Rapid7 Raises $30 Million, Aims to Make Attacks More Expensive

CEO Corey Thomas, whose goal is to help companies manage their global IT security exposure, explains what Rapid7 is doing with the money to help secure IT.


Security vendor Rapid7 Dec. 17 announced that it has raised $30 million in a new Series D round of funding. To date, Rapid7 has raised $91 million in funding to help support its security business.

Rapid7 CEO Corey Thomas is planning on using the new funds to further development of technologies to help grow the company's exposure management business. The goal of Rapid7, which provides a number of products and security services, including the Nexpose vulnerability management platform and the Metasploit penetration testing framework, is to help companies manage their global IT security exposure, he said.

"In the last few years we have helped customers find and detect intruders in their environment, and we have helped our customers establish better security programs and practices," Thomas told eWEEK.

Among the product areas that the company will be expanding are its UserInsight service for incident and intruder detection and its Global Strategic Services operation, which enables organizations to use information to manage their security programs.

With the new funding, Thomas is looking to expand both the engineering and the sales resources at Rapid7. As a private company, Rapid7 does not publicly disclose its financial status. That said, Thomas claimed that Rapid7 has a very good handle on its business.

As a software and services company, Rapid7 does not have its own hardware. Thomas said the company does partner with some hardware vendors, but he doesn't view hardware as a core part of his business. Moving to a hybrid environment with both on-premises and cloud components is the general direction for Rapid7's business.

"Our UserInsight product is managed in the cloud today, and it does have collectors that work on-premises," Thomas said. "We also offer managed services with Nexpose."

Thomas said Rapid7 isn't religious about any particular technology approach to delivery, but rather is trying to reduce customer friction points for deployment.

From a business revenue perspective, Thomas noted that Rapid7 is primarily a product- and software-as-a-service-oriented company.

"If you look at our revenue, we'd be considered a strong technology business and practice," he said. "Our services are about enabling our customers to be more successful over time."

Given all the security vendors in the market and the growing threats from attacks, it is increasingly difficult for individual vendors to differentiate and stand out from the crowd. One of the ways that Rapid7 aims to differentiate itself is by being more substantive and helping enterprises actually realize and measure value from their security investments.

Rapid7 is able to demonstrate return on investment (ROI) for security by using a methodology that defines how expensive it is for a hacker to attack an organization.

"So, how expensive is it for a company to be attacked and be compromised by an attacker?" Thomas said. "There are some organizations that are really cheap to attack, and that means they are susceptible to anyone attacking them."

On the other hand are organizations that are expensive to attack, which means it requires more focus, attention and resources from an attacker.

There are three primary ways that Rapid7 defines how expensive it is for an attacker to attack an enterprise. The first is how effectively IT is managed from a security perspective. That drills down into how well an organization deploys, configures and manages controls in its IT environment. The second factor is the speed of incident detection. That is, does an organization have technology present that can detect compromises rapidly? The third factor is how well an organization is able to manage the cost of remediation for the first two factors.

"Our goal is to say how easy is it for you to be attacked and compromised systematically today and how do you make that more difficult and more expensive over time," Thomas said. "It's not a magic pill approach; it is a more managed state of security, but we think it is achievable."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.