A look at Rubrik

We finally had the first cybersecurity IPO in over 2 years back in April, since Okta competitor ForgeRock IPO'd in Sep-21 (which was later acquired by Thoma Bravo and merged with Ping ID).

Rubrik filed an S-1 on April 1st, then filed an amended S-1 on April 16. Let's take a look at this cloud-based backup mgmt and data security company, which happens to partner with next-gen security providers like CrowdStrike, Zscaler, Microsoft, and Palo Alto. Many of these partners are moving into data protection themselves – Zscaler and Microsoft have long focused on DLP in their CASBs, and Palo Alto and CrowdStrike are moving heavily into that direction with the acquires of Dig Security and Flow Security. This will also be of interest to other next-gen security players like Cloudflare and Datadog.

• Rubrik has impressively gone through 3 major transitions at once, as they moved from on-prem app to cloud SaaS, shifted pricing from license to subscription, and evolved their backup & recovery solution to a broader next-gen data protection platform.
• Their subscription ARR from their next-gen SaaS platform is in hypergrowth, with ~60% of their business growing over 100%.
• But they remain very unprofitable. FCF margin could be positive soon, but op & net margin have a long way to go.
• Instead of providing an in-depth look at their profitability, they are providing Subscription ARR Contribution Margin as a substitute – this does show significant operational leverage over the past 2yr.
• Land and expand metrics look healthy. Customers are spending more and more, with a growing number of large customers.
• They are mostly through their major transitions, having hit an inflection point in the past 2Qs. They seem primed to accelerate into the next 2Qs.
• They partner with Microsoft, Palo Alto, and more recently, Zscaler a year ago and now CrowdStrike last month. However, these companies are moving into data security more deeply within their own CNAPP & SSE platforms.

Overview

Rubrik's mission is to "secure the world's data". They started as an on-premise backup & recovery solution, and have since evolved into a fuller cloud-based data mgmt and security platform. The starting point for understanding Rubrik is its evolution. Over the past several years, Rubrik has undergone three separate transitions. (These remind me of Splunk's similar shifts.)

• They have been transitioning from on-prem software on an appliance to a fully managed cloud SaaS service.
• They have been transitioning from perpetual licensing to term subscriptions (recurring revenue).
• They have been transitioning from their core backup & recovery solution to a fuller enterprise data security platform with a number of modules.

This now positions the company as an enterprise SaaS solution with recurring revenue that is heavily focused on land and expand. The growth from here will be from the overall growth of customer data, expansion into new apps/clouds to protect, and upselling into more & more modules.

Product Evolution

It was founded in late 2013 as ScaleData, but that was soon changed to Rubrik. Their first product launched in 2015, as an on-prem appliance-driven backup and recovery platform. SaaS applications began to appear in 2019, and by 2022, they released their fully managed cloud-native SaaS platform.

• In 2015 (FY16), they released their first product, Converged Data Mgmt (CDM). It was a self-managed backup & recovery-focused app that worked over on-prem data via a branded appliance.

A series of blog posts at the time noted how it was cloud-native (using cloud object stores as the underlying storage), API-driven (encouraging a partner ecosystem), and, unlike traditional solutions, was scalable and provided instant access. It was built from layered components that included a cloud-scale file system (on object stores) and Time Machine (versioned incremental backups). Its target was to replace heavy and slow backup & recovery processes over tape arrays or expensive on-prem spinning disks. It was sold via perpetual license & maint contracts, with the appliance made by OEM partners like Supermicro. Competitors included backup solutions from Dell/EMC and Veritas.

• In 2018 (FY19), this evolved into their Polaris release, where they began to call it a SaaS platform and morph the CDM platform into Cloud Data Mgmt. This added in cloud-native backup & recovery, plus new modules for Anomaly Detection (ransomware monitoring) and Sensitive Data Monitoring.
• In 2019 (FY20), they began to shift from perpetual licensing to term subscriptions. They finally stopped offering CDM licensing in Feb-22.
• In 2019, they also began to embrace the "Zero Trust" moniker, with a new DataGuardian architecture that added two-factor authentication (2FA) and user access tracking. This ultimately creates a logical airgap (protected network) between users and backed-up systems and data, which now features heavily in their marketing (the Zero Trust Data Security Company^TM).
• In 2020, they began to expand from on-prem and cloud systems & data into other types. They acquired the assets of Igneous in Dec-20 to add NAS capabilities and partnered with Microsoft in Aug-21.
• The next major release in May-21 (FY22) expanded the platform into unstructured data (NAS & data lakes) and SaaS app protection (MS365). They also added integrations to SIEMs like Azure Sentinel, and SOARs like Palo Alto XSOAR and Service Now IR.
• In Dec-21 (FY22), they released Rubrik Cloud Vault as a new fully-managed SaaS platform built entirely on Microsoft Azure. This soon evolved into the Rubrik Security Cloud (RSC) in May-22 (FY23). They began offering incentives to migrate legacy customers (credits), and transitioned appliances completely to OEM partners.
• They hit $400M in Sub ARR in Aug-22 (growing over +100%, at NRR >140%), and created a new Zero Labs research unit by hiring a Mandiant VP. They soon hit $500M in Sub ARR in Jan-23 from over 5000 custs.
• In Aug-23 (FY24), they acquired Laminar for $105M to move into Data Security Posture Mgmt (DSPM). This scans over cloud data lakes (AWS, Azure, GCP) and databases (Snowflake, BigQuery) to provide security posture analytics, data access control, and threat detection. Customers include Booking and Pagaya. They soon expanded it to cover cloud file stores (Microsoft OneDrive and Google Drive).
• In Jun-23 (FY24), they announced they were using Azure Open AI to create a new AI assistant. By Nov-23, this was released as the Ruby AI assistant, which leverages Azure OpenAI and their Data Threat ML engine for admins to automate threat investigation & recovery.
• In March (FY25), they released their Enterprise Proactive Edition (EPE) of RSC, which combined their new DSPM posture scanning into RSC's backup & recovery product suite.

Rubrik Security Cloud

Data security has typically been called DLP (Data Loss Protection) in the past, but has generally moved towards a more overarching "data security" moniker now that it serves as an umbrella over multiple data sources. These tools are for discovering data, classifying it (sensitive or not), and tracking its access and movement.

Rubrik's primary product is their Rubrik Security Cloud (RSC), a cloud-native SaaS platform for data mgmt (backup & recovery) and data security. It has a Zero Trust-like architecture separating the platform from user systems, and an immutable storage layer for backed-up data & systems (VMs and containers), so any detected threats or ransomware attempts can be easily rolled back to a clean copy. Competitors include Cohesity, Commvault, and Veeam.

RSC is an evolution of their backup & recovery software into a fuller SaaS platform over data mgmt and security, with a number of add-on modules. The goal is ultimately cyber threat detection & resiliency – being able to protect your business's data assets in this age of ransomware and insider threats. Modules include:

• Data Protection for backup & recovery mgmt and protection over enterprise, cloud, SaaS, and unstructured data. This includes hosts, VMs, containers, Kubernetes clusters, databases, files, NAS storage, data lakes, and SaaS apps like MS365 and ServiceNow.
• Data Threat Analytics for threat detection and attack tracking. This includes modules for Anomaly Detection (ransomware monitoring), Threat Monitoring, and Threat Hunting.
• Data Security Posture for continuous scanning of data resources. This includes modules for Sensitive Data Monitoring (tracking most valuable data closely) and User Intelligence (behavioral analytics).
• Cyber Recovery to improve readiness and incident response. This includes modules for recovery simulation, threat containment, and orchestrated recovery to the last clean copy of data (VM, container, database, file).

From its release: "It provides a simple way to test, validate, and document the success of an organization’s cyber recovery plans. It also provides businesses a way to instantly recover the last known clean copy of data into production while performing forensic investigations out-of-band in an isolated recovery environment."

• Ruby is their new AI assistant to help automate incident investigations and automated recovery.
• They also provided a number of other tools & services within RSC, including SentryAI for system health monitoring, dedicated Customer Experience Mgrs (CEMs) and support engineers, a 24x7 Ransomware Recovery Team, and the Rubrik University for training, e-learning, and certifications.

They have a variety of honed solutions that their singular RSC platform can address, including backup/recovery and security over on-prem and cloud infrastructure (VM and containers) and a wide variety of databases, data lakes, SaaS apps, and on-prem storage (NAS).

RSC is priced in 3 tiers:

• Foundation Edition for the core data protection.
• Business Edition adds Anomaly Detection (ransomware monitoring) from Threat Analytics.
• Enterprise Edition provides it all, including threat hunting, containment, recovery simulation, sensitive data monitoring, and Ruby AI

Mgmt stresses that any of the data types covered provide a land, over enterprise (on-prem systems and files), cloud (cloud-native infra), unstructured data (NAS and data lakes), and SaaS application data (Google Drive, MS365). From there, data volumes can grow, customers can expand into other protected areas, and upsell into additional modules and pricing tiers.

• In Nov-22, they added a Cyber Recovery module focused on resilience and recovery testing.
• In May-23, they added User Intelligence features, bolstering their Zero Trust architecture with behavioral analytics.  
• They added a deep integration with MS365 Backup in Jun-23, and expanded it to separate product in Nov-23.

Breaking through some of the terminology in their S-1 and marketing, they combine data and metadata ("self-describing data") and incrementally back up files and data into an append-only cloud object store ("time-series", aka an immutable Time Machine backup). Metadata includes app context, user identity, data sensitivity, and lineage tracking. Because this metadata follows the data around through incremental backups, they are able to apply AI/ML over it all for threat detection and automated recovery, to track threats across backed-up versions of a system or file. They make intensive use of AI/ML in data classification and threat detection, as well as the recent moves into LLMs. Once a threat is detected, they can automatically roll back a system or file or piece of data back to its last known clean state.

From a blog on their data observability engine: "Rubrik organizes backup snapshots into a time-series that can be scanned and analyzed on-demand to find indicators of compromise. This ensures safer recovery by helping organizations contain infected data and restore the last known clean copy."

Their platform has automation at the core, and ties to SIEM/SOAR platforms like Palo Alto XSOAR, as well as now CrowdStrike XDR and Zscaler SSE.

Rubrik believes it has a $36.3B TAM in 2024, growing at 13% CAGR to $52.9B in 2027. This includes Data Mgmt (backup and recovery) growing from $12.9B to $15.4B, and, more importantly, Data Security growing from $23.4B to $37.5B. [Note how they included application security, cloud security, CSPM, and PAM in that calculation per the fine print.]

A walk through the finances

Given the transitions above (licenses to sub, on-prem appliance clusters to cloud service, backup & recovery to fuller security platform), the finances are a bit of mess. But they are clearly in growth mode, with weak profitability and strong land & expand metrics.

You can see the transition clearly in the FY24 results:

• FY24 Revenue was $627.9M, only growing +5% due to their pricing model transition.
• FY24 Sub Revenue was $537.9M, growing +40%.
• FY24 Maint Revenue was $38.7M, dropping -49%.
• Other Revenue (licenses) was $51.3M, dropping -63%.

It is clearly best to focus on the subscription side of things, aka their SaaS-based recurring revenue.

• Q4 Sub Revenue grew +61.2% to $158.7M, or +10.7% sequentially.
• Sub Revenue has grown from 72.5% to 90.7% of total revenue in FY24.

Given these transitions, the metric they are most focused on is Subscription ARR, which comes from RSC as well as some remaining subs to their legacy CDM.

• Sub ARR grew +47.1% to $784M (vs +96% a year ago), or +8.2% sequentially (vs +15.9% a year ago).
• Migrations were 17% of ARR in FY23, now ~4% in FY24. This suggests a lot of the growth over the past two years has been from land and expand instead of migrations.
• Factoring out these migrations, Sub ARR grew +43.1% adjusted (vs +79% a year ago).
• They have an RPO of $1.3B.

Cloud ARR is the subset of Sub ARR that really matters, as it factors out legacy subscriptions (CDM) and their on-prem deployments (RSC-Private).

• Cloud ARR grew +119.4% to $525M, or +15.4% seq.
• Cloud ARR has gone from 44.9% to 66.9% of the ARR mix in FY24 (+22pp).

Putting the Sub Rev mix (90% of rev) and Cloud ARR mix (67% of ARR) together, you have roughly 60% of revenue growing over 100%.

It seems the company has hit an inflection point in its transition to SaaS subscriptions. After a lull in from Oct-22 to Jul-23, Q4 (Jan-24) sub revenue is back to growing +29%, or +5.7% seq. Extending the Q4 seq growth rate forward to Q1 means YoY growth could accelerate to ~+36%. They are seasonally strong in Q2 in seq revenue and ARR, so we might see the same again in Q2.

It is also important to note that the majority of their revenue comes from channel partners. This was 79% of the mix in FY23, and 76% of the mix in FY24. (The S-1 shows the mix being 30%, 35% and 11% across the three partners.) Also, international went from 28.5% to 29.7% of the mix in that time – and will likely be a big focus for their GTM going forward.

As for the bottom line, they only broke out FY23 & FY24 totals. They didn't provide quarterly details, nor break out non-GAAP margins in detail.

• Gross Margin grew from 70% to 77%.
• Sub Gross Margin went from 84% to 82%, due to increased SaaS adoption and increased hosting costs from new products.  
• S&M grew from 70% to 77% of mix. R&D grew from 29% to 33% of mix. G&A grew from 14% to 16% of mix.
• Op margin went from -58% to -47%. Adj op margin went from -42% to -48%.
• Net margin went from -46% to -56%.
• FCF margin went from -3% to -4%, a slight retrace after big improvements in FY23.
• Cash balance is $286M, and they have a similar amount of debt that offsets it.

So they lost -$354M in FY24 on $628M in rev. Instead of providing non-GAAP breakouts, they focused on the improvements seen in the contribution margin of Sub ARR (removing subcription COGS and opex).

• Sub ARR Contrib Margin has risen from -117.3% to -37.7% to -12.2% over the last 2 years.

This shows some significant operational leverage since their big transition, but they still have a long way to go towards non-GAAP and then GAAP profitability. But with the FCF margin hovering at -4%, the cash burn is slowing and they'll soon be cash flow positive. The IPO seems well timed to this and the inflection point I mentioned above.

Land and expand metrics are strong.

• They have 6100 customers, growing +22%.
• They have 1742 customers >100K, growing +44.7% and adding a +161 net new. Q4 (ending January) is seasonally strongest here.
• They have 99 customers >1M.
• NRR was a strong 133% (dropping from 150% a year ago).
• The implied average ACV is $128.5K, growing +21%.
• They reported a very strong NPS of 86 in Dec-23.

They have 3100 employees in 23 countries, including offices in Palo Alto, Austin, Raleigh Triangle, and Bangalore India. R&D is focused in Palo Alto and Bangalore, plus are expanding into Israel with the Laminar acquire. 46% of FTE are outside the US, with 26% in India. They also have 255 patents, with 207 pending.

Partners

A year after hiring a new VP of Global Partners in Feb-22 from Google EMEA (with deep experience in network security and observability across Cybereason, AppDynamics, and Meraki), Rubrik revamped their partner program in Mar-23.

They now have a set of technology alliance partners (clouds, databases, systems, security tools, and SaaS apps), as well as deeper security alliance partners with tighter integrations (Zscaler, Microsoft, Palo Alto Cortex, & CrowdStrike).

• They've been in a strategic partnership with Microsoft since Aug-21 (including an investment), and have been building their SaaS platform upon Azure ever since. They joined its Intelligent Security Assoc in Oct-22, and were awarded US & UK ISV partner of the year in Jun-23. They integrate with Azure Sentinel SIEM and provide backup & protection over MS365, plus have been leveraging OpenAI Service for their new AI assistant.
• They partnered with Zscaler in Mar-23 to integrate with their SSE. Despite Zscaler's own DLP ambitions, it is a very amicable relationship – the two CEOs had a fireside chat at Rubrik's Data Summit event in Sep-23. [Rubrik then hired away a VP of Int'l from Zscaler in Oct-23 as a show of thanks.]
• They deepened their partnership and integration with ServiceNow in Aug-23.
• They recently announced a new partnership with CrowdStrike in March, integrating RSC into the Falcon XDR platform.

However, most of these major partners are moving deeper into data security from their own CNAPP (CSPM/CIEM/DLP) and SSE (CASB/SSPM/DLP) platforms.

• Palo Alto acquired Dig Security in October, which finalized in December. This added a Data Security Posture Mgmt (DSPM) tool to Prisma Cloud to protect cloud data stores.
• Palo Alto also announced a new security module in Prisma Cloud in November that protects 3rd-party SaaS apps. This evolution of SaaS governance (CASB) is generally known as SaaS Security Posture Mgmt (SSPM), which Cloudflare added when it acquired Vectrix in 2022, and Zscaler when it acquired Canonic a year ago. SSPM is very similar to Rubrik's own SaaS app data & DSPM protection features.
• CrowdStrike just acquired Flow Security in March [as just covered]. This adds Data Security Posture Mgmt (DSPM) to their Falcon Cloud Security that, like other next-gen DLP solutions, can discover, classify, and protect data via at-rest storage and cloud scanning. One differentiator is its real-time agent that controls access dynamically via Zero Trust policies, and performs continuous monitoring as data flows between on-prem & cloud infrastructure, SaaS apps, and 3rd party APIs. It can then map out how the data flows across systems, in order to manage risk, protect sensitive data, and proactively prevent data leakage or theft.

Palo Alto/Dig seems most focused on cloud data lakes, but it combines well with their subsequent big move into SSPM. CrowdStrike/Flow seems very similar to Rubrik's stance in data security, but utilizes a very different technology. Both provide DSPM security scanning (DSPM) over SaaS apps and cloud stores, but CrowdStrike's solution will be built into their agent (via eBPF) for real-time protection.

Other Tidbits

• They hired a new CISO (previously at the CIA) in May-22, plus started a new CISO Advisory Board in Jun-22, starting with Chris Krebs (former CISA director), and later added CISOs from Albertson's, Booking, J&J, and Moderna.
• They added a $5M ransomware warranty in Oct-21, and later extended it to their emerging Cloud Vault product in Feb-22. This was increased to $10M in Apr-23 in RSC. The S-1 states the warranty has not been claimed to date.
• They have FedRAMP authorization in process since Jun-23 (still in process today), and received StateRAMP auth in Jan-24. They added Threat Hunting for US Public Sector in Apr-24.
• They released their latest State of Data Security survey in Nov-23, which suggests data volumes for cloud grew +73% in the last 18mo, and SaaS app data by +145%. Three customers store over a petabyte on their platform. See the full report or interactive recap.
• They expanded their AWS protection to EKS (Kubernetes) at re:Invent '23.

IPO

At their Series E in Jan-19, they reported a $3.3B valuation. Microsoft invested in Aug-21, with Bloomberg reporting it at $4B valuation.

The IPO will release 23M new Class A shares. (Class B insider shares have 20x the voting power.)  As is typical of startups, insider mgmt and VCs have the majority of ownership.

• Lightspeed owns 25.6%
• Greylock owns 13.1%
• Cofounders own 22.6%, across the CEO (8.1%), the CTO (7.4%), and the former VP of Engr (7.1%) – now CEO of AI productivity tool Glean
• Bain Capital owns 1.6%
• Microsoft has a small ownership stake as well

Rubrik has morphed its backup & recovery solution into a fuller SaaS platform for data security and continuous protection. They have successfully navigated three major transitions, and seem ready to hit the market. They have strong growth and land and expand metrics, and very weak profitability margins. I really want to see more bottom-line details for further signs of operational leverage.

They have a variety of modules and tiers to upsell customers in a land and expand motion, as they move from backup to fuller data security. But like other enterprise SaaS platforms, the strong growth is waning.

After they acquired DSPM, what other modules might emerge from here? Rubrik seems to be moving towards becoming a broader CNAPP from its roots in backup. And if you look at the fine print, they included app security (SSPM), cloud security (CNAPP), CSPM, and even PAM (privileged access mgmt) in their TAM calculations.

Rubrik has an ecosystem of partners, but they are all converging with their own data security moves. Palo Alto and CrowdStrike have moved into DSPM themselves in their CNAPP products, and Zscaler and Cloudflare have a focus on data protection and SaaS app scanning (SSPM) in their SSEs.

We should see them IPO next week or two, under ticker RBRK.

Add'l Reading

• See Mertitech's excellent breakdown of the company and S-1, as well as Clouded Judgement's breakdown that compares metrics to other SaaS companies.
• Friend of the blog Francis, the Software Analyst (was InvestiAnalyst), has been covering aspects of security, including Cloud & App Security and the Software Supply Chain. The Cloud & App piece had data protection scattered throughout (mostly in SSPM and CASB areas), but Rubrik is proving it can be independent.
• Also see Francis's Guide to Security and SASE.  Though none of this should be a surprise if you read my long-ago pieces Flavors of Security and Zero Trust & SASE primers.

Rubrik is now up +94% since IPO, and +132% since October 1 – quite the winter rise!  As mentioned, I just covered Rubrik extensively this week in Premium, including an earnings take, their product moves since IPO, and the competitive landscape. They just introduced a subtle shift in their platform in a recent announcement during AWS re:Invent this month that is of high interest.

-muji