if our revolving credit facility is terminated, we may not be subject to such restriction under the terms of such indebtedness.
Our ability to pay our debt when due or to refinance our indebtedness, including the Notes, depends on our future performance, which is subject to economic, financial, competitive, and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. In addition, any required repurchase of the Notes for cash as a result of a fundamental change or voluntary redemption (in each case, pursuant to the terms of the Notes) would lower our current cash on hand such that we would not have that cash available to fund operations. If we are unable to generate sufficient cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring our debt or obtaining additional equity capital on terms that may be onerous or highly dilutive. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations.
In addition, our revolving credit facility contains, and any future additional indebtedness that we may incur may contain, financial and other restrictive covenants that limit our ability to operate our business, raise capital, pay dividends and/or make payments under our other indebtedness. If we fail to comply with these covenants or to make payments under our indebtedness when due, then we would be in default under that indebtedness, which could, in turn, result in that and our other indebtedness becoming immediately payable in full. Any such event of default under our revolving credit facility would give the lenders the right to terminate their commitments to provide additional loans under our revolving credit facility and to declare any and all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. In addition, the lenders under our revolving credit facility would have the right to proceed against the collateral in which we granted a security interest to them, which consists of substantially all our assets. If the debt under our revolving credit facility were to be accelerated, we may not have sufficient cash or be able to borrow sufficient funds to refinance the debt or sell sufficient assets to repay the debt, which could immediately materially and adversely affect our cash flows, business, results of operations, financial condition and our ability to make payments under our indebtedness, including the Notes, when due. Further, the terms of any new or additional financing may be on terms that are more restrictive or on terms that are less desirable to us.
61

The conditional conversion feature of the Notes, if triggered, may adversely affect our financial condition and operating results.
In the event the conditional conversion feature of the Notes is triggered, holders of the Notes will be entitled to convert their Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation in cash, which could adversely affect our liquidity. As disclosed in Note 10, Debt, to our consolidated financial statements, the conditional conversion features of the 2025 Notes were triggered as of March 31, 2022, and the 2025 Notes are freely tradable without restrictionconvertible at the option of the holders, in whole or in part, between April 1, 2022 and June 30, 2022. Whether the 2025 Notes will be convertible following the fiscal quarter ending June 30, 2022, will depend on the continued satisfaction of this condition or another conversion condition in the future. As of March 31, 2022, the 2027 Notes are not convertible at the option of the holder. In addition, even if holders of Notes do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the Securities Actoutstanding principal of 1933,the Notes as amended, ora current rather than long-term liability, which would result in a material reduction of our net working capital.
The capped call transactions may affect the Securities Act, except for anyvalue of the Notes and our common stock.
In connection with the issuance of the 2023 Notes, the 2025 Notes and the 2027 Notes, we entered into capped call transactions with certain counterparties (the “Capped Calls”). The Capped Calls cover, subject to customary adjustments, the number of shares of our common stock that may be heldinitially underlying each of the 2023 Notes, the 2025 Notes and the 2027 Notes. The Capped Calls are expected to offset the potential dilution as a result of conversion of such Notes. In connection with establishing their initial hedge of the capped call transactions, the counterparties or acquired bytheir respective affiliates entered into various derivative transactions with respect to our directors, executive officers and other affiliates, as that term is definedcommon stock concurrently with or shortly after the pricings of the respective Notes, including with certain investors in the Securities Act,applicable Notes. The counterparties and/or or their respective affiliates may modify or unwind their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the applicable Notes (and are likely to do so on each exercise date of the capped call transactions, which are subjectscheduled to restrictions underoccur during the Securities Act,applicable observation period relating to any conversion of the 2025 Notes on or after November 1, 2024 or relating to any conversion of the 2027 Notes on or after December 15, 2026, in each case that may be issued under our equity incentive plans subjectis not in connection with a redemption). We redeemed the 2023 Notes in November 2021. As described elsewhere in this Quarterly Report on Form 10-Q, the 2023 capped calls were not redeemed with the redemption of the 2023 Notes. We cannot make any prediction as to vesting requirements. We are unable to predict the direction or magnitude of any potential effect that these sales, particularly sales by our directors, executive officers, and significant stockholders,the transactions described above may have on the prevailingprices of the Notes or the shares of our common stock. Any of these activities could adversely affect the value of the Notes and our common stock.
We are subject to counterparty risk with respect to the capped call transactions.
The option counterparties are financial institutions, and we will be subject to the risk that one or more of the option counterparties may default or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Calls. Our exposure to the credit risk of the option counterparties will not be secured by any collateral. Recent global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under such transaction. Our exposure will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. In addition, upon a default or other failure to perform, or a termination of obligations, by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of the option counterparties.
Provisions in the indentures for the Notes may deter or prevent a business combination that may be favorable to our stockholders.
If a fundamental change occurs prior to the maturity date of the Notes, holders of the Notes, will have the right, at their option, to require us to repurchase all or a portion of their Notes. In addition, if a “make-whole fundamental change” (as defined in the indentures) occurs prior the maturity date, we will in some cases be required to increase the conversion rate of the Notes for a holder that elects to convert its Notes in connection with such make-whole fundamental change.
Furthermore, the indentures governing the Notes prohibit us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the Notes. These and other provisions in the indentures could deter or prevent a third party from acquiring us even when the acquisition may be favorable to our stockholders.
62

Conversion of the Notes will dilute the ownership interest of existing stockholders, including holders who had previously converted their Notes, or may otherwise depress the price of our common stock.
We have filed registration statements on Form S-8 underThe conversion of some or all of the Securities ActNotes will dilute the ownership interests of existing stockholders to register shares of common stock that may be issued under our equity incentive plans from time to time. Shares registered under these registration statements are available for sale in the public market upon issuance subject to vesting arrangements and exercise of options, as well as Rule 144 in the case of our affiliates. We also filed a “shelf” registration statement on Form S-3 under the Securities Act in May 2017 that became effective in June 2017, allowing us, from time to time, to offer up to $50 million of shares of common stock and to cover the resale of up to an aggregate of 18,419,274extent we deliver shares of our common stock by selling stockholdersupon conversion of any of the Notes. As disclosed in Note 10, Debt, to our consolidated financial statements, the conditional conversion features of the 2025 Notes were triggered as of March 31, 2022, and the 2025 Notes are convertible at the option of the holders, in whole or in part, between April 1, 2022 and June 30, 2022. Whether the 2025 Notes will be namedconvertible following the fiscal quarter from April 1, 2022 and June 30, 2022 will depend on the continued satisfaction of the applicable conversion condition or another conversion condition in the applicable prospectus supplement tofuture. As of March 31, 2022, the shelf registration statement, from time to time.
Certain existing holders2027 Notes are not convertible at the option of the holder. Any sales in the public market of the common stock issuable upon such conversion could adversely affect prevailing market prices of our common stock havestock. In addition, the right, subjectexistence of the Notes may encourage short selling by market participants because the conversion of the Notes could be used to various conditions and limitations, to request we include theirsatisfy short positions, or anticipated conversion of the Notes into shares of our common stock in registration statements we may file relating to our securities. Ifcould depress the offer and sale of these shares are registered, they will be freely tradable without restriction under the Securities Act. In the event such registration rights are exercised and a large number of shares of common stock are sold in the public market, such sales could reduce the trading price of our common stock.
General Risks
Failure to comply with governmental laws and regulations could harm our business.
Our business is subject to regulation by various federal, state, local and foreign governments. In June 2017,certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we fileddo not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a prospectus supplement with respectsignificant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.
Our business is subject to the salerisks of upclimate change, pandemics, earthquakes, fire, power outages, floods and other catastrophic events, and to 2,800,000 shares ofinterruption by manmade problems such as terrorism.
A significant public health crisis, epidemic or pandemic (including the ongoing COVID-19 pandemic), or climate change, or a natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our common stockbusiness, operating results and financial condition. In addition, public health crises, climate change, or natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by two of our significant stockholders, which facilitated the resale by those holders of a portionany of the shares ofevents discussed above, our common stock they hold.ability to provide our products or professional services to customers could be delayed.
In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war (including the armed conflict between Russia and Ukraine), terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a public health crisis, climate change, natural disaster, power failure or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future we may issue common stock or other securities in connection with a capital raise or acquisitions. The number of new sharesgrowth of our common stock issued in connection with a capital raise or acquisition could constitute a material portion of our then-outstanding shares of our common stock.
We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our common stock less attractive to investors.
We are an “emerging growth company,” as defined in the JOBS Act. For as long as we qualify as an emerging growth company, we intend to take advantage of certain exemptionsbusiness, that may result from various reporting requirements that are applicable to other public companies that are not “emerging growth companies” including, but not limited to, the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensationinterruptions in our periodic reports and proxy statements, and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We cannot predict if investors will find our common stock less attractive because we will rely on these exemptions and provide reduced disclosure. If some investors find our common stock less attractiveservice as a result thereof system failures.
All of the aforementioned risks may be a less active trading marketexacerbated if our disaster recovery plans or the disaster recovery plans established for our common stockthird-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our stock price maybusiness, financial condition and results of operations could be more volatile.

adversely affected.
We are obligated to maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.
We have been and are required, pursuant to Section 404 of the Sarbanes-Oxley Act or Section 404,(Section 404), to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal controls are effective. While we have established certain procedures and control over our financial reporting processes, we cannot assure you that these efforts will prevent restatements of our financial statements in the future.
63

Our independent registered public accounting firm will not beis also required, pursuant to attestSection 404, to report annually on the effectiveness of our internal control over financial reporting until our first annual reportreporting. This assessment is required to be filed with the SEC following the date we no longer qualify as an “emerging growth company,” as definedinclude disclosure of any material weaknesses identified by our management in the JOBS Act. At such time,our internal control over financial reporting. For future reporting periods, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. We may not be able to remediate any future material weaknesses, or to complete our evaluation, testing and any required remediation in a timely fashion. We will be required to disclose significant changes made in our internal control procedures on a quarterly basis.
Our compliance with Section 404 will require that we incur substantial accounting expense and expend significant management efforts. We currently do not have an internal audit group, and we may need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404.
Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to assertconclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion on the effectiveness ofthat our internal controls when it is required to issue such opinion, weover financial reporting are effective, investors could lose investor confidence in the accuracy and completeness of our financial reports, which could cause the market price of our common stock couldto decline, and we could be subject to sanctions or investigations by the NASDAQ Stock Market,regulatory authorities, including the SEC or other regulatory authorities.and Nasdaq. Failure to remedyremediate any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
Changes in financial accounting standards may adversely impact our reported results of operations.
A change in accounting standards or practices could adversely affect our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may adversely affect our operating results.
We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all.
We intend to continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. For example, while the potential impact and duration of the COVID-19 pandemic on the global economy and our business in particular may be difficult to assess or predict, the pandemic has resulted in, and may continue to result in significant disruption of global financial markets, reducing our ability to access capital, which could in the future negatively affect our liquidity. Although we expect that current cash and cash equivalent balances and cash flows that are generated from operations will be sufficient to meet our domestic and international working capital needs and other capital and liquidity requirements for at least the next 12 months, if we are unable to obtain adequate financing or financing on terms satisfactory to us if and when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us more difficult, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change in control or changes in our management. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:
authorize our board of directors to issue preferred stock without further stockholder action and with voting liquidation, dividend and other rights superior to our common stock;
require that any action to be taken by our stockholders be effected at a duly called annual or special meeting and not by written consent, and limit the ability of our stockholders to call special meetings;
establish an advance notice procedure for stockholder proposals to be brought before an annual meeting, including proposed nominations of persons for director nominees;
establish that directors elected prior to our board of directors is divided into three classes, with directors in each class serving2021 annual meeting serve three-year staggered terms;terms and subsequent to the 2023 annual meeting, each director will hold office for a term of one year;
(i) prior to June 30, 2022 require the approval of holders of two-thirds of the shares entitled to vote at an election of directors and (ii) on or following June 30, 2022, require the approval of the holders of a majority of the voting power of all of the then-outstanding shares of capital stock of the Company entitled to vote generally at an election of
64

directors, voting together as a single class, to adopt, amend or repeal our amended and restated bylaws or amend or repeal the provisions of our amended and restated certificate of incorporation regarding the election and removal of directors and the ability of stockholders to take action by written consent or call a special meeting;
prohibit cumulative voting in the election of directors; and
provide that vacancies on our board of directors may be filled only by a majority of directors then in office, even though less than a quorum.

These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, who are responsible for appointing the members of our management. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became an “interested” stockholder. Any of the foregoing provisions could limit could limit the opportunity for our stockholders to receive a premium for their shares of our common stock and could also affect the price that some investors are willing to pay for our common stock.
Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Pursuant to our amended and restated certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provision. The forum selection clause in our amended and restated certificate of incorporation may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.
Item 2.    Unregistered Sales of Equity Securities and Use of Proceeds.
(a) Recent Sales of Unregistered Equity Securities
None.

(b) Use of Proceeds from Initial Public Offering of Common Stock
Our initial public offering of common stock was effected through the filing of a Registration Statement on Form S-1 (File No. 333-204874), which was declared or became effective on July 16, 2015. There has been no material change in the use of proceeds from our initial public offering as described in our final prospectus filed with the SEC pursuant to Rule 424(b) and other periodic reports previously filed with the SEC.None.
(c) Issuer Purchases of Equity Securities
None.
  Total Number of Shares Purchased (1) Average Price Paid per Share Total Number of Shares Purchased as Part of Publicly Announced Plans or Programs Approximate Dollar Value of Shares That May Yet Be Purchased Under the Plans or Programs (dollars in thousands)
July 1, 2017 to July 31, 2017 6,610
 $17.28
 
 
August 1, 2017 to August 31, 2017 
 
 
 
September 1, 2017 to September 30, 2017 
 
 
 
Total 6,610
 $17.28
 
 
(1)Represents the total number of shares of our common stock delivered to us by an employee to satisfy the statutory tax withholding obligations owed in connection with the vesting of restricted stock awards granted to such employee under the Rapid7, Inc. 2015 Equity Incentive Plan, as amended.
Item 3.    Defaults Upon Senior Securities.
Not applicable.
Item 4.    Mine Safety Disclosures.

Not applicable.
Item 5.    Other Information.
None.

65

Table of Contents


Item 6.    Exhibits.
Exhibit
Number
Description
Amended and Restated Certificate of Incorporation of Rapid7, Inc. (filed as Exhibit 3.1 to the Registrant’s CurrentQuarterly Report on Form 8-K10-Q (File No. 001-37496), filed with the Securities and Exchange Commission on July 22, 2015,August 10, 2020, and incorporated herein by reference).
Amended and Restated Bylaws of Rapid7, Inc. (filed as Exhibit 3.2 to the Registrant’s CurrentQuarterly Report on Form 8-K10-Q (File No. 001-37496), filed with the Securities and Exchange Commission on July 22, 2015,August 10, 2020, and incorporated herein by reference).
Certification of Principal Executive Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002.
Certification of Principal Financial Officer Pursuant to Rules 13a-14(a) and 15d-14(a) under the Securities Exchange Act of 1934, as Adopted Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002.
Certification of Principal Executive Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002.
Certification of Principal Financial Officer Pursuant to 18 U.S.C. Section 1350, as Adopted Pursuant to Section 906 of the Sarbanes-Oxley Act of 2002.
101.INSInline XBRL Instance Document - the instance document does not appear in the Interactive Data file because its XBRL tags are embedded within the inline XBRL document
101.SCHInline XBRL Taxonomy Extension Schema Document
101.CALInline XBRL Taxonomy Extension Calculation Linkbase Document
101.DEFInline XBRL Taxonomy Extension Definition Linkbase Document
101.LABInline XBRL Taxonomy Extension Label Linkbase Document
101.PREInline XBRL Taxonomy Extension Presentation Linkbase Document
104Cover Page Interactive Data file (formatted as inline XBRL with applicable taxonomy extension information contained in Exhibits 101)
*Filed herewith.
**This certification is deemed not filed for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liability of that section, nor shall it be deemed incorporated by reference into any filing under the Securities Act of 1933, as amended, or the Securities Exchange Act of 1934, as amended.



66

Table of Contents
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned thereunto duly authorized.
RAPID7, INC.
Date: May 5, 2022RAPID7, INC.
By:
Date: November 8, 2017By:/s/ Corey E. Thomas
Name:  Corey E. Thomas
Title:    President and Chief Executive Officer
(Principal Executive Officer)
Date: November 8, 2017May 5, 2022By:/s/ Jeff KalowskiTim Adams
Name:Jeff Kalowski  Tim Adams
Title:    Chief Financial Officer
(Principal Financial Officer and Principal Accounting Officer)




57
67