Special Note Regarding Forward-Looking Statements

This Annual Report on Form 10-K, including the sections entitled “Business,” “Risk Factors,” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” contains forward-looking statements that involve risks and uncertainties, as well as assumptions that, if they never materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Statements that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. Forward-looking statements are often identified by the use of words such as, but not limited to, “anticipate,” “believe,” “can,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “seek,” “should,” “target,” “will,” “would” and similar expressions or variations intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning the following:

• our ability to continue to add new customers, maintain existing customers and sell new products and professional services to new and existing customers;

• uncertain impacts that prolonged economic uncertainty may have on our business, strategy, operating results, financial condition and cash flows, as well as changes in overall level of software spending and volatility in the global economy;

• the effects of increased competition as well as innovations by new and existing competitors in our market;

• our ability to adapt to technological change and effectively enhance, innovate and scale our solutions;

• our ability to effectively manage or sustain our growth and to attain and sustain profitability;

• our ability to diversify our sources of revenue;

• potential acquisitions and integration of complementary business and technologies;

• our expected use of proceeds;proceeds from future issuances of equity or convertible debt securities;

• our ability to maintain, or strengthen awareness of, our brand;

• perceived or actual security, integrity, reliability, quality or compatibility problems with our solutions, including related to security breaches in our customers; systems, unscheduled downtime or outages;

• statements regarding future revenue, hiring plans, expenses, capital expenditures, capital requirements and stock performance;

• our ability to meet publicly announced guidance or other expectations about our business, key metrics and future operating results;

• our ability to maintain an adequate rate of billingsannualized recurring revenue growth;

• our ability to attract and retain qualified employees and key personnel and further expand our overall headcount;

• our ability to grow, both domestically and internationally;

• our ability to stay abreast of new or modified laws and regulations that currently apply or become applicable to our business both in the United States and internationally including laws and regulations related to export compliance;internationally;

• our ability to maintain, protect and enhance our intellectual property;

• costs associated with defending intellectual property infringement and other claims; and

• the future trading prices of our common stock and the impact of securities analysts’ reports on these prices.

These statements represent the beliefs and assumptions of our management based on information currently available to us. Such forward-looking statements are subject to risks, uncertainties and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified below, and those discussed in the section titled “Risk Factors” included under Part I, Item 1A. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances that occur after the date of this report.

As used in this report, the terms “Rapid7,” the “company,” “we,” us,"“us,” and our"“our” mean Rapid7, Inc. and its subsidiaries unless the context indicates otherwise.

Through our security operations platform, anchored on our cloud security, security information and event management or SIEM, application(“SIEM”), advanced detection and response, and vulnerability management offerings, we believe that Rapid7 is poised to expand the capabilities of today's SecOps teams. Rapid7 extends and expands the expertise of the Security Operations Center (“SOC") across information security, testing, log analytics,cloud operations, development, and IT teams, enabling them to better understand the attacker and leverage that information to take control of their fragmented attack surface. Enriched by years of managed services expertise, our integrated security orchestration and automation all focus on the critical needs of enterprises for greater visibility into their environments, analytics that provide context to complex data, and automation thatoperations platform enables SecOps teams to scalemove away from a reactive approach, reduce their attack surface, and more efficiently address criticalenhance response efficiency with a deep contextual understanding of their environment.

In 2017, 70%2023, 2022 and 2021 recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 95%, 94% and 92%, respectively, of our revenues were recurring revenues compared to 67% in 2016.total revenue. We incurred net losses of $45.5$149.3 million, $49.0$124.7 million and $49.9$146.3 million in 2017, 20162023, 2022 and 2015,2021, respectively, as we continued to invest for long-term growth.

Our Analyticsextended SOC platform provides a high level of scalability and Automation Cloud

In response to our customerscustomers’ expanding digital footprints, we have invested in our capacity to gather, standardize, enrich, and correlate diverse telemetry within our platform. Our cloud architecture utilizes a combination of native collection technologies and application programming interfaces, and third-party event sources, to scale in alignment with specific, actionable insights for their security and IT operations. We designed the digital transformation occurring within our customers’ organizations.

Our products have been designed to deliverconsolidation offerings combine our sophisticated analytics with an intuitive user interface, focused on ease-of-installation, ease-of-usecompelling platform technology and fast time-to-value forlean into vendor consolidation as well as the prioritization of security budgets around critical spending areas.

Our technicalexperienced research team regularly reviews trending insights from our Platform and broader open source community to prepare industry reports and resources. This includes regular threat reports, common vulnerabilities and exposures, and skunkworks research to spotlight specific security concerns. This focus and intentionality around understanding the attacker mindset is a big part of our Rapid7 culture and is infused into our product development and engineering team monitors and tests our products on a regular basis, and we maintain a regular release process to refine, update, and enhance our existing products. We also have a team of experienced security researchers who work to keep us abreast of the latest developments in the cyber security landscape. ethos.

Our research and development teams are located in our offices in Cambridge,Boston, Massachusetts; Austin, Texas; Los Angeles, California; Toronto, Canada;Arlington, Virginia; Dublin Ireland and Galway, Ireland; Belfast, Northern IrelandIreland; and Tel Aviv, Israel, providing us with a broad,exposure to worldwide reach to engineering talent. ResearchWe are also establishing a new development and development expense totaled $50.9 million, $48.0 millionservice center in Prague, Czech Republic that we anticipate will continue to grow over the next year.

Our industry-leading attack experts analyze vulnerabilities, misconfigurations, and $38.7 millionthreat data to offer proactive guidance for 2017, 2016organizations’ security programs. Leveraging threat intelligence from our free and 2015, respectively.open-source projects, we continuously enhance our products and services to improve the customer experience.

Our customers span a wide variety of industries including manufacturing, financial services, healthcare and life sciences, retail, technology, government, media and entertainment, energy, education, transportation, real estate, and other professional services, withinwith customers in the 12 months preceding the applicable measurement date. We provide products and services to customersmanufacturing industry representing our largest industry in 2023 at 15% of varying sizes, including enterprises, non-profit organizations, educational institutions and government agencies. Fifty-six percentour revenue. In 2023, 45% of our revenue in 2017 was generated by largefrom enterprises, which we define as organizations that have either annual revenue greater than $1.0 billion or more than 2,500 employees, and the balance was generated byfrom middle-market organizations. Our customers span a wide variety of industries including technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services, with customers in the finance industry representing our largest industry in 2017 at 14% of our revenue. small organizations.

Our revenue is not concentrated with any individual customer, or group ofwith no customers and no customer representedrepresenting more than 2%1% of our revenue in 2017, 20162023, 2022 or 2015.2021.

We compete on the basis of a number of factors, including:

CertainSome of our competitors have greater sales, marketing and financial resources, more extensive geographic presence or greater brand awareness than we do. We may face future competition in our markets from other large, established companies, as well as from emerging companies. In addition, we expect that there is likely to be continued consolidation in our industry that could lead to increased price competition and other forms of competition. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. Conditions in our market could change rapidly and significantly as a result of technological advancements, including with respect to AI. Our competitors may more successfully incorporate AI into their products, gain or leverage superior access to certain AI technologies, and achieve higher market acceptance of their AI solutions. For further discussion of the risks related to AI, please see below under “Risks Related to Intellectual Property, Litigation and Government Regulation."

Our future success and competitive position dependdepends in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patents, trademarks, copyrights, trade secrets, employee and

We have numerousover two hundred issued patents and a number of registered and unregistered trademarks. WeThe standard length of our patents is 20 years and while the grant dates of our patents vary, we believe that the duration of our issued patents is sufficient when considering the expected lives of our products. We file patent applications to protect our intellectual property and have a number of patent applications pending in the United States.pending. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. Although we rely on intellectual property rights, including trade secrets, patents, copyrights and trademarks, as well as contractual protections to establish and protect our proprietary rights, we believe that factors such as the technological and creative skills of our personnel, creation of new modules, features and functionality, and frequent enhancements to our solutions are more essential to establishing and maintaining our technology leadership position.

We also license software from third parties for integration into our offerings, including open source software and other software available on commercially reasonable terms. We cannot assure you that suchbelieve our continuing research and product development are not materially dependent on any single license or other agreement with a third parties will maintain such software orparty relating to the development of our products.

Rapid7 is dedicated to making the best in security operations achievable for all, and our employees are critical to achieving this mission. In order to continue to make it available.

As of December 31, 2017,2023, we had 1,0792,228 full-time employees, including 236418 in product and service delivery and support, 437840 in sales and marketing, 266692 in research and development and 140278 in general and administrative. As of December 31, 2017,2023, we had 8051,277 full-time employees in the United StatesU.S. and 274951 full-time employees internationally. None of our U.S. employees are covered by collective bargaining agreements. We believe our employee relations are good and we have not experienced any work stoppages.

We have evolved to a hybrid-first model, in which our employees who are assigned to an office can divide their time between the office and home. We are often iterating our approach to ensure we are balancing the needs of the business with the desires of our people, but remain committed to our view that offices remain a vital environment for fostering mentorship, career

development and collaboration. Additionally, we believe gathering in person allows our operationspeople to foster stronger relationships and managetrust, and helps to contribute to our great work culture.

Fostering a culture that values the principles of diversity, equity, and inclusion is an essential and fundamental aspect of who we are. We strive to create an environment where every individual, regardless of their background, feels valued and empowered. Diversity, equity and inclusion are key drivers of creativity and innovation, and we know that when teams embrace these drivers, they are able to make better business decisions, which ultimately drive better business outcomes. Our commitment extends beyond just words, it is an ongoing investment that is visible in our partnerships, yearly programming, internal events, training and development and available resources.

Over the past year we have made significant progress on internal programming and support, which in turn allowed us for the first time to be featured on the Human Rights Campaign Equality Index. Our employee resource groups offered roundtables and educational sessions focused on embracing identity, navigating difficult conversations, building a personal brand and reputation, advocating for yourself, celebrating and supporting those who are neurodivergent and more. We welcomed the launch of our newest employee resource group established to create intentional space for those identifying as one operating segment. SeeLatinX and/or Hispanic. We continue to offer our consolidated financial statementscomprehensive e-learning program on diversity, equity, and inclusion, for all new hires. Our efforts also extended to our global talent acquisition teams, holding in-person and virtual training, focused on leveraging the key tenets of cultural competency to support our ongoing efforts to build multidimensional talent pipelines. In addition, all our employees now have access to education geared toward collaborating with supporting neurodivergent team members.

We give back to the communities where we live and work, and believe that this commitment helps in our efforts to attract and retain employees. We partner with a discussionvariety of revenues, operating loss, net lossSTEM and total assets.inclusion-focused programs to promote technology education for all. Beyond contributions of cash, we encourage employee volunteerism at all our locations. In 2021, we formed the Rapid7 Cybersecurity Foundation (the “Foundation”). The Foundation’s mission, which aligns closely to that of Rapid7, is to promote a more diverse and inclusive cyber workforce and advance security by supporting cybersecurity programs and solutions that are free and open. These include, among others, Hack.Diversity, the Cyber Peace Institute and its program Cyber Peace Builders and Cyversity. After seeding the Foundation with an initial contribution of $1.0 million in 2021, Rapid7 continued its support of the Foundation with an additional investment of $0.5 million in 2022.

Item 1A. Risk Factors.

Risks Related to Our Business and Industry

Each factor above or discussed elsewhere herein or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the market price of our stock could fall and we could face costly lawsuits, including securities class action suits.

Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to sustainmaintain and scale our revenue growth rate, weinfrastructure, systems and processes, our business and results of operations may not achieve or maintain profitability in the future.be negatively affected.

From the year ended December 31, 20132019 to the year ended December 31, 2017,2023, our revenue grew from $60.0$326.9 million to $200.9$777.7 million which represents a compounded annualand our headcount grew from 1,544 to 2,228 employees. Our future growth rateis dependent upon our ability to continue to meet the expanding needs of approximately 35%.our customers and to attract new customers. Although we have experienced rapid growth historically, and currently have high renewal rates, we expectcannot provide any assurance that we may notour business will continue to grow at the same rate or at all.

As existing customers gain more experience with our products, they may broaden their reliance on our products, which will require that we expand our operations infrastructure. We also seek to maintain excess capacity in our operations infrastructure to facilitate the rapid provision of new customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support changes in hardware and software parameters and the evolution of our products, all of which require significant lead time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages that may subject us to financial penalties, financial liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as rapidly in the futurewe seek to obtain additional capacity, which could adversely affect our reputation and our renewal rates may decline. Anyrevenue.

To continue to grow and expand our business while meeting the performance and other requirements of our customers, we intend to continue to make significant financial and operational investments. Our future success that we may experience in the future will depend in large part on our ability to manage our growth effectively, which will require us to, among other things:

If we arefail to achieve these objectives effectively, our ability to manage our expected growth may be impaired and we may be unable to maintain the quality of our offerings, consistent revenue or revenue growth, our stock price could be volatile, and it may be difficult to achieve and maintain profitability. You should not rely on our revenue for any prior quarterly or annual periods performance as any indication of our future revenue or revenue growth.

We have not been profitable historically and may not achieve or maintain profitability in the future.

We have posted a net loss in each year since inception, including net losses of $45.5$149.3 million, $49.0$124.7 million and $49.9$146.3 million in the years ended December 31, 2017, 20162023, 2022 and 2015,2021, respectively. As of December 31, 2017,2023, we had an accumulated deficit of $434.9 million.$1.0 billion. While we have experienced significant revenue growth in recent periods, we aremay not certain whether or when we will obtain a high enough volume of sales of our products and professional servicesservice offerings to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs to increase in future periods, which could negatively affect our

These investments may not result in increased revenue or growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and results of operations will be harmed, and we may not be able to achieve or maintain profitability over the long term. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed, and we may not achieve or maintain profitability in the future.

Our subscription offerings are sold on a term basis. In order for us to improve our operating results, it is important that our existing customers renew their subscriptions with us when the existing subscription term expires, and renew on the same or more favorable terms. Our customers have no obligation to renew their subscriptions with us and we may not be able to accurately predict customer renewal rates. Our customers’ renewal rates may decline or fluctuate as a result of a number of factors, including their satisfaction or dissatisfaction with our new or current product offerings, our pricing, the effects of economic conditions, including due to a global economic slowdown, inflation, foreign currency exchange rate fluctuation, the Russia-Ukraine war, the Israel-Hamas conflict and any global economic uncertainty and financial market disruptions, competitive offerings, our customers' perception of their exposure, or alterations or reductions in their spending levels. If our customers do not renew their agreements with us or renew on terms less favorable to us, our revenues and results of operations may be adversely impacted.

Our future growth is also affected by our ability to sell additional offerings to our existing customers, which depends on a number of factors, including customers’ satisfaction with our products and services and general economic conditions. If our efforts to cross-sell and upsell to our customers are unsuccessful, the rate at which our business grows might decline.

Our business substantially depends on, and we expect our business to continue to substantially depend on, sales of our platform solutions. As such, market acceptance of our platform solutions is critical to our continued success. Demand for platform solutions are affected by a number of factors beyond our control, including continued market acceptance of cloud-based offerings, the timing of development and release of new products by our competitors, technological change, and growth or professional servicescontraction in our market and the economy in general. If we are unable to continue to meet customer demands or to achieve more widespread market acceptance of our platform solutions, including through evolution of our sales model to a consolidated platform sales approach, our business operations, financial results and growth prospects will be materially and adversely affected.

Our new and existing offerings or product enhancements and changes to our existing offerings could fail to detect vulnerabilitiesattain sufficient market acceptance for many reasons, including:

If our new or existing offerings or enhancements and changes do not achieve adequate acceptance in the market, our competitive position will be harmed, which could have animpaired, and our revenue, business and financial results will be negatively impacted. The adverse effect on our financial results may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred in connection with the new offerings or enhancements.

We face intense competition in our market, which could adversely affect our business, financial condition, and results of operations.

Some of our actual and potential competitors have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and business user recognition, larger and more mature intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is becoming increasingly competitive. Larger and more established companies may focus on security operations and could directly compete with us. Smaller companies could also launch new products or professionaland services failthat we do not offer and that could gain market acceptance quickly.

Our competitors may be able to detect vulnerabilities in our customers’ cyber security infrastructure, or if our products or professional services fail to identifyrespond more quickly and respondeffectively than we can to new and increasingly complex methodsor changing opportunities, technologies, standards or customer requirements. With the introduction of cyber attacks, our business and reputation may suffer. There is no guarantee that our products or professional services will detect all vulnerabilities, especially in light ofnew technologies, the rapidly changing security landscape to which we must respond. Additionally, our products may falsely detect vulnerabilities or threats that do not actually exist. For example, our Metasploit offering relies on information provided by an active community of security researchers who contribute new exploits, attacks and vulnerabilities. If the information from these third parties is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliabilityevolution of our offerings and new market entrants, we expect competition to intensify in the future. Conditions in our market could change rapidly and significantly as a result of technological advancements, including with respect to AI. Our competitors may therefore adversely impactmore successfully incorporate AI into their products, gain or leverage superior access to certain AI technologies, and achieve higher market acceptance of their AI solutions. For further discussion of the risks related to AI, please see below under “Risks Related to Intellectual Property, Litigation and Government Regulation”.

In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and professional services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our offerings and couldcause the average sales price for our offerings to decline. These larger competitors are also often in a better position to withstand any significant reduction in spending by customers, and will therefore not be as susceptible to economic downturns.

These competitive pressures in our market or our failure to compete effectively may result in negative publicity,price reductions, fewer orders, reduced renewals, reduced revenue and gross margins, and loss of customers and sales and increased costsmarket share. Any failure to remedy any problem.

An actual or perceived security breach or theftFor all of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our products or professional services, could adversely affect the market’s perception of our offerings and subject us to legal claims.

If we are unable to successfully hire, train, manage and retain qualified personnel especially those in sales and marketing and research and development, our business may suffer.

We continue to be substantially dependent on our sales force to obtain new customers and increase sales with existing customers. Our ability to successfully pursue our growth strategy will also depend on our ability to attract, motivate and retain our personnel, especially those in sales, marketing and research and development. In addition, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the recent cybersecurity attacks on global corporations and governments. We face intense competition for these employees from numerous technology, software and other companies, especially in certain geographic areas in which we operate, and we cannot ensure that we will be able to attract, motivate and/or retain sufficient qualified employees in the future.future particularly in tight labor markets. In addition, the change by us and other companies to offer a remote or hybrid work environment may increase the competition for such employees from employers outside of our traditional office locations. Our workforce has evolved to a hybrid-first model following the COVID-19 pandemic, which requires regular in-office attendance but utilizes a hybrid approach. While we intend to continue iterating our

approach to ensure we are balancing the needs of the business with the desires of our people, we may face difficulty in hiring and retaining our workforce as a result of this shift to have greater in-office attendance. If we are unable to attract new employees and retain our current employees, we may not be able to adequately develop and maintain new products or professional servicesservice offerings or market our existing products or professional servicesservice offerings at the same levels as our competitors and we may, therefore, lose customers and market share. Our failure to attract and retain personnel, especially those in sales and marketing and research and development positions for which we have historically had a high turnover rate, could have an adverse effect on our ability to execute our business objectives and, as a result, our ability to compete could decrease, our operating results could suffer and our revenue could decrease. Even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity and they may not become productive as quickly as we would like or at all.

We believe that our corporate culture has been a critical component to our success. We have invested substantial time and resources in building our team. As we grow and mature as a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could negatively affect our future success, including our ability to attract, motivate and retain personnel and effectively focus on and pursue our business strategy.

Our hybrid working model and use of service providers with remote working arrangements also subjects us to heightened operational risks. For example, technologies in our employees’ and service providers’ homes when they are working remotely may not be as robust as in our offices and could cause the networks, information systems, applications, and other tools available to employees and service providers to be more limited or less reliable than in our offices. Further, the security systems in place at our employees’ and service providers’ homes may be less secure than those used in our offices, and while we have implemented technical and administrative safeguards to help protect our systems as our employees and service providers work from home, we may be subject to increased cybersecurity risk, which could expose us to risks of data or financial loss, and could disrupt our business operations. There is no guarantee that the data security and privacy safeguards we have put in place will be completely effective or that we will not encounter risks associated with employees and service providers accessing company data and systems remotely.

Our sales cycle may be unpredictable.

The timing of sales of our offerings is difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large enterprises and with respect to certain of our products. We sell our products primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, depending on the size of the organization, andbudgetary constraints, nature of the product or service under consideration.consideration and the seniority of the approval required. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result, we could lose other sales opportunities or incur expenses that are not offset by an increase in revenue, which could harm our business.

We market and sell our products and professional servicesservice offerings throughout the world and have personnel in many parts of the world. For the years ended December 31, 20172023, 2022 and 2016,2021, operations located outside of North America generated 15%22%, 21% and 14%19%, respectively, of our revenue, respectively.revenue. Our growth strategy is dependent, in part, on our continued international expansion. We expect to conduct a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. We cannot assure you that our expansion efforts into international markets will be successful in creating further demand for our products and professional servicesservice offerings or in effectively selling our products and professional servicesservice offerings in the international markets that we enter. Our current international operations and future initiatives will involve a variety of risks, including:

Our business, including the sales of our products and professional servicesservice offerings by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to comply with these laws and policies, there can be no assurance that our employees, contractors, channel partners and agents have complied, or will comply, with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations.

If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.

We are also monitoring developments related to Brexit, which could haverecognize a significant implications for our business. Brexit could lead to economic and legal uncertainty, including significant volatility in global stock markets and currency exchange rates, and differing laws and regulations as the United Kingdom determines which European Union laws to replace or replicate. Any of these effects of Brexit, among others, could adversely affect our operations in the United Kingdom and our financial results.

We recognize substantially alla significant percentage of our revenue ratably over the various terms of our agreements with customers, which generally occurs over a one to three-year period.customers. As a result, a substantial portion of the revenue that we report in each period will be derived from the recognition of deferred revenue relating to agreements entered into during previous periods. Consequently, a decline in new sales or renewals in any one period may not be immediately reflected in our revenue results for that period. This decline, however, will negatively affect our revenue in future periods. Accordingly, the effect of significant downturns in sales and market acceptance of our products and potential changes in our rate of renewals may not be fully reflected in our results of operations until future periods. Our model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers generally will be recognized over the term of the applicable agreement.term.

We also intend to increase our investment in research and development, sales and marketing, and general and administrative functions and other areas to grow our business. We are likely to recognize the costs associated with these increased investments earlier than some of the anticipated benefits and the return on these investments may be lower, or may develop more slowly, than we expect, which could adversely affect our operating results.

We may be unable to rapidly and efficiently adjust our cost structure in response to significant revenue declines, which could adversely affect our operating results.

In addition, in order for our products to achieve their functional potential, our products must effectively integrate into our customers’ IT infrastructures, which have different specifications, utilize varied protocol standards, deploy products from multiple different vendors and contain multiple layers of products that have been added over time. Our customers’ IT infrastructures are also dynamic, with a myriad of devices and endpoints entering and exiting the customers’ IT systems on a regular basis, including remote devices, and our products must be able to effectively adapt to and track these changes. We must be able to interoperate and provide our security offerings to customers with these highly complex and customized networks, which requires significant coordination between our customers, our customer support teams and our channel partners.

Any failure by our customers to appropriately implement our products or any failure of our products to effectively integrate and operate within our customers’ IT infrastructures could result in customer dissatisfaction, impact the perceived reliability of our products, result in negative press coverage, negatively affect our reputation and harm our financial results.

Future acquisitionsOur success in acquiring and integrating other businesses, products or technologies could disrupt our business and harmimpact our financial condition and operating results.position.

In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay. We also may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful.

Achieving the anticipated benefits of past or future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner and successfully market and sell these as new product offerings, including, foror as new features within our existing offerings. For example, the operations, productson March 14, 2023, we acquired Minerva Labs Ltd., a leading provider of anti-evasion and technology acquired in connection with our acquisitionransomware prevention technology. The integration of Komand in July 2017. The acquisition of Komand’s orchestration and automation technology is intended to help our customers automatically identify risks, respond to incidents and address issues faster and with less human intervention. The process of integrating a new business or technology into our product offerings, such as Komand and its technology, requires, among other things, coordination of administrative, sales and marketing, accounting and finance functions, and expansion of information and management systems. Integration of any future acquisition may prove to be difficult due to the necessity of coordinating geographically separate organizations and integrating personnel with disparate business backgrounds and accustomed to different corporate cultures.cultures and business operations and internal systems. We may need to implement or improve controls, procedures, and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies. The acquisition and integration processes are complex, expensive and time consuming, and may cause an interruption of, or loss of momentum in, product development, sales activities and operations of both companies. Further, we may be unable to retain key personnel of an acquired company following the acquisition, including certain employees which we acquired in connection with our acquisition of Komand.acquisition. If we are unable to effectively execute or integrate acquisitions, the anticipated benefits of such acquisition, including sales or growth opportunities or targeted synergies may not be realized, and our business, financial condition and operating results could be adversely affected.

In addition, we may only be able to conduct limited due diligence on an acquired company’s operations or may discover that the products or technology acquired were not as capable as we thought based upon the initial or limited due diligence. Following an acquisition, we may be subject to unforeseen liabilities arising from an acquired company’s past or present operations and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any unforeseen liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition.

If we are unable to maintain successful relationships with our channel partners, our business operations, financial results and growth prospects could be adversely affected.

Our success is dependent in part upon establishing and maintaining relationships with a variety of channel partners that we utilize to extend our geographic reach and market penetration. We anticipate that we will continue to rely on these partners in order to help facilitate sales of our offerings as part of larger purchases in the United States and to grow our business internationally. For 2017the years ended December 31, 2023, 2022 and 2016,2021, we derived approximately 37%62%, 57% and 52%, respectively, of our revenue from sales of products and professional servicesservice offerings through channel partners, and the percentage of revenue derived from channel partners may increase in future periods. Our agreements with our channel partners are non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and some of our channel partners may have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors or do not effectively market and sell our products and professional services,service offerings, our ability to grow our business and sell our products and professional services,service offerings, particularly in key international markets, may be adversely affected. In addition, our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and professional servicesservice offerings or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and professional servicesservice offerings or increased revenue.

If we are not able to maintain and enhance our brand, our business and operating results may be adversely affected.

We believe that maintaining and enhancing our brand identity is critical to our relationships with our customers and channel partners and to our ability to attract new customers and channel partners. The successful promotion of our brand will depend largely upon our marketing efforts, our ability to continue to offer high-quality offerings and our ability to successfully differentiate our offerings from those of our competitors. Our brand promotion activities may not be successful or yield increased revenues. In addition, independent industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services, our brand may be adversely affected.

Moreover, it may be difficult to maintain and enhance our brand in connection with sales through channel or strategic partners. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and as more sales are generated through our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers and channel partners, all of which would adversely affect our business operations and financial results.

Our future performance depends on the continued services and contributions of our senior management, particularly Corey Thomas, our Chief Executive Officer, and other key employees to maintain high-quality customer support could have a material adverse effectexecute on our business.business plan and to identify and pursue new opportunities and product innovations. From time to time, there may be changes in our senior management team resulting from

the implementation and maintenancetermination or departure of our products. If we do not effectively assistexecutive officers and key employees. Our senior management and key employees are employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of our customers in deployingsenior management, particularly Mr. Thomas, or other key employees for any reason could significantly delay or prevent the achievement of our products, helpdevelopment and strategic objectives and harm our customers quickly resolve post-deployment issues or provide effective ongoing support, our ability to renew or sell additional products or professional services to existing customers would be adversely affectedbusiness, financial condition and our reputation with potential customers could be damaged. Further, to the extent that we are unsuccessful in hiring, training and retaining adequate technical and customer success personnel, our ability to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our offerings will be adversely affected.results of operations.

We rely onuse third-party software and data to operate certain functions of our business.business and deliver our offerings that may be difficult to replace or that may cause errors or failures of our solutions, which could lead to lost customers or harm to our reputation and our operating results.

We rely onuse software vendors to operate certain critical functions of our business, including financial management, customer relationship management and human resource management. If we experience difficulties in implementing new software or if these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.

We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.

Our products contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products.

We have entered, and intend to continue to enter, into technology alliance partnerships with third parties to support our future growth plans, including with certain of our actual or potential competitors. For example, through these technology alliance partnerships, we integrate with certain third-party application program interfaces or APIs,(“APIs”), which enhance our data collection capabilities in our customers’ IT environments. If these third parties no longer allow us to integrate with their APIs, or if we determine not to maintain these integrations, the functionality of our products may be reduced and our products may not be as marketable to certain potential customers. Technology alliance partnerships require significant coordination between the parties involved, particularly if a partner requires that we integrate its products with our products. Further, we have invested and will continue to invest significant time, money and resources to establish and maintain relationships with our technology alliance partners, but we have no assurance that any particular relationship will continue for any specific period of time, result in new offerings that we can effectively commercialize or result in enhancements to our existing offerings. In addition, while we believe that entering into technology alliance partnerships with certain of our actual or potential competitors is currently beneficial to our competitive position in the market, such partnerships may also give our competitors insight into our offerings that they may not otherwise have, thereby allowing them to compete more effectively against us.

We generate a portion of our revenue from our vulnerability management offerings that help organizations achieve and maintain compliance with regulations and industry standards both domestically and internationally. For example, many of our customers subscribe to our vulnerability management offerings to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council (the “PCI Council”), which apply to companies that process, transmit or store cardholder data. In addition, our vulnerability management offerings are used by customers in the health care industry to help them comply with numerous federal and state laws and regulations related to patient privacy. In particular, HIPAA, and the 2009 Health Information Technology for Economic and Clinical Health Act include privacy standards that protect individual privacy by limiting the uses and disclosures of individually identifiable health information and implementing data security standards. The continued utility of Metasploit depends in part on the continued contributions from security researchers.

customers’ cybersecurity defense and compliance efforts, our customers may lose confidence in our products and could resultswitch to products offered by our competitors or threaten or bring legal actions against us. In addition, if laws, regulations or standards related to data security, vulnerability management and other IT security and compliance requirements are relaxed or the penalties for non-compliance are changed in negative publicity, lossa manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our products. In any of these cases, our revenue and operating results could be harmed.

In addition, government and other customers may require our products to comply with certain privacy, security or other certifications and salesstandards. If our products are late in achieving or fail to achieve or maintain compliance with these certifications and increased costs to remedy any problem. Further, to the extent thatstandards, or our community of third parties is reduced in size or participants become less active,competitors achieve compliance with these certifications and standards, we may lose valuable insight into the dynamic threat landscapebe disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and our ability to quickly respond to new exploits, attacks and vulnerabilities may be reduced.financial condition.

A portion of our revenue is generated by sales to government entities, which are subject to a number of challenges and risks.

Selling to government entities can be highly competitive, expensive and time consuming, and often requires significant upfront time and expense without any assurance that we will win a sale. Government demand and payment for our products and professional servicesservice offerings may also be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our offerings. Government entities also have heightened sensitivity surrounding the purchase of cyber securitycybersecurity solutions due to the critical importance of their IT infrastructures, the nature of the information contained within those infrastructures and the fact that they are highly-visible targets for cyber attacks. For example, the conflict in Ukraine and associated activities in Ukraine and Russia may increase the risk of cyberattacks on various types of infrastructure and operations, and the United States government has warned companies to be prepared for a significant increase in Russian cyberattacks in response to the sanctions on Russia. Accordingly, increasing sales of our products and professional servicesservice offerings to government entities may be more challenging than selling to commercial organizations. Further, in the course of providing our products and professional servicesservice offerings to government entities, our employees and those of our channel partners may be exposed to sensitive government information. Any failure by us or our channel partners to safeguard and maintain the confidentiality of such information could subject us to liability and reputational harm, which could materially and adversely affect our results of operations and financial performance.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, for the years ended December 31, 20172023, 2022 and 2016,2021 we incurred 13%17%, 16% and 15%, respectively, of our expenses outside of the United States in foreign currencies, primarily the British pound sterling and euro, principally with respect to salaries and related personnel expenses associated with our sales and research and development operations. Additionally, for the years ended December 31, 20172023, 2022 and 2016, 5%2021, 11%, 10% and 10%, respectively, of our revenue was generated in foreign currencies. Accordingly, changes in exchange rates may have an adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. To date, we have not engagedfuture, including as a result of geopolitical factors such as the Israel-Hamas conflict, which has impacted the exchange rate between the U.S. dollar and the Israeli New Shekel. Furthermore, a strengthening of the U.S. dollar could increase the cost in anylocal currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. We enter into forward contracts designated as cash flow hedges in order to mitigate our exposure to foreign currency fluctuations resulting from certain operating expenses denominated in certain foreign currencies. These forward contracts and other hedging strategies and any such strategies, such as forward contracts, options and foreign exchange swaps related to transaction exposures that we may implement to mitigate this risk in the future may not eliminate our exposure to foreign exchange fluctuations.

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.

Our future success and competitive position depend in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patent, trademark, copyright and trade secret laws and contractual protections in the United States and other jurisdictions, all of which provide only limited protection and may not now or in the future provide us with a competitive advantage.

We cannot assure you that any patents will issue from any patent applications, that patents that issue from such applications will give us the protection that we seek or that any such patents will not be challenged, invalidated, or circumvented. Any patents that may issue in the future from our pending or future patent applications may not provide sufficiently broad protection and may not be enforceable in actions against alleged infringers. We have registered the “Rapid7,” “Nexpose” and “Metasploit” names and logos in the United States and certain other countries. We have registrations and/or pending applications for additional marks in

In order to protect our unpatented proprietary technologies and processes, we rely on trade secret laws and confidentiality agreements with our employees, consultants, channel partners, vendors and others. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we would not be able to assert trade secret rights, or develop similar technologies and processes. Further, the contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.

From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could result in impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our failure to secure, protect and enforce our intellectual property rights could negatively affect our brand and adversely impact our business, operating results and financial condition.

Assertions by third parties of infringement or other violations by us of their intellectual property rights, whether or not correct, could result in significant costs and harm our business and operating results.

Patent and other intellectual property disputes are common in our industry. We are periodically involved in disputes brought by non-practicing entities alleging patent infringement and we may, from time to time, be involved in other such disputes in the ordinary course of our business. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights. Third parties have in the past and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. TheyThird parties may also assert such claims against our customers or channel partners, whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.

The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.

An adverse outcome of a dispute may require us to:

In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and

Any of the foregoing events could seriously harm our business, financial condition and results of operations.

AI is complex and subject to a rapidly evolving regulatory landscape. The use of AI may increase intellectual property, data privacy and cybersecurity, operational and technological risks, and our AI-related efforts may result in new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results or subject us to legal liability. In particular, the technologies underlying AI and their use cases are subject to complex transfer pricinga variety of laws, including intellectual property, data privacy and cybersecurity, consumer protection and equal opportunity laws. If we do not have sufficient rights to use the data on which AI relies, we may incur liability through the violation of such laws, third-party privacy or other rights or contracts to which we are a party. Changes in laws, rules, directives and regulations whichgoverning the use of AI may be challenged by taxing authorities.

Our products contain software licensed to us by third parties under so-called “open source” licenses, including the GNU General Public License, the GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in those jurisdictions.their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In 2016,addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms.

Although we completedmonitor our use of open source software in an effort both to comply with the reorganizationterms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. The terms of certain open source licenses require us to release the source code of our corporate structureapplications and intercompany relationships to more closely alignmake our corporate organizationapplications available under those open source licenses if we combine or distribute our applications with open source software in a certain manner. In the expansionevent that portions of our international business activities. Although we anticipate achieving a reduction in our overall effective tax rate in the future as a result of this reorganized corporate structure, we may not realize any benefits. Our intercompany relationshipsapplications are and will continuedetermined to be subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions. The relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position were not sustained,an open source license, we could be required to pay additional taxes, interestpublicly release the affected portions of our source code, re-engineer all, or a portion of, those applications or otherwise be limited in the licensing of our applications. Disclosing our proprietary source code could allow our competitors to create similar products with lower development effort and penalties,time and ultimately, could result in a loss of sales for us. Disclosing the source code of our proprietary

software could also make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our products, which could result in one-time tax charges, higher effective tax rates, reduced cash flowsour products failing to provide our customers with the security they expect. Likewise, some open source projects have known security and lower overall profitabilityother vulnerabilities and architecture instabilities, or are otherwise subject to security attacks due to their wide availability, and are provided on an “as-is” basis. Any of these events could have a material adverse effect on our operations. In addition,business, operating results and financial condition.

We are subject to governmental export and import controls that could impair our ability to compete in international markets and/or subject us to liability if we are not in compliance with applicable laws.

Like other U.S.-based IT security products, our products are subject to U.S. export control and import laws and regulations, including the intended tax treatment of our reorganized corporate structure is not acceptedU.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the applicable taxing authorities, changesU.S. Treasury Department’s Office of Foreign Assets Control. Exports of these products must be made in tax law negatively impactcompliance with these laws and regulations. Although we take precautions to prevent our products from being provided in violation of these laws, our products could be provided inadvertently in violation of such laws, despite the structure orprecautions we do not operate our business consistenttake. Compliance with the structurethese laws and applicable taxregulations is complex, and if we were to fail to comply with these laws and regulations, we and certain of our employees could be subject to substantial civil and criminal penalties, including fines for our company and responsible employees or managers, and, in extreme cases, incarceration of responsible employees and managers and the possible loss of export privileges. Complying with export control laws and regulations, including obtaining the necessary licenses or authorizations, for a particular sale may failbe time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities. Changes in export or import laws and regulations, shifts in the enforcement or scope of existing laws and regulations, or changes in the countries, governments, persons, products or services targeted by such laws and regulations, could also result in decreased use of our products by, or in our decreased ability to achieve any tax advantagesexport or sell our products to, existing or potential customers. For example, in response to the Russia-Ukraine war, countries such as Canada, the United Kingdom, the European Union, the United States and other countries and organizations have implemented new and stricter sanctions and export controls against officials, individuals, regions, and industries in Russia, Ukraine and Belarus. Each country’s potential response to such sanctions, export controls, tensions, and military actions could damage or disrupt international commerce and the global economy and could have a resultmaterial adverse effect on our business and results of operations or impact our ability to continue to operate in affected regions.

We also incorporate encryption technology into our products. These encryption products may be exported outside of the reorganized corporate structure,United States only with the required export authorizations, including by a license, a license exception or other appropriate government authorizations, including the filing of a product classification request. In addition, various countries regulate the import and domestic use of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our future operating resultsability to distribute our products or could limit our customers’ ability to implement our products in those countries. Governmental regulation of encryption technology and financial conditionregulation of imports or exports of encryption products, or our failure to obtain required import or export approval for our products, when applicable, could harm our international sales and adversely affect our revenue. Compliance with applicable laws and regulations regarding the export and import of our products, including with respect to new products or changes in existing products, may be negatively impacted.create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, could prevent the export or import of our products to certain countries, governments, entities or persons altogether.

Our ability to use net operating losses to offset future taxable income may be subject to certain limitations.

As of December 31, 2017,2023, we had federal and state net operating loss carryforwards or NOLs,(“NOLs”), of $116.6$346.5 million and $81.0$293.5 million, respectively, available to offset future taxable income, a portion of which expireexpires in various years beginning in 20302024 if not utilized. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code,(the “IRC”), substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. IRC Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use NOLs if a company experiences a more-than-50-percentmore-than-50-percentage point ownership change over a three-year testing period. Based upon our historical analysis, as of December 31, 2017, we determined that although a small limitation on our historical NOLs exists, we do not expect this limitation to impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occur in the future, our ability to use our NOLs may be further limited. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. If we are limited in our ability to use our NOLs in future years in which we have taxable income, we will pay more taxes than if we were able to fully utilize our NOLs. This could adversely affect our operating results, cash balances and the market price of our common stock.

ComprehensiveWe may have exposure to greater than anticipated tax reform bills could adversely affect our business and financial condition.liabilities.

We are subject to U.S. government has recently enacted comprehensive tax legislation that includes significant changes to the taxation of business entities. These changes include, among others, (i) a permanent reduction to the corporate income tax rate, (ii) a partial limitation on the deductibility of business interest expense, (iii) a shift of the U.S. taxation of multinational corporations from a tax on worldwide income to a territorial system (along with certain rules designed to prevent erosion of the U.S. income tax base) and (iv) a one-time tax imposed at lower rates on accumulated offshore earnings held in cash and illiquid assets, with the latter taxed at a further reduced rate. Notwithstanding the reduction in the corporate income tax rate, the overall impact of this tax reform is uncertain, and our business and financial condition could be adversely affected.

Our products may also contain undetected errors or defects. Errors or defects may be more likely when a product is first introduced or as new versions are released, or when we introduce an acquired company's products. We have experienced these errors or defects in the past in connection with new products, acquired products and product upgrades and we expect that these errors or defects will be found from time to time in the future in new, acquired or enhanced products after commercial release. Defects may cause our products to be vulnerable to attacks, cause them to fail to detect vulnerabilities or threats, or temporarily interrupt customers’ networking traffic. Any errors, defects, disruptions in service or other performance problems with our products may damage our customers’ businesses and could hurt our reputation. If our products or service offerings fail to detect vulnerabilities or threats for any reason, we may incur significant costs, the attention of our key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew or other significant customer relations problems may arise. We may also be subject to liability claims for damages related to errors or defects in our products. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our products may harm our business and operating results. Limitation of liability provisions in our standard terms and conditions and our other agreements may not

Since our business is subjectfocused on providing reliable security solutions to our customers, a security breach or other security incident, or the risksperception that one has occurred, could result in a loss of earthquakes, fire, power outages, floodscustomer confidence in the security of our offerings and other catastrophic events,damage to our brand, reduce the demand for our offerings, disrupt normal business operations, require us to spend material resources to investigate or correct the breach and to interruption by manmade problems suchprevent future security breaches and incidents, expose us to legal liabilities, including litigation, regulatory enforcement, and indemnity obligations, and adversely affect our revenues and operating results. These risks may increase as terrorism.we continue to grow the number and scale of our cloud services, and process, store, and transmit increasing amounts of data.

A significant natural disaster, suchAdditionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, that insurance will cover any indemnification claims against us relating to any incident, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as an earthquake, fireto any future claim. The successful assertion of one or a flood,more large claims against us that exceed available insurance coverage, or a significant power outagethe occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse impacteffect on our business, including our financial condition, operating results, and financial condition. In addition, natural disasters could affectreputation.

If Metasploit were to be used by attackers to exploit vulnerabilities in the cybersecurity infrastructures of third parties, our channel partners’ ability to perform services for us on a timely basis. In the event we or our channel partners are hindered by any of the events discussed above, our ability to provide our products or professional services to customersreputation and business could be delayed.harmed.

In addition,Although Metasploit is a penetration testing tool that is intended to allow organizations to test the effectiveness of their cybersecurity programs, Metasploit has in the past and may in the future be used to exploit vulnerabilities in the cybersecurity infrastructures of third parties. While we have incorporated certain features into Metasploit to deter misuse, there is no guarantee that these controls will not be circumvented or that Metasploit will only be used defensively or for research purposes. Any actual or perceived security breach, malicious intrusion or theft of sensitive data in which Metasploit is believed to have been used could adversely affect perception of, and demand for, our facilitiesofferings. Further, the identification of new exploits and thosevulnerabilities by the Metasploit community may enhance the knowledge base of our third-party data centers and hosting providers are vulnerablecyber attackers or enable them to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war, terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrenceundertake new forms of a natural disaster, power failure or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence ofIf any of the foregoing were to occur, we could suffer negative publicity and loss of customers and sales, as well as possible legal claims.

parties upon whom we rely) fail, or are perceived to have failed, to address and comply with data privacy and security obligations, we could face significant consequences. These consequences may include but are not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections and similar consequences); litigation (including class-related claims); additional reporting requirements and oversight; bans on processing personal data; orders to destroy and not to use personal data; and imprisonment of company officials. Any of these events could damagehave a material adverse effect on our systems and hardware or could cause them to fail completely,reputation and our insurance maybusiness, and financial condition, including but not cover such eventslimited to: loss of customers; interruptions or may be insufficientstoppages in our business or operations; inability to compensate us forprocess personal data; inability to operate in specific jurisdictions; limitations in our ability to develop our products and professional services; management's time and other resource expenditures; adverse publicity; and revisions to our operations.

In the potentially significant losses, includingUnited States, federal, state and local governments have enacted numerous data privacy and cybersecurity laws (including data breach notification laws, personal data privacy laws and consumer protection laws). For example, at the potential harmfederal level, we are subject to the future growthrules and regulations promulgated under the authority of our business, that may result from interruptionsthe Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy and cybersecurity. At the state level, the California Consumer Privacy Act of 2018 (as updated by the California Privacy Rights Act, collectively, “CCPA”) imposes obligations on businesses, service providers, third parties and contractors to which it applies. These obligations include, but are not limited to, providing specific disclosures in our serviceprivacy notices and affording California residents certain rights related to their personal information. The CCPA allows for statutory fines for non-compliance (up to $7,500 per violation). Other states have enacted, or propose to enact, their own comprehensive data privacy laws and, in addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to individuals whose personal information has been disclosed as a result of system failures.a data breach. If we become subject to new data privacy or security laws, the risk of enforcement action against us could increase because we may become subject to additional obligations, and the number of individuals or entities that can initiate actions against us may increase (including individuals, via a private right of action, and state actors).

AllInternationally, virtually every jurisdiction in which we operate has established its own data security and cyberprivacy legal frameworks with which we, and/or our customers, must comply, including the European Union's General Data Protection Regulation, 2016/679 (“GDPR”), laws implemented by European Union (“EU”) member states and, following the withdrawal of the aforementioned risksUnited Kingdom (“UK”) from the EU, the UK General Data Protection Regulation (i.e. a version of the GDPR as implemented into UK law) (“UK GDPR,” and collectively, the “European Data Protection Laws”). The UK’s decision to leave the EU and ongoing developments in the UK have created uncertainty with regard to data protection regulation in the UK. Going forward, there may be exacerbatedan increasing scope for divergence in the application, interpretation and enforcement of data protection laws as between the UK and EU. The European Data Protection Laws present significantly greater risks, compliance burdens and costs for companies with users and operations in the European Economic Area (“EEA”) and UK. Under the GDPR, fines of up to 20 million euros or up to 4% of the annual global turnover of the infringer, whichever is greater, could be imposed for significant non-compliance and similar levels of fines could also be imposed under the UK GDPR.

The European Data Protection Laws are broad in their application and apply when we do business with EU- and UK-based customers and when our U.S.-based customers collect, use and otherwise process personal data that originates from individuals residing in the EEA and UK. They also apply to transfers of personal data between us and our EU- and UK-based subsidiaries, including employee information. Further, many U.S. federal and state and other foreign government bodies and agencies have introduced, and are currently considering, additional laws and regulations. Non-compliance with these laws could result in penalties or significant legal liability. We could be adversely affected if legislation or regulations are expanded to require changes in our disaster recovery plansbusiness practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations or financial condition.

In addition, certain jurisdictions have enacted data localization laws and cross-border personal data transfer laws. For example, the disaster recovery plans establishedEuropean Data Protection Laws impose strict rules on the transfer of personal data from the EEA, the UK and Switzerland (collectively, “Europe”), to so-called third countries, including the United States, unless the parties to the transfer have implemented specific safeguards to protect the transferred personal data. Although there are legal mechanisms to allow for the transfer of personal data from Europe to the United States, uncertainty remains about compliance and such mechanisms may not be available or applicable with respect to our personal data processing activities. For example, the “Standard Contractual Clauses” (“SCCs”) that are designed to be a valid mechanism by which parties can transfer personal data out of Europe to jurisdictions that are not found to provide an adequate level of protection, must be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country. Specifically, the parties to the cross-border personal data transfer must evaluate the importing jurisdiction’s laws and implement supplemental security measures as necessary to protect the at-issue personal data. Additionally, in July 2023, the European Commission adopted an adequacy decision concluding that the United States ensures an adequate level of protection for personal data transferred from Europe under the EU-U.S. Data Privacy Framework (followed on October 2023 with the adoption of an adequacy decision in the UK for the UK-U.S. Data Bridge). However, such adequacy decisions do not foreclose, and are likely to face, future legal challenges, and it is likely that there will continue to be some uncertainty regarding the mechanisms by which parties transfer personal data out of Europe to jurisdictions such as the United States. If we cannot implement and maintain a valid mechanism for cross-border personal data transfers, we

may face increased exposure to regulatory actions, substantial fines and injunctions against processing (including prohibitions on transferring personal data out of the EU and UK). This may also reduce demand for our third-partyservices from companies subject to European Data Protection Laws. Loss of our ability to import personal data centersfrom Europe may also require us to increase our data processing capabilities in Europe at significant expense.

Moreover, while we strive to publish and hosting providers proveprominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, rules regulations and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. If our public statements about our use, collection, disclosure and other processing of personal information, whether made through our privacy policies, information provided on our website, press statements or otherwise, are alleged to be inadequate. Todeceptive, unfair or misrepresentative of our actual practices, we may be subject to potential government or legal investigation or action, including by the extentFederal Trade Commission or applicable state attorneys general.

Our compliance efforts are further complicated by the fact that data privacy and security laws, rules, regulations and standards around the world are rapidly evolving, may be subject to uncertain or inconsistent interpretations and enforcement, and may conflict among various jurisdictions. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, rules, regulations, standards, certifications or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Further, there are active legislative discussions regarding the implementation of laws or regulations that could restrict the manner in which security research is conducted and that could restrict or possibly bar the conduct of penetration testing and the use of exploits, which are an essential component of our Metasploit product and our business strategy more generally. Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of the above results in delayed or reduced customer sales,which could have a material adverse effect on our business, financial condition and results of operationsoperations.

Some organizations have been reluctant to use cloud solutions for cybersecurity, such as our InsightVM, InsightIDR, InsightAppSec, InsightConnect, InsightCloudSec and Threat Intelligence, because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with this solution. If we or other cloud service providers experience security incidents, breaches of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole may be negatively impacted, which could be adversely affected.harm our business.

Risks Related to our Common Stock

The market price of our common stock has been and is likely to continue to be volatile.

The market price of our common stock may be highly volatile and may fluctuate substantially as a result of a variety of factors, some of which are related in complex ways. Since shares of our common stock were sold in our initial public offering or IPO,(“IPO”), in July 2015 at a price of $16.00 per share, our stock price has ranged from an intraday low of $9.05 to an intraday high of $27.45$145.00 through March 1, 2018.February 16, 2024. Factors that may affect the market price of our common stock include:

Recently, the stock markets, and in particular the market on which our common stock is listed, have experienced extreme price and volume fluctuations that have affected and continue to affect the

The trading market for our common stock will depend,depends, in part, on the research and reports that securities or industry analysts publish about us or our business. We do not have any control over these analysts. If our financial performance fails to meet analyst estimates or one or more of the analysts who cover us downgrade our shares or change their opinion of our shares, our share price would likely decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price or trading volume to decline.

We do not intend to pay dividends for the foreseeable future and, as a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividends on our common stock and do not intend to pay any cash dividends in the foreseeable future. We anticipate that we will retain all of our future earnings for use in the development of our business and for general corporate purposes. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

In the future, we may sell additional shares of our common stock or the perception that these sales may occur, could cause our share priceequity-linked securities to decline.

In addition, our revolving credit facility contains, and any future additional indebtedness that we may incur may contain, financial and other restrictive covenants that limit our ability to operate our business, raise capital, pay dividends and/or make payments under our other indebtedness. If we fail to comply with these covenants or to make payments under our indebtedness when due, then we would be in default under that indebtedness, which could, in turn, result in that and our other indebtedness becoming immediately payable in full. Any such event of default under our revolving credit facility would give the lenders the right to terminate their commitments to provide additional loans under our revolving credit facility and to declare any and all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. In addition, the lenders under our revolving credit facility would have the right to proceed against the collateral in which we granted a security interest to them, which consists of substantially all our assets. If the debt under our revolving credit facility were to be accelerated, we may not have sufficient cash or be able to borrow sufficient funds to refinance the debt or sell sufficient assets to repay the debt, which could immediately materially and adversely affect our cash flows, business, results of operations, financial condition and our ability to make payments under our indebtedness, including the Notes, when due. Further, the terms of any new or additional financing may be on terms that are more restrictive or on terms that are less desirable to us.

In the event the conditional conversion feature of the Notes is triggered, holders of the Notes will be entitled to convert their Notes at any time during specified periods at their option. If one or more holders elect to convert their Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock are freely tradable without restriction(other than paying cash in lieu of delivering any fractional share), we would be required to settle a portion or all of our conversion obligation in cash, which could adversely affect our liquidity. As of December 31, 2023, the 2025 Notes, the 2027 Notes and the 2029 Notes were not convertible at the option of the holder. Whether the Notes will be convertible following the year ended December 31, 2023, will depend on the future satisfaction of a conversion condition. In addition, even if holders of Notes do not elect to convert their Notes, we could be required under applicable accounting rules to reclassify all or a portion of the Securities Actoutstanding principal of 1933,the Notes as amended, ora current rather than long-term liability, which would result in a material reduction of our net working capital.

The capped call transactions may affect the Securities Act, except for anyvalue of the Notes and our common stock.

In connection with the issuance of the 2023 Notes, the 2025 Notes, the 2027 Notes and the 2029 Notes, we entered into capped call transactions with certain counterparties (the “Capped Calls”). The Capped Calls cover, subject to customary adjustments, the number of shares of our common stock that may be heldinitially underlying each of the 2023 Notes, the 2025 Notes, the 2027 Notes and the 2029 Notes. The Capped Calls are expected to offset the potential dilution as a result of conversion of such Notes. In connection with establishing their initial hedge of the capped call transactions, the counterparties or acquired bytheir respective affiliates entered into various derivative transactions with respect to our directors, executive officers and other affiliates, as that term is definedcommon stock concurrently with or shortly after the pricings of the respective Notes, including with certain investors in the Securities Act,applicable Notes. The counterparties and/or or their respective affiliates may modify or unwind their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the applicable Notes (and are likely to do so on each exercise date of the capped call transactions, which are subject

scheduled to restrictionsoccur during the applicable observation period relating to any conversion of the 2025 Notes on or after November 1, 2024, relating to any conversion of the 2027 Notes on or after December 15, 2026 or relating to any conversion of the 2029 Notes on or after December 15, 2028, in each case that is not in connection with a redemption). We redeemed the 2023 Notes in November 2021. As described elsewhere in this Annual Report on Form 10-K, the 2023 Capped Calls were not redeemed with the redemption of the 2023 Notes but were cash-settled via written notice provided to the counterparties on May 31, 2023; see the section entitled “Capped Calls” under Note 11 to our consolidated financial statements and “Management's Discussion and Analysis of Financial Condition and Results of Operations” included elsewhere in this report for information regarding our cash settlement of the Securities Act,2023 Capped Calls. We cannot make any prediction as to the direction or that may be issued under our equity incentive plans subject to vesting requirements. We are unable to predict themagnitude of any potential effect that these sales, particularly sales by our directors, executive officers, and significant stockholders,the transactions described above may have on the prevailingprices of the Notes or the shares of our common stock. Any of these activities could adversely affect the value of the Notes and our common stock.

The option counterparties are financial institutions, and we will be subject to the risk that one or more of the option counterparties may default or otherwise fail to perform, or may exercise certain rights to terminate, their obligations under the Capped Calls. Our exposure to the credit risk of the option counterparties will not be secured by any collateral. Recent global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under such transaction. Our exposure will depend on many factors but, generally, our exposure will increase if the market price or the volatility of our common stock increases. In addition, upon a default or other failure to perform, or a termination of obligations, by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of the option counterparties.

Conversion of the Notes will dilute the ownership interest of existing stockholders, including holders who had previously converted their Notes, or may otherwise depress the price of our common stock.

Our business is subject to regulation by various federal, state, local and foreign governments. In June 2017,certain jurisdictions, these regulatory requirements may be more stringent than those in the United States. These laws and regulations may also impact our innovation and business drivers in developing new and emerging technologies, including those related to AI and machine learning. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, mandatory product recalls, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, injunctions or other collateral consequences. If any governmental sanctions are imposed, or if we fileddo not prevail in any possible civil or criminal litigation, our business, results of operations, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a prospectus supplementsignificant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, reputation, results of operations and financial condition.

Our business is subject to the effective registration statement described above with respectrisks of climate change, pandemics, earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.

A significant public health crisis, epidemic or pandemic, or climate change, or a natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. In addition, public health crises, climate change, or natural disasters could affect our channel partners’ ability to perform services for us on a timely basis. In the sale of up to 2,800,000 shares ofevent we or our common stockchannel partners are hindered by two of our significant stockholders, which facilitated the resale by those holders of a portionany of the shares ofevents discussed above, our common stock they hold.ability to provide our products or service offerings to customers could be delayed.

In addition, our facilities and those of our third-party data centers and hosting providers are vulnerable to damage or interruption from human error, intentional bad acts, pandemics, earthquakes, hurricanes, floods, fires, war (including the Russia-Ukraine war and the Israel-Hamas conflict), terrorist attacks, power losses, hardware failures, systems failures, telecommunications failures and similar events. The occurrence of a public health crisis, climate change, natural disaster, power failure, war (including the Russia-Ukraine war and the Israel-Hamas conflict) or an act of terrorism, vandalism or other misconduct, a decision by a third party to close a facility on which we rely without adequate notice, or other unanticipated

problems could result in lengthy interruptions in provision or delivery of our products, potentially leaving our customers vulnerable to cyber attacks. The occurrence of any of the foregoing events could damage our systems and hardware or could cause them to fail completely, and our insurance may not cover such events or may be insufficient to compensate us for the potentially significant losses, including the potential harm to the future we may issue common stock or other securities in connection with a capital raise or acquisitions. The number of new sharesgrowth of our common stock issued in connection with a capital raise or acquisition could constitute a material portion of our then-outstanding shares of our common stock.

In addition, while the long-term effects of climate change on the global economy and the technology industry in particular are unclear, we recognize that there are inherent climate related risks wherever business is conducted. Any of our primary locations may be vulnerable to the adverse effects of climate change. Climate-related events, including the increasing frequency of extreme weather events and their impact on critical infrastructure in the United States and elsewhere, have the potential to disrupt our business, our third-party suppliers, and/or the business of our customers, and may cause us to experience higher attrition, losses and additional costs to maintain and resume operations. Transitional climate change risks that result from a less active trading marketshift to a low-carbon economy may subject us to increased regulations, reporting requirements, standards, or expectations regarding the environmental impacts of our business and untimely or inaccurate disclosure could adversely affect our reputation, business or financial performance.

All of the aforementioned risks may be exacerbated if our disaster recovery plans or the disaster recovery plans established for our common stockthird-party data centers and hosting providers prove to be inadequate. To the extent that any of the above results in delayed or reduced customer sales, our stock price maybusiness, financial condition and results of operations could be more volatile.adversely affected.

We are obligated to maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our common stock.

We have been and are required, pursuant to Section 404 of the Sarbanes-Oxley Act or (“Section 404,404”), to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal controls are effective. While we have established certain procedures and control over our financial reporting processes, we cannot assure you that these efforts will prevent restatements of our financial statements in the future.

Our independent registered public accounting firm will not beis also required, pursuant to attestSection 404, to report annually on the effectiveness of our internal control over financial reporting until our first annual reportreporting. This assessment is required to be filed with the SEC following the date we no longer qualify as an “emerging growth company,” as definedinclude disclosure of any material weaknesses identified by our management in the JOBS Act. At such time,our internal control over financial reporting. For future reporting periods, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. We may not be able to remediate any future material weaknesses, or to complete our evaluation, testing and any required remediation in a timely fashion. We will be required to disclose significant changes made in our internal control procedures on a quarterly basis.

Our compliance with Section 404 will require that we incur substantial accounting expense and expend significant management efforts. We currently do not have an internal audit group, and we may need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404. Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to assertconclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion on the effectiveness ofthat our internal controls when it is required to issue such opinion, weover financial reporting are effective, investors could lose investor confidence in the accuracy and completeness of our financial reports, which could cause the market price of our common stock couldto decline, and

Anti-takeover provisions in our charter documents, our indenture and under Delaware law could make an acquisition ofacquiring us more difficult, limit attempts by our stockholders to replace or remove our current management and limit the market price of our common stock.

Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a change in control or changes in our management. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions that:

These provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, who are responsible for appointing the members of our management.

In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which generally prohibits a Delaware corporation from engaging in any of a broad range of business combinations with any “interested” stockholder for a period of three years following the date on which the stockholder became

an “interested” stockholder. Any of the foregoing provisions could limit could limit the opportunity for our stockholders to receive a premium for their shares of our common stock and could also affect the price that some investors are willing to pay for our common stock.

Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

Pursuant to our amended and restated certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware is the sole and exclusive forum for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (3) any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws or (4) any action asserting a claim governed by the internal affairs doctrine. Our amended and restated certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our common stock is deemed to have notice of and consented to the foregoing provision. The forum selection clause in our amended and restated certificate of incorporation may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us.

We believe that our current facilities are suitable and adequate to meet our current needs. We intend to add new facilities or expand existing facilities as we add employees, and we believe that suitable additional or substitute space will be available as needed to accommodate any such expansion of our operations.

Not applicable.

Our common stock is listed on the Nasdaq Global Market under the symbol “RPD” since July 17, 2015. Our initial public offering was priced at $16.00 per share on July 16, 2015.

As of December 31, 2017,2023, there were 11533 holders of record of our common stock, including Cede & Co., a nominee for The Depository Trust Company or DTC,(“DTC”), which holds shares of our common stock on behalf of an indeterminate number of beneficial owners. All of the shares of common stock held by brokerage firms, banks and other financial institutions as nominees for beneficial owners are deposited into participant accounts at DTC, and are considered to be held of record by Cede & Co. as one stockholder. Because many of our shares are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.

The following graph shows a comparison from July 17, 2015 (the date our common stock commenced trading on the Nasdaq Global Market)December 31, 2018 through December 31, 20172023 of the cumulative total return for an investment of $100 in our common stock, the Nasdaq Global Market and the Nasdaq Computer Index. Data for the Nasdaq Global Market and the Nasdaq Computer Index assume reinvestment of dividends.