grepcent / static financial knowledge base

Rapid7, Inc. (RPD) Business

Verbatim Item 1 Business section from Rapid7, Inc.'s latest 10-K. Filing date: 2026-02-19. Accession: 0001560327-26-000008.

This page reproduces the company's own Item 1 Business text from the linked SEC filing. It is filer text, not grepcent analysis, scoring, or investment advice.

Extracted from Item 1 Business to the first Item 1A/1B/1C/2 boundary after HTML sanitization. Confidence: high. Source form: 10-K. Character span: 39912-81133.

Item 1. Business

Overview

Rapid7 is a global cybersecurity operations software and service provider on a mission to create a safer digital world by making cybersecurity simpler and more accessible. For twenty-five years, Rapid7 has partnered with customers across the globe representing a diverse range of industries and sizes to improve the efficacy and productivity of their security operations (“SecOps”). In today's rapidly evolving IT environment, customers are encountering escalating challenges due to the widening spectrum of attackers and techniques, including the proliferation of cyberattacks leveraging AI. We empower security professionals to manage a modern attack surface through our best-in-class AI-driven technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions, including our market-leading managed detection and response ("MDR") services, next-gen security information and event management ("SIEM"), and exposure management help our global customers unify exposure management with threat detection and response to prioritize and reduce material risk, and eliminate threats with greater speed, precision, and consistency.

We believe that Rapid7 is poised to expand the capabilities of today's SecOps teams through our integrated, open data security operations platform which is powered by our AI enabled detection and response, automation, and exposure management capabilities. Rapid7 enables the Security Operations Center (“SOC”) to understand their fragmented attack surface through an attacker's perspective, thereby allowing them to proactively reduce exposures and better detect and respond to threats. Enriched by years of industry-leading risk research and managed services expertise, our integrated AI-driven platform replaces reactive security with a preemptive, risk-aware approach that reduces attack surfaces and enables faster, more confident response through contextually rich insights and deep operational visibility.

In recent years, security leaders have increasingly prioritized consolidating fragmented point products into unified security operations platforms to improve visibility, operational efficiency, and risk outcomes. In 2022, Gartner reported that approximately 75% of organizations were pursuing security vendor consolidation as part of their SecOps strategies. This shift reflects mounting challenges associated with managing expanding attack surfaces, disconnected exposure data, escalating alert volume, and the need to continuously prioritize and respond to risk across complex environments. As a result, customers are seeking platforms that unify exposure management with threat detection and response, enabling them to identify where they are most vulnerable, anticipate how attackers may exploit those exposures, and respond with speed and precision. At the same time, customers are increasingly relying on MDR and adjacent managed services to deliver continuous expertise, higher-fidelity detection, and faster response outcomes that extend and augment internal SOC teams. In this context, organizations are prioritizing open, integrated security operations platforms that pair technology with expertise to deliver risk-aware detection and response across on-premise, cloud, identity, and external attack surfaces. We have been an active participant in advancing this shift toward consolidated SecOps by innovating across our open platform architecture, strengthening our exposure management and AI-driven SOC capabilities, and expanding our managed services portfolio. As we continue to execute on our SecOps consolidation strategy, we are advancing innovation across our core platform capabilities and managed services to accelerate customer value and deliver a frictionless, integrated security operations experience.

As the threat landscape continues to grow in complexity, customers are demonstrating demand for integrated expertise to support them in effectively managing their security technologies. The convergence of these key trends – security consolidation, AI-enabled SOC capabilities, integrated cloud security, and expertise driven outcomes – forms the foundation of what our customers require for the modern SOC. Our focus is to be the leading provider of integrated, AI-driven security solutions infused with human expertise for the modern SOC by providing risk-aware detection and response that outpaces attackers and strengthens security program maturity.

As of December 31, 2025, we had more than 11,500 global customers that rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organizations.

Revenue has increased from $535.4 million in 2021 to $859.8 million in 2025, representing a 13% compound annual growth rate.

In 2025, 2024 and 2023 recurring revenue, defined as revenue from term software licenses, content subscriptions, managed services, cloud-based subscriptions and maintenance and support, was 96%, 96% and 95%, respectively, of total revenue. We achieved net income of $23.4 million and $25.5 million in 2025 and 2024, respectively, and incurred a net loss of $152.8 million in 2023, as we continued to invest for long-term growth.

Our Platform

Rapid7’s Command Platform is a unified threat exposure, detection and response platform that allows SecOps teams to integrate their critical security data by providing a unified view of vulnerabilities, exposures, and threats from endpoint to cloud to close security gaps and prevent attacks. By integrating native cloud, on premises and security monitoring data and correlating it with an organization’s ecosystem of third-party security, cloud, IT and business data, the Command Platform provides actionable visibility into a customer’s attack surface that has long been elusive. By providing the means to confidently discover, identify, prioritize and remediate exposures, detect threats, and respond effectively, the fully-integrated, AI-driven platform gives SecOps teams greater visibility they can trust.

Our Command Platform is delivered via integrated technology, managed services, threat intelligence, and threat-aware risk context, enabling us to anticipate, detect, and promptly respond to threats once identified. The platform was built using our extensive experience in collecting and analyzing data from diverse sources, including multi-cloud platforms, applications, endpoints and networks, and thus enables our customers to create and manage analytics-driven cybersecurity risk management programs. By utilizing our powerful proprietary analytics to assess and understand the context and relationships related to users, IT assets and cyber threats within a customer’s environment, our solutions make it faster and easier for teams to identify and remediate vulnerabilities, monitor for misconfigurations and malicious behavior, investigate and shutdown attacks, and automate operations.

Endpoint to Cloud Data Collection and Sharing

In response to our customers’ expanding digital footprints, we have invested in our capacity to gather, standardize, enrich, and correlate diverse telemetry within our platform. Our cloud architecture utilizes a combination of native collection technologies and application programming interfaces as well as third-party event sources, to scale in alignment with the digital transformation occurring within our customers’ organizations.

•Rapid7 Agent: Our universal endpoint agent, the R7 Agent, is a lightweight, software-based agent which can be installed on assets across on-premises and cloud environments to centralize and monitor data on our platform. This single agent enables a number of impactful use cases across the platform, including next-generation antivirus (“NGAV”), vulnerability scanning, endpoint detections, investigation and forensic search capabilities, and threat containment.

•Rapid7 Network Sensor: Our lightweight Network Sensor passively analyzes raw end-to-end network traffic to increase visibility into user activity, pinpoint real threats, and accelerate investigations with granular detail of attacker movement.

•Rapid7 Cloud Event Data Harvesting: Given the scale, complexity, and rapid evolution of modern dynamic cloud environments, real-time detection of risks and threats is paramount. Our event-driven harvesting offers visibility into changes made to vital cloud resources.

•Third-Party Integrations and Ecosystem: We have integrations for hundreds of different technologies and solutions to deliver visibility across a customer’s attack surface customized to their unique ecosystem.

•Orchestration and Automation: The connective tissue of our platform is our ability to orchestrate workflows across both our solutions and the customers’ wider security ecosystem. This connectivity enables our customers to focus on security outcomes, rather than systems integrations, and accelerates both tasks associated with the normal course of business, as well as time-sensitive containment and remediation activities to minimize exposure and eliminate threats.

Our Offerings

Offerings are consumed via our platform and delivered as either Software-as-a-Service (“SaaS”) solutions, managed services or professional services. Customers can consume consolidated software and/or managed service offerings that combine leading capabilities and lean into vendor consolidation to maximize security budgets.

Detection and Response

•Managed Threat Complete (“MTC”) is our flagship offering and unifies our leading detection and response behind MDR and the robust exposure management of Managed Vulnerability Management (“MVM”) delivered via a shared agent to prevent attacks across the kill chain, pinpoint advanced threats wherever they are, and respond confidently with unlimited incident response from an always-on MDR. Customers are also able to add NGAV which delivers high-fidelity prevention against both known static threats and suspicious behavior before they execute, or Managed Digital Risk Protection (“MDRP”), which searches for potential threats from stolen or leaked data and phishing attempts. MDR delivers end-to-end threat detection and response, encompassing 24x7 monitoring for incident containment and breach response. Rapid7's MDR service is designed to meet the speed and scale of modern cyber attacks by leveraging
the Rapid7 AI Engine to deliver on the promise of the AI-SOC. With AI-automated alert triage that reduces false positives by up to 99.93% accuracy, agentic AI workflows to drive incident investigation, and AI-driven threat detection and advanced behavior analytics, our customers can take advantage of the latest innovation, while ensuring that the right guardrails are in place with our Transparency, AI trust, risk and security management ("TRiSM") framework.

•Incident Command is our new next-generation SIEM and Extended Detection and Response (“XDR”) solution that integrates threat intelligence, attack surface management and Security Orchestration, Automation and Response ("SOAR") to deliver complete visibility into our customers' attack surface and threats. Incident Command leverages the AI-based detection and agentic AI capabilities developed and tested in our managed SOC to triage and investigate threats and ensure fast, accurate response. Incident Command provides high fidelity detections that eliminate alert noise to pinpoint incidents and accelerate response with expert recommendations and automation.

•Incident Response Services are proactive and responsive professional services to help customers prepare and respond to potential breaches.

•Threat Intelligence on the Rapid7 Command Platform is provided by Intelligence Hub, which delivers curated, high-confidence threat intelligence directly within the Rapid7 platform. It consolidates global threat data, adds context on actors and exploited vulnerabilities, and integrates with Incident Command and Exposure Command. By reducing noise and highlighting relevant, verified threats, it helps teams detect and respond faster with greater confidence. Additional threat intelligence offerings to support open, deep and dark web sources for leaks, impersonation, and emerging attacker activity are also available to meet our customers' needs for digital risk protection.

•Managed Digital Risk Protection ("MDRP") gives customers expert monitoring across the clear web, deep web, and dark web to spot the earliest signals of a targeted attack. Analysts act as an extension of the customer's team—identifying real threat indicators, confirming ransomware leakage, and rapidly executing takedowns—minimizing exposure and preventing breaches before they escalate.

•Vector Command is a continuous red-teaming and exposure validation service that validates the external attack surface exposures and tests defenses with continuous red team operations to provide trusted insights into the exposures that matter. An additional package that supports compliance-driven internal penetration and segmentation testing is also available as Vector Command Advanced.

Exposure Management

•Surface Command is the most accessible Attack Surface Management (“ASM”) solution in the market, providing customers with a 360° attack surface view by integrating both the external attacker's perspective using External Attack Surface Management ("EASM") scanning together with critical insights into security posture and business context from internal assets with Cyber Asset Attack Surface Management ("CAASM"). This gives our customers the ability to detect and prioritize security issues from endpoint to cloud. Surface Command also supports exposure prioritization with our active risk prioritization, full stack automation and Remediation Hub, our centralized capability to drive prioritization and remediation across customer organizations.

•Exposure Command is an exposure management offering that provides complete attack surface visibility with proactive exposure mitigation and remediation prioritization optimized for hybrid environments. The solution is available in different packages. Exposure Command Essentials provides complete attack surface management and on-premises vulnerability management. Customers with advanced cloud security use cases can purchase Exposure Command Advanced or Ultimate to provide strong security for workloads leveraging real-time visibility, identity analysis, and automated remediation. The code-to-cloud protection also includes continuous web-app scanning and expanded risk coverage.

•Rapid7 Cloud Security is a cloud risk and compliance management solution that provides Cloud-Native Application Protection Platform (“CNAPP”) capabilities and enables organizations to securely accelerate cloud adoption with continuous security and compliance throughout the entire software development lifecycle.

•Rapid7 Vulnerability Management is a Vulnerability Management (“VM”) solution that provides visibility across on-premise and remote endpoints, enabling security teams to evaluate the business risk of vulnerabilities and configurations and share with their IT counterparts for remediation.

Other Capabilities and Services

•Rapid7 Application Security is a Dynamic Application Security Testing (“DAST”) tool, delivered via the cloud, that combines powerful application crawling and attack capabilities, flexibility in scan and scheduling, and accuracy in results with a modern user interface, intuitive workflows, and sensible data organization.

•Managed Vulnerability Management offloads day-to-day VM operations to experts and extends coverage across the attack surface.

•Managed Application Security ("MAS") provides guidance from a dedicated security advisor and AppSec experts to validate application test results, reduce noise for the AppSec team assessing results, and save time for developers remediating issues.

•Penetration Testing is professional services that assess the modern attack surface for exposures with offerings covering internal and external networks, web applications, mobile applications, Internet of Things, wireless network testing, social engineering and red team attack simulation.

Our platform products are available globally and reduce the need for customers to manage a large, complex, data infrastructure. Customers can add expertise via our managed services delivered out of our SOCs located in the U.S., Ireland, India, Australia and the Czech Republic. Each of these SOCs is staffed with security analysts, threat engineers, incident responders and customer advisors that provide full-lifecycle support for our global managed services customers.

Our Growth Strategy

Our goal is to help customers command their attack surface by helping them anticipate, pinpoint, and act on exposure-led threats from endpoint to the cloud. The main drivers of our growth strategy are:

•Continued investments in product development: We intend to continue to invest in our product development to enhance our platform and deliver additional features to meet customer demand and grow our addressable markets.

•Grow our customer base: We believe we have a strong opportunity to address the security needs of resource constrained organizations of any size. We intend to continue investing in our sales and marketing efforts and foster the growth of our channel relationships to enable acquisition of these customers.

•Upsell and cross-sell to our existing customer base: We see significant opportunities to deepen our relationship with our existing customers. With a strong focus on customer experience, satisfaction, and the value proposition of our platform, we intend to expand customers' usage of products they own (upsell) and help them adopt additional products (cross-sell). Our platform consolidation offerings are helping our customers maximize their budgets and giving them command of their attack surface, becoming our most dominant customer acquisition and expansion motions.

•Expand our partner ecosystem

•Strategic Partnerships: By expanding our strategic technology partnerships, we enable our customers to succeed with our technology and platform in their ecosystem and deliver more value from their security operations program. Recent technology alliances that drive this experience include ServiceNow, Microsoft, AWS, GCP and Palo Alto Networks.

•Channel Partners: We maintain a global channel partner network that complements our sales organization. We have established strong co-sell relationships with strategic channel partners, who provide additional leverage through customer acquisition, deal execution and providing value in securing renewals. We are focused on expanding our public cloud marketplace motion to support our customers’ move to those models. We will continue to invest in partner models that enable us to create long term customer value.

•Managed Security Service Providers (“MSSPs”): Our platform products enable MSSPs to expand existing services to include detection and response (XDR/SIEM/MDR), vulnerability management, cloud security, threat intelligence, and application security. These relationships also allow us to leverage MSSP expertise to further expand our customer outreach.

•Strengthen our customer renewal rate: We intend to continue to drive customer satisfaction and renewals by offering professional services, support, and strong investments in customer success functions. Our customer success teams provide expertise to help our customers realize exceptional value and improve their security outcomes, leading to higher customer satisfaction.

•International expansion: We continue to make investments to expand our international presence. These include investments in infrastructure, sales and marketing, and strategic partnerships.

•Strategic M&A: We have and may continue to make acquisitions that enhance the value of our Command Platform and bolster our ability to solve emerging customer challenges, allowing us to deliver on the vision of becoming the SecOps leader.

Research & Development

We also invest substantial resources in research and development to enhance our core technology platform and products, develop new end market-specific solutions and applications, and conduct product and quality assurance testing. We partner with leading universities near our key centers to propel research and innovation and build a talent pipeline. We employ product, engineering and research professionals with a diverse skill set that includes data collection and analytics, AI, SaaS delivery, cloud-native development, and deep security expertise, and research capabilities.

Our experienced research team regularly reviews trending insights from our Platform and broader open source community to prepare industry reports and resources. This includes regular threat reports, common vulnerabilities and exposures, and skunkworks research to spotlight specific security concerns. This focus and intentionality around understanding the attacker mindset is a big part of our Rapid7 culture and is infused into our product development and engineering ethos.

Our research and development teams are located in Boston, Massachusetts; Austin, Texas; Arlington, Virginia; Dublin and Galway, Ireland; Belfast, Northern Ireland; Tel Aviv, Israel; Prague, Czech Republic; and Pune, India providing us with exposure to worldwide engineering talent.

Rapid7 Labs: Open Source Community

Our industry-leading attack experts analyze vulnerabilities, misconfigurations, and threat data that includes tracking threat groups, to offer proactive guidance for organizations’ security programs. Leveraging threat intelligence from multiple sources including our free and open-source projects, we continuously enhance the detection stack for our products and services to improve the customer experience. Our open source projects that serve the community and enrich our offerings are:

•Metasploit: Our Metasploit framework has an active community of contributors and users, including security researchers who contribute modules to the Metasploit Framework that serve as a resource about real-world attacker techniques. The Metasploit community also provides us with visibility into the methods deployed by threat actors giving us a unique insight into the threat landscape.

•Velociraptor: Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It provides users with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches. It is also the foundation for threat hunting for many organizations globally.

•AttackerKB: The AttackerKB was created in 2020 as a forum for the security community to discuss, analyze, and prioritize threats associated with the exploitation of vulnerabilities. This community-driven platform empowers security professionals to exchange information about vulnerabilities so they can better understand the impact and likelihood of being exploited.

•Project Lorelei: Project Lorelei began in 2014 to understand what attackers, researchers, and organizations are doing in, across, and against cloud environments and gain deeper insights into the tactics, techniques, and procedures employed by both bots and human attackers. Having gone through significant evolution, Lorelei provides a unique insight into new tactics being deployed by threat actors.

•Project Sonar: We conduct internet-wide scans across many services and protocols to gain insight into global exposures and vulnerabilities and collect data for platform analytics and preparation of core research reports.

Threat Intelligence and Detections Engineering

Rapid7’s threat content library leverages unique raw threat data from our open source communities, as well as expertly vetted third party intelligence, and insights from across our platform, to provide customers with a curated repository of detections and emergent threat coverage. With a combination of proprietary AI-driven detections and indicators of compromise mapped to the MITRE framework, our detection content spans both known and unknown threats across the threat life cycle. When analyzed against the diverse telemetry data, this content enables us to pinpoint threats across endpoints, network, users, cloud, and customers’ wider ecosystem. This library is leveraged by our Rapid7 MDR services as well as within our SIEM technology, meaning alerts are vetted in the field by our security experts, offering a feedback loop and ensuring strong signal-to-noise alerting.

Professional Services

Our professional services offerings include, but are not limited to: Penetration Testing, Cybersecurity Maturity Assessments, Security & Incident Response Program Development Services, Internet of Things & Internet Embedded Device testing as well as Threat Modeling, TableTop Exercises and Incident Response services. In addition, we offer deployment and training services related to our platform, to further help customers operationalize and customize their platform experience. By accessing our
security talent, we help organizations develop an approach and road map to further mature and strengthen their security programs.

Our Customers

As of December 31, 2025, we had more than 11,500 customers in 150 countries, including 36% of the organizations in the Fortune 100. We define a customer as any entity that has an active Rapid7 recurring revenue contract as of the specified measurement date, excluding InsightOps and Logentries only customers with a contract value of less than $2,400 per year.

Our customers span a wide variety of industries including technology, energy, financial services, healthcare and life sciences, manufacturing, media and entertainment, retail, education, real estate, transportation, government and professional services, with customers in the services industry representing our largest industry in 2025 at 18% of our revenue. In 2025, 39% of our revenue was generated from enterprises, which we define as organizations that have either annual revenue greater than $1.0 billion or more than 2,500 employees, and the balance was generated from middle-market and small organizations.

Our revenue is not concentrated with any individual customer, and no customer represented more than 1% of our revenue in 2025, 2024 or 2023.

Our Competition

The markets we operate in are highly competitive, fragmented, and subject to technology change and innovation. We primarily compete with established and emerging security product vendors, including the following:

•large companies that incorporate security products into their products;

•security platform providers;

•managed detection and response service providers;

•XDR and SIEM vendors;

•cloud security vendors;

•exposure management vendors;

•vulnerability risk management vendors;

•application security vendors;

•threat intelligence vendors; and

•legacy security, systems management, MSSPs, and other IT vendors.

We compete on the basis of a number of factors, including:

•product functionality;

•breadth of offerings;

•depth and expertise of our security service providers;

•performance;

•brand name, reputation and customer satisfaction;

•ease of implementation, use and maintenance;

•total cost of ownership; and

•scalability, reliability and security.

Some of our competitors have greater sales, marketing and financial resources, more extensive geographic presence or greater brand awareness than we do. We may face future competition in our markets from other large, established companies, as well as from emerging companies. In addition, we expect that there is likely to be continued consolidation in our industry that could lead to increased price competition and other forms of competition. With the introduction of new technologies, the evolution of our offerings and new market entrants, we expect competition to intensify in the future. Conditions in our market could change rapidly and significantly as a result of technological advancements, including with respect to AI. Our competitors may more successfully incorporate AI into their products, gain or leverage superior access to certain AI technologies, and achieve higher market acceptance of their AI solutions. For further discussion of the risks related to AI, please see below under “Risks Related to Intellectual Property, Litigation and Government Regulation."

Government Regulations

We are subject to various federal, state and international laws and regulations that affect our business, including those relating to the privacy and security of customer and employee personal information and export or import of our products to certain countries, governments or entities. Additional laws in all of these areas are likely to be passed in the future, which could result in significant limitations on or changes to the ways in which we can collect, use, host, store or transmit the personal information and data of our customers or employees, communicate with our customers, and deliver products and services, which may significantly increase our compliance costs.

Intellectual Property

Our future success and competitive position depends in part on our ability to protect our intellectual property and proprietary technologies. To safeguard these rights, we rely on a combination of patents, trademarks, copyrights, trade secrets, employee and third-party nondisclosure agreements, licensing arrangements and other contractual protections to protect our intellectual property in the United States and other jurisdictions.

We have over three hundred issued patents and a number of registered and unregistered trademarks. The standard length of our patents is 20 years and while the grant dates of our patents vary, we believe that the duration of our issued patents is sufficient when considering the expected lives of our products. We file patent applications to protect our intellectual property and have a number of patent applications pending. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. Although we rely on intellectual property rights, including trade secrets, patents, copyrights and trademarks, as well as contractual protections to establish and protect our proprietary rights, we believe that factors such as the technological and creative skills of our personnel, creation of new modules, features and functionality, and frequent enhancements to our solutions are more essential to establishing and maintaining our technology leadership position.

We also license software from third parties for integration into our offerings, including open source software and other software available on commercially reasonable terms. We believe our continuing research and product development are not materially dependent on any single license or other agreement with a third party relating to the development of our products.

Human Capital

Rapid7 is creating a more secure digital future for all by helping organizations strengthen their security programs in the face of accelerating digital transformation. We do this by building a dynamic and collaborative workplace where new ideas are welcome. Multidimensional teams leverage their combined expertise and passion to innovate and drive impact. By providing programs that support employee wellbeing and quality of life, we’re cultivating an environment where people can build fulfilling careers while advancing Rapid7’s mission and business goals.

As of December 31, 2025, we had 2,613 full-time employees, including 382 in product and service delivery and support, 986 in sales and marketing, 888 in research and development and 357 in general and administrative. As of December 31, 2025, we had 1,180 full-time employees in the U.S. and 1,433 full-time employees internationally. None of our U.S. employees are covered by collective bargaining agreements. We believe our employee relations are good and we have not experienced any work stoppages.

Compensation, Benefits and Well-being

Our compensation program is designed to attract and reward talented individuals who possess the skills necessary to support our business objectives, assist in the achievement of our strategic goals and create long-term value for our stockholders and fit within our company culture. In addition to their base salary, eligible employees are compensated for their contributions to Rapid7’s goals with short-term incentives and long-term equity awards tied to the value of our stock price. We believe that a compensation program with both short-term and long-term awards provides fair and competitive compensation and aligns employee and stockholder interests, including by incentivizing business and individual performance (pay for performance), motivating based on long-term company performance and integrating compensation with our business plans. In addition to cash and equity compensation, we also offer employees a wide array of benefits such as life and health (medical, dental and vision) insurance, travel benefits, paid time off and retirement benefits for all eligible full-time employees. We also provide emotional well-being services through our Employee Assistance Program.

All high performing employees globally are eligible to receive equity under our 2015 Equity Incentive Plan (the “2015 Plan”). Additionally, all employees in the United States, United Kingdom, Ireland, Canada, Australia, Germany, the Czech Republic and Israel may participate in our Employee Stock Purchase Plan (“ESPP”). As of December 31, 2025, over 90% of our employees were eligible to participate in the ESPP. Under the ESPP, employees may set aside up to 15% of their gross earnings, on an after-tax basis, to purchase our common shares at a discounted price, which is calculated at 85% of the lesser of: (i) the market value of our common stock at the beginning of each offering period and (ii) the market value of our common stock on the applicable purchase date.

We have evolved to a hybrid-first model, in which our employees who are assigned to an office can divide their time between the office and home. We are often iterating our approach to ensure we are balancing the needs of the business with the desires of our people, but remain committed to our view that offices remain a vital environment for fostering mentorship, career development and collaboration. Additionally, we believe gathering in person allows our people to foster stronger relationships and trust, and helps to contribute to our great work culture, evidenced by Rapid7’s fourteen consecutive years of recognition as a Best Place to Work in Boston and achieving similar recognition in other locations where we operate. We build this culture, in part, through the feedback we receive from our employees through surveys as well as informal feedback channels throughout the year.

Talent Development

We believe in investing in the growth and development of all of our employees. “Never Done” is one of our core values, and our employees take advantage of a myriad of opportunities for continuous learning, both through internal training and development experiences, on-demand learning modules, and access to content-specific curriculum based on need and interest. We have designed and implemented learning experiences for our employees at every stage of their careers, including personalized leadership development experiences that build capabilities for both non-technical and technical leaders and managers at each stage of the leadership journey. These experiences align to our core values and promote the leadership skills and behaviors we believe are critical to the success of our mission, customers, and development of our people. As a supporter of internal career growth, we actively mentor and invest in the pipeline of our future leaders. Additionally, new employees engage in our global 90-day onboarding experience, which is intended to support the embodiment of our core values and shorten their time to create impact.

To supplement our internal learning experiences, as well as provide opportunities for independent study, employees have access to online education tools, including an online learning platform to build the necessary skills to grow and develop in one’s role. To further invest in the future of cybersecurity and to deliver on our company mission, we made available an online learning platform that accelerates learning across key roles in information technology, engineering, and data and analytics. These licenses prepare employees for certification exams and provide access to development environments. Additionally, employees have access to a platform that includes the most recent product training materials, as well as makes certification exams available at zero cost. Electronic certificates can be published to an employee’s LinkedIn professional profile, and the CPEs associated with the exam and learning materials help cybersecurity professionals maintain their minimum “continuing development” points for their professional certifications. Certifications include: Certified Information Systems Security Professional, Global Information Assurance Certification and Certified Professional Hacker. We believe our investment in these resources, along with flexible working environments, will support our employees in their pursuit of lifelong learning.

We believe we will positively impact the experience of our customers by focusing on the development and engagement of our employees.

Inclusion and Belonging

Fostering a culture that values the principles of inclusion and belonging is an essential and fundamental aspect of who we are. We strive to create an environment where every individual, regardless of their background, feels valued and empowered. Inclusion and belonging are key drivers of creativity and innovation. When teams embrace these drivers, they are able to make better business decisions, which ultimately drive better business outcomes.

We continue to cultivate a workplace where employees can work effectively across different backgrounds, perspectives, and regions. Our focus remains on building the skills and awareness needed to collaborate effectively in a global environment and communicate inclusively across differences.

Our commitment remains to invest in partnerships that align with our corporate values and advance our mission of building multidimensional teams reflective of the global population we support.

Community Involvement

We continue to give back to the communities where we live and work, and believe that this commitment aids our efforts to attract and retain exceptional employees. We partner with a variety of STEM and inclusion-focused programs to promote technology education for all. Beyond contributions of cash, we encourage employee volunteerism at all our locations.

In 2025, we executed our largest global give back campaign to date, Rapid7 Gives Back, engaging offices around the world in volunteer projects grounded in the needs of the communities where our employees live. Efforts ranged from community cleanup, support for organizations caring for the unhoused, food bank support, assistance for the elderly, neurodiversity education, and cyber upskilling initiatives.

During this time we have successfully launched funded research projects to train the next generation of threat hunters, and launched countless initiatives helping develop and nurture talent from a wide array of backgrounds.

Corporate Information

Our principal executive offices are located at 120 Causeway Street, Boston, Massachusetts. Our telephone number is +1 617-247-1717. Our website address is www.rapid7.com.

“Rapid7,” the Rapid7 logo, and other trademarks or service marks of Rapid7, Inc. appearing in this Annual Report on Form 10-K are the property of Rapid7, Inc. This Annual Report on Form 10-K contains additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or TM symbols. The information contained on our website or information that may be accessed through links on our website is not incorporated by reference into this Annual Report on Form 10-K. Our website address is included in this Annual Report on Form 10-K solely as an inactive textual reference.

Available Information

Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to these reports filed pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, as amended, are made available free of charge on or through our website at investors.rapid7.com as soon as reasonably practicable after such reports are filed with, or furnished to, the SEC.