NEWS ANALYSIS: Money continues to flow toward companies like Rapid7, which focuses on penetration testing and recently announced new incident-response services.
Security vendor Rapid7's June 11 S-1 filing
for an initial public offering (IPO) is yet another indication of the intense demand for security services and the willingness of investors to pour money into security technologies.
Rapid7's S-1 filing offers new visibility into the operations of the currently privately held company. In 2014, Rapid7 generated $76.9 million in revenue from its operations, up from only $31 million in 2011, but the company isn't currently profitable and recorded a net loss in 2014 of $32.6 million.
Rapid7 aims to raise $80 million in the IPO. Previously, the company received $91 million in financing, including a $30 million Series D round announced
in December 2014.
The first time I ever actually heard of Rapid7 was back in 2009, when the company acquired
the open-source Metasploit penetration-testing framework. HD Moore, the founder of Metasploit, is one of the most well-known and respected researchers working today, and is currently the chief research officer at Rapid7.
When Metasploit first moved over to Rapid7, there were no commercial options. Now there are, with multiple editions and commercial support that enables enterprises and security researchers to get one of the most feature-rich penetration-testing platforms ever created.
Penetration testing, that is, testing an organization's posture against known security threats and misconfigurations is a critical exercise for all organizations. In fact, as part of the updated Payment Card Industry Data Security Standard (PCI DSS) 3.1 compliance requirements
, organizations are required to have a robust penetration-testing program.
The need for penetration testing is likely to help further drive Rapid7's business for years to come.
The other key driver for security revenue growth is the response side, which is an area that Rapid7 only recently entered. On March 3, Rapid7 announced
new incident-response services to help organizations be better prepared and respond to breach incidents.
With the seemingly never-ending stream of publicly disclosed data breaches, there is a clear demand and need for incident-response services. It's an area that today is largely dominated by Mandiant, which FireEye acquired
for $1 billion in January 2014.
The promise of Rapid7 is not about just making money from security technology and services, but rather about helping organizations make attacks more expensive.
"Our goal is to say how easy is it for you to be attacked and compromised systematically today and how [you should] make that more difficult and more expensive over time," Rapid7 CEO Corey Thomas told me in December 2014. "It's not a magic pill approach; it is a more managed state of security, but we think it is achievable."
Security is not a static state; it's a dynamic, managed state of operations that requires a very sophisticated skill set. That's why Rapid7 and other security companies that will likely follow it will continue to be a valued commodity for investors.
The question for Rapid7, however, is how effective the company will be at differentiating itself and maintaining operational excellence in an increasingly competitive marketplace of security vendors.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist