I want a full summary of this article; it's due in 24 hours from now.
It should be typed in a Word document; the length is one and a half pages.
That Corey Thomas, vice president at Boston-based Rapid7, Inc., was about to enter his investor’s boardroom to negotiate a potential acquisition of Metasploit, LLC, was already an unlikely achievement of sorts. After all, Rapid7 was a venture-backed, corporate client-focused cybersecurity company, and Metasploit was a white-hat hacker community with a reputation that ranged from esoteric to “notorious.” And awaiting Thomas for the deliberations wasn’t a typical business partner, but rather HD Moore, Metasploit’s founder, chief contributor, and in 2009 one of the most well-known hackers on the planet. The groundwork that had been laid to convince Moore to come to Boston for the discussions would all be for naught if Thomas couldn’t come to terms with Moore . . . and if Thomas couldn’t persuade his own executive team and board of directors that whatever package he ultimately agreed to with Moore was a reasonable one, even though an acquisition of Metasploit would come with no meaningful revenue and considerable execution, legal and reputational risks.
Three founders had grown Rapid7 to now close to 100 employees and $11 million in annual revenue. Bookings were up 29% over 2008 at the vulnerability management firm. A new executive team was in place, as was substantial financial investment from Bain Capital Ventures.1 But Rapid7 had yet to break out from the crowd and generate elevated attention in the evolving space of security testing. Thomas lamented, “We were 5th or 6th on a list of 7.” Metasploit, he believed, could change that.
Metasploit was a framework for exploitation testing of computer networks and systems. A small group of unpaid contributors wrote "exploits," code that takes advantage of a specific vulnerability to gain access to or control of a system and which, in malicious hands, could be used to penetrate corporate or other networks. The community made the code freely available. Moore led the charge: he was Metasploit's chief contributor and its chief defender, in particular against those who argued that his efforts enabled the very hacking he claimed to combat.
Thomas and colleagues had first suggested earlier in the year that Rapid7 acquire Metasploit, buying its intellectual property (domains, trademarks, and copyrights, though not its code, which was publicly available) and hiring Moore.2 They had piqued the interest of their leadership team and of Moore, who was already contemplating ways to formalize (and potentially monetize) Metasploit. But now, an acquisition would depend on deft navigation of final details, including:
Economic terms: How much should Rapid7 pay for Metasploit, in what forms, and how much up front or via an earn-out for Moore?
Product commitments: What future resources would Rapid7 promise for enhancing the Metasploit project and what guarantees would they make about keeping it free and freely available?
Team integration: What would Moore's role be at Rapid7? What part of the organization would he have responsibility for? Which of his co-contributors would he bring along, and how? Would he relocate from Austin, Texas?

Senior Lecturer Mitchell Weiss, Professor Paul Gompers, and Research Associate Silpa Kovvali prepared this case. It was reviewed and approved before publication by a company designate. Funding for the development of this case was provided by Harvard Business School and not by the company. HBS cases are developed solely as the basis for class discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective management.
Copyright © 2017 President and Fellows of Harvard College. To order copies or request permission to reproduce materials, call 1-800-545-7685, write Harvard Business School Publishing, Boston, MA 02163, or go to www.hbsp.harvard.edu. This publication may not be digitized, photocopied, or otherwise reproduced, posted, or transmitted, without the permission of Harvard Business School.
In 2000, Tas Giakouminakis, Chad Loder, and Alan Matthews were executives at Percussion, a Boston-based software company that specialized in web content management.3 (See Exhibit 3 for founder bios.) Through their interactions with Percussion's customers, they came to realize that security management at firms, much like the industry itself, was highly fragmented. While customers might have a sense of weaknesses across their network and the web, or in their hardware or software systems, or in the databases they used for storage, they complained that they lacked a cohesive, all-encompassing picture of vulnerabilities across all of these platforms. In addition, they could not assess the relative threat these vulnerabilities posed. Giakouminakis, Loder, and Matthews founded Rapid7 intent upon filling this void.4 In the few years after its founding, Rapid7 generated buzz and headlines after discovering major security flaws in software from Apple, IBM, and Microsoft.5
In July of 2005, the company released the fourth version of its signature product, NeXpose. The vulnerability management tool allowed Rapid7's data center to perform a vulnerability scan and then deliver results to clients, and it also offered a second mode of deployment. Rather than having to transfer potentially sensitive information to Rapid7 and cede control of the security management process, customers could keep their own data on their own systems and run the scans internally. In addition to the privacy benefits, this gave customers a picture of security threats from without and within. "The upshot is customers can perform an external as well as internal inspection of their networks, obtaining a more complete picture of vulnerabilities and policy violations in their enterprise," Matthews, then Rapid7 president, said.6
NeXpose fueled meaningful growth over the next few years. By 2008, bookings and revenue were $10.3 million and $6.1 million, respectively. Rapid7 provided security to retailers like Barney’s and Trader Joe’s, educational institutions like California State University and the University of Oklahoma, media companies like the New York Times, and public clients like the Commonwealth of Massachusetts.7
In September of 2008, Rapid7 secured $7 million in venture financing from Bain Capital Ventures.8 Ben Holzman of Bain Capital was drawn to the company’s innovative and passionate technical team led by Giakouminakis. He was also excited by how much the company had accomplished with limited resources and impressed by the company’s sales team (he called theirs a “hot-rod culture”) and how it meshed with the rest of the organization.
The influx of capital allowed the company to expand its executive team, including hiring Thomas,9 a CFO, and a new president-COO, Mike Tuchen. Tuchen, who would be named CEO within the next year,10 came to Rapid7 from Microsoft where he managed Microsoft’s SQL Server Marketing. CFO Timothy O’Toole was a CPA with experience in and knowledge of the Massachusetts tech corridor.11 (See Exhibit 4 for executive team bios.) The funding would also be used for building out the sales team, starting a marketing effort in earnest, addressing technical debt that had accrued in the product, and making sure NeXpose’s features stayed at the cutting edge.
The NeXpose launch fueled Rapid7's growth, but not enough for the company to break out from the (increasing) pack of competitors in the space. (See Exhibit 1 for industry overview and Exhibit 8 for new venture investments.) Thomas put it in stark terms: "The company had been around a long time and wasn't that relevant." The new team was in place to help the company try to break through. "Mike Tuchen, Corey Thomas, the team, the board, the investors…everyone was willing to make bets to make it relevant." Holzman concurred. "There was no desire within the company, board, or investment base," he said, "to do anything but try to grow something big."
Tuchen joined with enthusiasm for the team of strong and creative engineers. He knew that one of his tasks would be to help re-ignite growth. He aimed to update some engineering processes and to scale the engineering team, and to maintain the very high energy, very “go-for-it” culture. He loved the way that showed through in the sales organization. “We deliberately put the sales floor right when you walked in, and with sales being sales, it seemed like a party going on. People throwing balls. With people joking back and forth. People having fun. It was very high energy. The founders got that started. We were going to make a lot of changes, but I knew this was something we were going to keep.”
In joining Rapid7, Thomas was willing to make a bet, too. He wanted to join a company where he would have independence and agency in driving success. “I get to bet on myself. To me, I value that more than some marquee name.” Thomas’s interest in technology had begun at an early age, when he was constantly building and designing. At Vanderbilt University, where he received his undergraduate education, he double-majored in electrical engineering and computer science. After graduating, he worked at Deloitte Consulting for two years before attending Harvard Business School. Determined to gain new and varied experiences, he spent a few years at Microsoft before joining the tech startup Parallels, which focused on virtual desktops and remote access.12 He joined Rapid7 as vice president of marketing,13 and a year later had transitioned to vice president of products and operations.14
Beyond Vulnerability Scanning
Thomas began to formulate his vision for Rapid7 as he got situated in his new roles. “I think about how to capture people’s attention in areas they care about. If you can do that, you can make money. You need to keep your promise that if customers buy they will get a better experience. But first, you need to capture their attention, and unfortunately, there isn’t a formula for that.”
Rapid7 was just one of many companies in the populated and complex security management sector. Rapid7's area of focus, vulnerability scanning and management, was described as a $2.7 billion market. At the end of 2007, the five largest companies in this area held only 30.5% of market share combined. (See Exhibit 2 for market share breakdown.) IBM, Symantec, and HP had all dipped their toes in. Many companies in the highly fragmented space provided vulnerability management among a handful of other focused offerings. Rapid7 faced competition from tech behemoths and from smaller companies like Qualys, nCircle, and Secunia.15
Vulnerability scanning and management extended across a broad array of functionalities: testing a client’s systems for potential threats, exposing any flaws or weaknesses in its cyber-security, determining and ranking the extent and severity of each threat, and presenting this information. Services sometimes extended to working with clients’ IT departments to help them remediate identified flaws. They often also included compliance management, which ensured that clients were providing legally mandated levels of security, particularly in the handling of sensitive information. A central goal was to preempt any potential attacks by informing a client of its vulnerabilities.
“We got to this notion,” Thomas recalled, “that for a customer it was not about how many vulnerabilities you had. It was which will lead to compromise. What will cause you to be exploited? That gets closer to relevance. People care about vulnerability, but what they really care about is getting to compromise. So one thesis was that if we can get closer to getting people to understand their likelihood of being compromised, then we can start to really get their attention.” And a way of really getting customers to understand the likelihood their factory machinery could be stopped or their payrolls re-routed? Exploit code.16
Exploit code was a useful, albeit controversial, tool in vulnerability management. Exploits went further than traditional vulnerability scanning. Rather than simply identifying a flaw, exploit code, true to its name, actually took advantage of it. Exploits essentially consisted of the code an attacker might use to compromise a client's security, either to access and steal proprietary information or to attack its systems. Penetration testers (also called "pen testers") used exploits as a way to triage vulnerabilities: by running the exploit, they could test how much damage a bad actor who had identified the flaw would actually be able to do, and separate findings that led to compromise from those that did not. For this reason, a few firms such as Core Security and SAINT had built exploits into their vulnerability management products.17
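The following is an added worked illustration of the triage idea in this paragraph and of Thomas's thesis above; it is not Rapid7's or Metasploit's code. A constructed scan report is ranked not by how many findings a host has, nor by severity score alone, but by whether a public exploit exists for each finding and whether an exploit attempt against that host actually succeeded. All host names, vulnerability identifiers, scores and attempt results are made up.

```python
"""Triage scan findings by exploitability rather than by count.

Added example illustrating the case's thesis; it is not Rapid7 or
Metasploit code. A scanner lists vulnerabilities (constructed sample
below); a penetration tester then asks which of them an attacker can
actually turn into a compromise. Findings are placed in four tiers:

  3  an exploit attempt against this host succeeded (confirmed compromise)
  2  a public exploit module exists but has not been run against this host
  1  a public exploit module exists but the attempt here failed
     (possibly mitigated; kept above tier 0 because a failed attempt
     can be a false negative)
  0  no known exploit; patch on the normal schedule

Within a tier, findings are ordered by CVSS base score, then host name.
All host names, identifiers, scores and attempt results are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # identifier as the scanner reports it (constructed)
    cvss: float    # base severity, 0.0-10.0


# Constructed index: vuln_id -> does a public exploit module exist?
EXPLOIT_INDEX = {
    "VULN-0001": True,
    "VULN-0002": False,
    "VULN-0003": True,
    "VULN-0004": False,
}

# Constructed results of exploit attempts, keyed by (host, vuln_id).
# True: the exploit worked (e.g. a shell was obtained). False: it was
# attempted and failed. Absent: never attempted.
ATTEMPTS = {
    ("db1", "VULN-0003"): True,
    ("web1", "VULN-0001"): False,
}

# Constructed scanner output.
SCAN = [
    Finding("web1", "VULN-0001", 9.8),  # critical, exploit exists, attempt failed
    Finding("web1", "VULN-0002", 7.5),  # high, no public exploit
    Finding("db1", "VULN-0003", 6.5),   # medium, exploit exists and succeeded
    Finding("app1", "VULN-0001", 9.8),  # critical, exploit exists, untested
    Finding("app1", "VULN-0004", 4.3),  # medium, no public exploit
]


def tier(finding, exploit_index, attempts):
    """Return the exploitability tier (3, 2, 1 or 0) of one finding."""
    result = attempts.get((finding.host, finding.vuln_id))
    if result is True:
        return 3
    if exploit_index.get(finding.vuln_id, False):
        return 2 if result is None else 1
    return 0


def triage(findings, exploit_index=EXPLOIT_INDEX, attempts=ATTEMPTS):
    """Order findings by tier (highest first), then CVSS, then host."""
    return sorted(
        findings,
        key=lambda f: (-tier(f, exploit_index, attempts), -f.cvss, f.host),
    )


def count_by_tier(findings, exploit_index=EXPLOIT_INDEX, attempts=ATTEMPTS):
    """Headline numbers: how many findings sit in each tier."""
    counts = {0: 0, 1: 0, 2: 0, 3: 0}
    for f in findings:
        counts[tier(f, exploit_index, attempts)] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SCAN):
        print(tier(f, EXPLOIT_INDEX, ATTEMPTS), f.host, f.vuln_id, f.cvss)
```

On the constructed data, the medium-severity finding on db1 that was actually exploited ranks above both critical (9.8) findings, and the critical finding whose exploit attempt failed ranks below the untested one; a ranking by CVSS alone would put both 9.8 findings first and the confirmed compromise third.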
Exploit technology accordingly had something of a maligned reputation in the corporate world. Since it derived its utility from its intrusiveness, some governments and businesses were wary of its use. Still, many smaller companies that could not afford comprehensive security management relied upon cheaper vulnerability offerings like Immunity's Security,18 and used them in conjunction with a free exploit source like milw0rm19 or the open-source Metasploit Framework.20
Rapid7 likewise created a Metasploit integration for NeXpose, which allowed customers to draw on exploit code created by Metasploit’s community to test their own systems. By early 2009, Thomas began to prefer a bolder move. “Acquiring Metasploit could catapult us up. Metasploit was notorious— actually in a negative way. But for me, notorious was a way to capture attention. We had to go get HD.”
In October of 2003, HD Moore was working at Digital Defense, Inc., a network security company21 where, like the founders of Rapid7, he was deeply frustrated with the market’s current offerings. In particular, Moore felt the company’s existing database of exploits was wanting, but “the pace of work was such that we never had time to build anything useful for the long-term.”22 In his spare time, Moore coded his own exploits, initially as a fun project. After he’d compiled eleven different exploits, he released them publicly under the name Metasploit 1.0.23
This initial dump of exploit code was widely panned, but Moore's inclusive leadership philosophy made use of this criticism. One developer responded with what Moore characterized as "a particularly nasty e-mail, ripping on the quality, the overall design, and generally saying how awful the whole thing was. This person . . . became the second developer on the project."24 When critics told Moore his project was terrible, he challenged them to build something better. In 2004, Moore and a collaborator, Spoonm, released a new version of the project with 19 exploits and 27 payloads. Matt Miller (aka Skape) joined Moore and Spoonm as a contributor, and their work began to grow in popularity.25
Moore grew the community to seventeen members,26 all uncompensated. Contributors all worked remotely, submitting code occasionally from their respective workplaces and homes into the publicly available and freely accessible repository. Moore motivated community members by acknowledging their ideas, even if their implementation was sloppy. More experienced, senior members of the Metasploit team would often clean up error-ridden code from new contributors, usually accepting no credit for their work at all. After receiving this initial encouragement, Moore generally found that contributors quickly got up to speed. Eventually their submissions required few edits, if any at all.27 The acknowledgment inspired members of the Metasploit community to feel vested in and loyal to the project and, most importantly, to continue to contribute. "Credit," Moore said, "is [the] main form of currency in the open-source world."28
While Moore was held in high esteem by members of the Metasploit Project, he was a lightning rod of controversy outside of it. Steve Ballmer, CEO of Microsoft, Inc., had once said at the company's Worldwide Partner Conference, "I can tell you I wish those people just would be quiet. It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers." Moore put the quote on Metasploit's website.29 Members of the Metasploit Project and, in particular, Moore, characterized themselves as white-hat hackers who engaged in hacking for benevolent purposes: to make companies aware of holes in their security rather than take advantage of them. But their aggressive approach was met with mixed responses. In July of 2006, Moore launched a "month of browser bugs," during which he released an exploit a day for a major Internet browser.30 Some vendors, like Mozilla, maker of the open-source Firefox browser,31 were grateful for the reveals. "They even sent me a T-shirt," Moore recalled.32 Others were less gracious. After one exploit release that required Microsoft to release an early update to its browser, Moore faced harsh criticism from some product managers, with one calling him the "spawn of the devil."33 Metasploit stood by its approach. Skape declared, "The Metasploit staff doesn't enforce anyone's idea of 'responsible disclosure.'"34 Moore concurred. "Admins cry, 'You can break into my systems now.' Well, you should patch your systems."35
This open-source mentality, however, also demanded that Metasploit protect itself from another kind of unwelcome intruder— companies looking to sell its code for profit. In 2006, Moore created Metasploit LLC explicitly to prevent Metasploit from becoming a commercial product.36 Moore shared ownership of Metasploit LLC with Spoonm and Skape.
The move required Metasploit to address some intellectual property issues and, in particular, to decide how to license code contributed by its still unpaid contributors. The company initially settled on a free-as-in-beer license.37 In contrast with a free-as-in-speech alternative, a free-as-in-beer license gave users the right to use the product as given, at no cost, but no right to study, redistribute, or modify the underlying code.38 In early 2008, when Spoonm and Skape left the Metasploit community, Moore had to attract more contributors to share the burden of core development. (A 2007 migration of the product from the Perl programming language to Ruby required 150,000 new lines of code and took over 18 months.39) So, Metasploit LLC modified its license structure again to make sure that no matter what changes it made to its licenses in the future, developers would always have access to code they'd written. Moore also took special pains to ensure the Metasploit name was protected, and that Metasploit LLC owned all of the domains, trademarks, and copyrights that the Metasploit Framework entailed. (See Exhibit 5 for a timeline of Metasploit's licensing.)
Moore’s efforts to resolve Metasploit’s intellectual property issues left unaddressed a second set of concerns that had emerged. Contributions from some members in the Metasploit community had dwindled, and Moore’s own time keeping the framework up-to-date and high quality was limited by commitments to his full-time job. He began thinking about leaving his company to turn Metasploit into one.
Rapid7 and Metasploit Collaboration
The Rapid7/Metasploit collaboration began as a relatively straightforward product integration. Loder, one of Rapid7’s technical co-founders, suggested it and received swift approval from Tuchen, by then the firm’s CEO. “Loder came up to me one time and said, ‘Mike, we should integrate Metasploit into our product.’” Tuchen recalled. “And this sounded like a pretty good idea, and it sounded like not a bunch of work, so I said, ‘Sure.’” Moore agreed with the concept, too, and he and Loder went about the integration mostly on their own.
Loder, Thomas, and Tuchen and others were pleased with the early results of the integration, but began to see its limits. “Metasploit was completely free. We did the product integration, and that added some value for customers. But neither we nor anyone in the world were really monetizing it. No one had really taken a business approach to it. Moore had built it up to 20,000 downloads per month, but he was just one person and not even full time,” Tuchen noted. Thomas elaborated, “We want to use high-quality exploit data to help prioritize risk and get better insight into which attacks are most likely. But, could we invest and contribute to the project over time for a more robust database at our disposal?” he wondered.40
Should Rapid7 Acquire Metasploit?
Loder, Tuchen, Thomas and their venture partners at Bain, Ben Holzman and Ben Nye, began discussing an acquisition by Rapid7 of Metasploit. Thomas was for buying Metasploit, but laid out the tensions in doing so: “Our team, our investors, they liked the brand, they understood the shift from vulnerability to exploitability. The strategy, and the marketing they understood; the business model, they didn’t.” Holzman echoed the sentiment: An acquisition could, “differentiate us from a product capability point of view: There was no one else in the world that has the world’s most widely used source of open-source exploit tools. There is only one of those, and that’s Metasploit. But our discussions had to start with, what is it? They have a product they don’t sell. What would we really be buying?”
Holzman also laid out a second issue of concern: “Can the team execute on this? When you are a startup, you are under-resourced to begin with. You don’t even have the bandwidth to manage the day to day. In order to make it successful, what is really required from our team? How much of a distraction would it be?” It was a concern that Thomas had in other contexts been sympathetic to, noting, “Small companies can only really do one thing well.”
Tuchen captured a third issue the team needed to consider. In addition to the database of 400-plus exploits, he looked at the 20,000 Metasploit downloads a month and saw a valuable lead stream (“It could be gasoline for sales and marketing”) but recognized that Rapid7 couldn’t fully control who was doing the downloading and what they did next. “Penetration testing has positive attributes, but bad guys also use these tools. It’s a risk, but I don’t think there is a real way to assess that risk.” There were some measures Rapid7 could take if they owned Metasploit to deter criminals from making use of what would become a signature product. “We could make sure we only sold to commercial entities in the parts of the world we felt confident were above-board. Our sales could be done through our own sales team through the phone so we knew who we were talking to. We could know where the purchase order was going, and we could control commercial distribution. But what you can’t control—other than through some very blunt things like IP blocking—you can’t control who downloads it. What we could say about this was that Metasploit existed whether we owned it or not, that there were other tools like it, that bad guys were going to do something anyway, and that we weren’t going to make things worse by buying it.”
Thomas put a fourth and fifth issue in frank terms: “The whole Metasploit community hated Rapid7 and customers didn’t like Metasploit.” Testing Thomas had done with customers about their perception of Metasploit as a potential acquisition target hadn’t gone well: customer perception was that Rapid7 would then be affiliated with a hacker tool and that hackers were widely perceived negatively. But Thomas wasn’t feeling deterred. “Those concerns could be managed. It comes back to our thesis: that knowing exploitability is more important than knowing vulnerability. Why people are hackable is because they don’t test. And if I could get Metasploit, I could give customers the tools. This is a lethal weapon. And I could say to them: Do you want this in enemy hands or friendly hands? Pick.” There would also be unhappy lawyers and government officials and regulatory risk to go along with the customer risk, and Thomas noted wryly, “It would launch my career in politics.”
Thomas was given the go-ahead to pursue Moore and his project, but a purchase of Metasploit wasn’t the only possible path forward.
Rapid7 could instead continue with the status quo: an informal partnership between Rapid7 and Metasploit LLC. Thomas noted, "I told HD what we wanted to do. He said, 'It's open source. Just use it.'" The partnership had proven successful enough to spawn talks of an acquisition. Continuing an informal partnership would still allow Rapid7 to piggyback on the discoveries of Metasploit's community to provide a more robust offering to its paid clients. Rapid7 could avoid the costs and disruption of an acquisition, avoid major reputational risks, and maintain full control over its process.
Alternatively, Rapid7 could hire HD Moore without acquiring Metasploit LLC. By 2009, Moore had become “synonymous” with the Metasploit Project,41 and a successful acquisition was likely to require Moore’s continued involvement and support anyway. Maybe hiring Moore without formally acquiring Metasploit offered a cheaper and less risky alternative, along with a pathway to his fellow Metasploit collaborators. However, given Moore’s dedication to Metasploit LLC, it was unclear whether he’d be willing to abandon the Metasploit Project itself. And hiring Moore without buying Metasploit would not bring the same “brand” recognition. Metasploit was more widely known than Rapid7 (for both good and bad reasons).
A third possibility that had some traction in the open-source world would be to license Metasploit from Moore's group for building into a proprietary Rapid7 product. Perhaps Moore could keep the open-source version of the framework, but grant Rapid7 some sort of branding rights or exclusive access to parts of the codebase, in exchange for revenue which would support the open-source version.
Terms for an Acquisition
Thomas preferred an acquisition to each of these alternatives, so he was especially focused on outdoing them with acquisition terms that would be better for Rapid7 and for Moore. He and Loder invited Moore to come up to Boston to try to work out a deal. Nye would host the meeting at Bain Capital and join Thomas for the discussions. On the table were at least three main buckets of issues: economic terms, commitments to Metasploit, and how to integrate Moore and the Rapid7 team.
Thomas and Moore had completed some preliminary discussions about payment before Moore’s trip to Boston. Moore had wanted a large upfront payment. Thomas had already told him that was not in the cards. Thomas was prepared to offer the Metasploit founder:
A small portion of Rapid7’s equity;
An upfront cash payment; and
An earn-out that would be comprised of some percentage of sales for the next four years and paid to Moore so long as he stayed that duration.

Product Commitments

Thomas was sensitive to the need to win over the Metasploit community. But he was also confident in Moore's capacity to do that if he were so motivated. "HD has a strong personality, so I didn't think a lot of people would speak out. But I also wanted to give him some ammunition to say, 'Hey, we are going to make Metasploit a lot better.'" Tuchen, Thomas, Moore and others had done some brainstorming around a version of a commercial product that could be priced near $3,000 per user per year to go with the non-commercial one.42 Thomas estimated that, at least in the first year post-acquisition, some percentage of the monthly Metasploit users could be converted to the commercial product each month, and some portion each month would become customers of NeXpose. He also hoped the "bump" from the news would increase NeXpose volumes, on top of the leads generated from Metasploit. Prices for NeXpose at the time ranged from $25,000 per client for a Class C license to $235,000 for an enterprise license.43 Clients would generally pay an additional 15% for support services.44 Though they hoped to integrate Metasploit technology into NeXpose, they didn't anticipate a corresponding rise in prices. Moore proved open to a paid version, but was specific about the points he felt were essential to preserve for his open-source community. Thomas felt his investors wouldn't like "forever" commitments, but believed it was important to commit to Moore that:
Metasploit would always continue to exist as an open-source product in some fashion, even as they built a commercial product on top of it;
Rapid7’s next two releases would be upgrades to this open-source offering and not to their own NeXpose product; and
Rapid7 would release at least one upgrade per year to Metasploit and would fund Metasploit in perpetuity.

The Metasploit community would look to the letter and the spirit of Rapid7's commitments. Metasploit contributor Tod Beardsley expressed concern that Metasploit would be "used only as a shingle to sell some weaksauce Metasploit Professional product that Real Hackers wouldn't ever use anyway."45 Beardsley noted that if "Metasploit's open development would dry up, the contributors would flee and the massive open source user base would find something else to develop and deliver their exploits with."

Rapid7's NeXpose also had brand equity it had cultivated among demanding, high-end clients. This brand might be cheapened if it were viewed as a minor upgrade from a free and open-source offering. If Rapid7 were to move forward with an acquisition that promised maintenance and enhancement in perpetuity of an open-source product, it might alleviate some skepticism among the Metasploit community, but exacerbate tensions within its own staff, investors, and customers.

Rapid7 would acquire all of the intellectual property controlled by Metasploit. This would include the website, Metasploit.com, and the label "Metasploit." Moore would have to make sure Spoonm and Skape signed away their rights to these. Whether Moore wanted to share the economics was up to him, but they hadn't been contributors to the project for some time, and Thomas wanted to deal exclusively with Moore.
How NeXpose and Metasploit would co-exist as brands Thomas would leave mostly undetermined for now. Rapid7’s two technical co-founders felt attached to the NeXpose brand.
Integrating the Team
Moore was an essential reason for the transaction. So securing his commitment to Rapid7 through the economic terms and otherwise was key. In addition to the earn-out, Thomas favored the following arrangements:
Moore would join Rapid7 as Chief Security Officer;
Moore would be chief architect of the Metasploit product, including a new commercial version, and would lead a team of six engineers; and Moore could lead the team from his location in Austin, TX, and Thomas would not be proscriptive about where the other engineers worked from. This last concession was potentially an especially tricky one. Moore’s contributor community had dwindled somewhat, and the question of which ones would (or would be qualified to) trade their existence as volunteer contributors for hired hands was not entirely clear. In addition, Thomas’ investors were already leery of Rapid7’s bi-coastal nature. With headquarters in Boston and an office in Los Angeles, would it work to have Moore in Texas and his team in Iowa, in Colorado, in wherever? If Thomas got things just right, perhaps the acquisition might allow Rapid7 to retain access and goodwill among the Metasploit community. “In a quickly evolving market like pen testing, access to that community is invaluable for a commercial vendor,” wrote one tech blogger.46 The acquisition perhaps created the potential to attract more unpaid contributors, if parts of Metasploit stayed open source, and the community could serve as a pipeline of potential paid employees. But things could swing the other way, too. Beardsley articulated the concerns of the Metasploit community: “If Rapid7 was going to fund (and therefore, control) the development of the Metasploit Framework, why would anyone contribute to it anymore? Why give away work product for free when Rapid7 is just going to turn around and sell it.”47 Thomas also had to get his own sales team to buy in to the new product offerings. He left that for another day, but had the strong sense that the existing group didn’t want to take the quota for a new Metasploit commercial product. They seemed to be enthusiastic about the pop the company could get from the news, but didn’t want to be held to account for selling beyond what they already were. 
Thomas, who would be in charge of integrating the acquisition if it happened and essentially product managing Metasploit, had come to like Moore. He saw him as “very fast, very smart, hyper analytical.” He also knew that Moore and his collaborators saw themselves as true-believers and even as “crusaders.” Thomas would have to find a way to make Moore feel at home at Rapid7.
Hot Rods and Hackers?
As Thomas and Nye prepared for Moore, the rest of the Rapid7 leadership were well aware of the stakes. A successful acquisition and post-acquisition integration would provide lead-generation for Rapid7, enhance the suite of products they had for current customers, enlarge (if not enhance) their own reputation with a brand that was better known than their own, bring a top-notch security engineer in-house, take on a greater breadth of vulnerability management functions, and position the company squarely in the exploit management space. Moreover, “HD Moore and the whole Metasploit approach would allow us to get insight into the attacker mentality,” Tuchen felt. At the same time, he noted the risks: “75% of acquisitions or more fail. We looked at that and said ‘What are the odds we can make this one successful?’” Thomas also noted the extent of the leap they would be taking, but felt that was to be expected given the company’s ambitious goals. “If you want to become relevant overnight, it’s not a risk-free transaction,” he said.
Thomas entered the meeting with Moore with all this on his mind and more. At the final steps of a negotiation, a score of other issues arise. Thomas thought of these “edge cases” as the things that break agreements, but the details that “a good contract should address.” “Termination clauses, if things don’t perform well, if investments aren’t made, etc.” he said, “how do you deal with the unexpected?”
Thomas, who had a great deal of confidence in his negotiation skills, maintained that any deal that was worth doing must involve a degree of compromise. “If both parties want a 10, acquirers should get between a 6 and 7. They shouldn’t get an 8 or a 9. That means the seller only gets 1 or 2. I don’t want to buy a company that will take a 1 or 2.” In the terms he had prepared, would Rapid7 find its fair share? Would Moore see, and get, his?
| Segment | Market size | Growth (CAGR) | Leading vendors | Threats addressed | Delivery form | Notes |
|---|---|---|---|---|---|---|
| | 2008: $2.2 billion | 2006 to 2012 CAGR: | Cisco, Juniper, Check Point, Fortinet | Port scanning, securing virtual access to networks, data encryption, blocking unauthorized access | | Front-line defense for network; hardened operating system/appliance; monitors traffic inbound and outbound; blocks unauthorized ports. |
| | 2008: $1.8 billion | 2006 to 2012 CAGR: 11.5% | | Detect unauthorized network or resource access; detect suspicious behavior. | | Monitors network traffic for suspicious behavior; use of heuristics to detect unauthorized access; advanced systems will automatically shut down intruder access. |
| | 2008: $1.9 billion | 2005 to 2013 CAGR: 15.1% | Websense, Trend Micro, McAfee | Scan inbound and outbound e-mail and Web content for malicious content. Filter Web access according to corporate policies. E-mail spam filtering. | Software, Appliance, Service | Designed to reduce the amount of incoming spam and malicious content originating from e-mail and the Web onto corporate e-mail systems. Uses heuristics and blacklists to identify potentially malicious content and to filter Web sites. |
| Data Loss Prevention/ | 2008: $2.9 billion | 2008 to 2012 CAGR: 11.5% | Symantec, Trend Micro | Prevent external and internal users from accessing sensitive data. Auditing of access to data and automated systems to prevent dissemination of data through unauthorized channels. Includes full disk encryption solutions. | Software, Appliance, Service | Based on rule-based engines, Messaging and DLP systems are designed to prevent the leakage of data through intentional and inadvertent means. Sophisticated systems can stop print jobs, copying of data on to USB memory sticks, or outbound e-mailing of sensitive files. |
| Unified Threat Management | 2008: $1.7 billion | 2006 to 2012 CAGR: 23.6% | Fortinet, Cisco, Juniper, SonicWALL | Single appliance or software blade platform designed to provide multiple applications (IDS/IPS/firewall/VPN/messaging/content security). | | UTM consolidates a number of applications but creates a critical point of failure; potential bottleneck in the network where security processing is taking place; cheaper security solution for small office/remote office locations. |
| Endpoint Security Software | 2008: $6.4 billion | 2007 to 2012 CAGR: 11.7% | Symantec, McAfee, Trend Micro, Sophos | Detect and mitigate viruses, spyware, Trojans, and other malware at the endpoint. | | Anti-malware solutions are differentiated based on speed of response/update to new threats; accuracy in detecting threats; speed/performance degradation on the end-computer. |
| Security Information and Event Management | 2008: $0.7 billion | 2006 to 2012 CAGR: 25.5% | ArcSight, LogLogic, EMC, CA, Cisco | Log aggregation function coupled with event correlation engine and unified administration/patch management solutions. | | SIEM starts with basic log management capabilities designed to collect and aggregate logs from a variety of different security and enterprise sources. These logs are then subject to analysis through event correlation engines that sift through the raw data. |
| Identity and Access Management | 2008: $3.6 billion | 2007 to 2012 CAGR: 11.1% | IBM, CA, EMC, VeriSign, Oracle | Unauthorized account access; unauthorized resource access. | Software, Appliance, Services | Multi-factor authentication to provide stronger identity verification. Third-party SSL certification to confirm identity. Reputation monitoring for Web sites to notify consumers of threats. Network access control to monitor and restrict access to network resources. |
| Vulnerability/ Risk Management | 2008: $2.7 billion | 2006 to 2012 CAGR: 18.7% | IBM, Symantec, HP | Port scanning; operating system vulnerabilities; process weaknesses; compliance violations. | Software, Appliance, Services | Security auditing services used to identify and remediate risks and vulnerabilities for network- and end-point-based security. Identifies potential vulnerabilities in port management, operating systems, passwords, and user processes. |
| | 2008: $0.6 billion | 2008 to 2013 CAGR: 31.3% | Google, McAfee, Symantec, Barracuda, Scansafe | In-the-cloud services designed to prevent denial of service attacks, provide third-party e-mail/Web filtering, and vulnerability/risk assessment, among other services. | | Cloud services such as DNS management are focused on protecting access to Web sites through prevention of distributed denial of service attacks. Other services include third-party filtering of e-mail/Web content or provisioning of clean pipes that have been checked for viruses and Trojan horses. |
| Total market* | 2007: $42.5 billion | 2007 to 2012 CAGR: 14% | Symantec, Cisco, McAfee, IBM, Trend Micro, Check Point | All forms of cyber-security threats and compliance requirements | Software, Appliance, Service, Hybrid | Includes all cyber-security-related capabilities |
Source: Jonathan Ho, “Security Technology: The New Age of Cyber-Security,” William Blair & Company Equity Research, September 17, 2009. *The total market estimate from IDC includes segments such as broader IT security services revenue that fall outside the scope of this report.
Exhibit 2 Security and Vulnerability Management Software Vendor Share
Source: Jonathan Ho, “Security Technology: The New Age of Cyber-Security,” William Blair & Company Equity Research, September 17, 2009.
Exhibit 3 Rapid7 Founder Bios
Tas Giakouminakis
Tas Giakouminakis served as Rapid7’s Chief Technology Officer. Prior to founding Rapid7, Tas Giakouminakis helped form Percussion Software, where he led the development of Percussion’s first product. He has also developed software in the security and risk areas for CitiCorp.
Chad Loder served as Rapid7’s Vice President of Engineering. Before he co-founded Rapid7, he was a Principal Developer at Percussion Software and has also held positions at both Cognex and IBM.
Alan Matthews served as Rapid7’s CEO prior to Tuchen, and chairman of the board of directors since July 2008. Previously, Alan was a consultant to the investment banking group at Merrill Lynch. He has also developed mortgage-backed securities software at First Boston, coordinated and operated a computer graphics lab at HBO/Time Warner, and served as a programmer and designer for the VM operating system at IBM in the United Kingdom.
Source: “Leadership,” Rapid7, https://www.rapid7.com/about/leadership, accessed November 2016. Munroe, Amanda, “Rapid7 Extends Executive Management Team with New and Existing Talent,” BusinessWire, September 1, 2009, http://www.businesswire.com/news/home/20090901005837/en/Rapid7-Extends-Executive-Management-Team-Existing-Talent, accessed November 2016.
Exhibit 4 Rapid7 Executive Team Bios
Corey Thomas, Vice President of Products and Operations
Prior to joining Rapid7 as Vice President of Marketing, Thomas’s previous positions included VP of Marketing at Parallels, Inc., a virtualization technology company, Group Project Manager of the Microsoft Server and Tools division, launching the worldwide availability of SQL Server 2005 and steering product planning for Microsoft’s data platform, and a consultant at Deloitte Consulting. Corey received a B.E. in electrical engineering and computer science from Vanderbilt University and an MBA from Harvard Business School.
Timothy O’Toole, CFO
Prior to joining Rapid7 as CFO in late 2008, O’Toole was the CFO of Burlington, Mass.-based Mzinga, and before that was VP of finance at BladeLogic, including during the firm’s IPO in 2007.
Mike Tuchen, CEO
Prior to joining Rapid7 as COO, Tuchen was the general manager of Microsoft’s SQL Server Marketing team, with which he led worldwide strategic planning and revenue-generating efforts, including product marketing, field programs, product planning and partner strategy. Tuchen has had two stints at Microsoft totaling nine years and in an expanding range of product development and marketing roles.
Source: Alspach, Kyle, “Dyn hires former Rapid7 CFO,” Boston Business Journal, December 5, 2013, http://www.bizjournals.com/boston/blog/techflash/2013/12/dyn-hires-former-rapid7-cfo.html, accessed November 2016. Bryant, Beth, “Rapid7 Expands Executive Team with Appointment of Tech Industry Veterans as President/COO and CFO,” BusinessWire, September 17, 2008, http://www.businesswire.com/news/home/20080917005650/en/Rapid7-Expands-Executive-Team-Appointment-Tech-Industry, accessed November 2016. “Leadership,” Rapid7, https://www.rapid7.com/about/leadership, accessed November 2016.
Exhibit 5 Metasploit License Timeline
– October, 2003: Metasploit 1.0 released
– April, 2004: Metasploit 2.x released under a Perl Artistic License; license was open, and allowed others to modify the code and release it as their own for commercial gain.
– November, 2006: Metasploit 3.0 released under a free-as-in-beer license after formation of Metasploit, LLC; core developers assigned their copyrights to Metasploit LLC; Metasploit LLC gave each developer a personal license to modify and commercialize the product if they chose
– October, 2008: Metasploit 3.2 released; project transitioned from free-as-in-beer to BSD license; BSD license ensured that core contributors would not lose access to their work if licenses were.