IPO: Rubrik - Last Line Of Defense (Pt.2)

Summary

• Rubrik's IPO marks the first cybersecurity vendor to go public in two years.
• In Part 2 we conduct a deep dive into Rubrik's competition, making comparisons vs. Commvault, Cohesity, Veeam, and cloud-native backup vendors.
• We also share a DCF valuation analysis.

How Did Rubrik Scale So Fast?

2014 to Pre-Pandemic

To have scaled to $600m+ of revenue in 10 years is no mean feat, though there has been a confluence of factors contributing to Rubrik's early success. The timing of Rubrik's founding was somewhat fortuitous, as Sinha created a security-first backup & recovery solution before knowing that ransomware was going to be the major catalyst for the company's growth.

The timing of Dell's acquisition of EMC, the largest market share vendor in the backup & recovery space, completed in September 2016, was also fortuitous, as VARs and SIs (Value Added Resellers & System Integrators) expected Dell (as they had taken on tons of debt to finance the M&A and needed to generate as much cash as possible) to sell EMC directly to customers, which compelled them to consider alternatives. This was just as Rubrik (RBRK) and Cohesity had really established PMF and began to press the GTM pedal. This gave Rubrik a substantial growth lever to further its name; however, it wasn't all luck, because Rubrik's better software enabled VARs and SIs to do relatively less hard work and thus increase their margins.

Credit for Rubrik's rapid growth should also be given to Sinha's approach to managing the PMF and GTM. Often a tech founder with an engineering background, like Sinha, can become excessively concerned with perfecting the PMF before willing to throw everything at the GTM motion. We've seen this at varying levels of company maturity with FSLY, HCP, ASAN, S, and OKTA, and startups such as Cohesity, and maybe Orca. Sinha, presumably thanks to his stint as a VC after working as an engineer at Oracle for 9 years, approached the development of his startup differently. Before he even had a MVP (Minimum Viable Product), he was recruiting a sales team and he managed to bring in $400k of orders. He also flipped the conventional startup GTM on its head by targeting the enterprise segment straight away, rather than the SMB market. Quite a daring approach, but it has paid off handsomely for him and Rubrik. And if this GTM-first approach is now deeply engrained in the company's DNA, then potentially we could see another success like CRWD or ZS.

To summarize, Rubrik's rapid scaling up until the pandemic has been attributed to ransomware, the changing landscape following the Dell/EMC merger, and Sinha's VC-influenced approach to developing a startup.

Pandemic to Present

The conditions of the pandemic elevated ransomware to a whole new level, as businesses globally shifted rapidly to remote work, significantly expanding their digital footprints and inadvertently their vulnerabilities. Cybercriminals seized the opportunity, launching sophisticated ransomware attacks that exploited weaknesses in security perimeters widened by this unprecedented transition. This ignited backup storage from something customers viewed as an inconvenience and a technology in which they only care about getting it at the cheapest price possible just so they can tick the compliance box, to something customers suddenly viewed as very important and hence were willing to pay more for better solutions. As a consequence, this lifted the market from commoditization to high innovation.

Amidst this surge in ransomware attacks, Rubrik effectively positioned itself by emphasizing its core marketing strategy centered around Data Resilience, Data Observability, and Data Recovery, as ultimately it is the data that the attackers are targeting. By focusing on these aspects, Rubrik aimed to assure potential customers of its robust capabilities in not just protecting data but also in providing clear insights into data health and ensuring rapid recovery from ransomware attacks.

Promoting data resilience is a particularly clever way to make you stand out amid the crowded cybersecurity landscape. By consistently sending the message of 'data resilience' to the cybersecurity market, Rubrik is implicitly stating that despite having a full arsenal of cybersecurity solutions, your organization is still going to get breached and become a victim, unless you have data resilience. And it is just a very different message to any other cybersecurity vendor who are touting prevention and detection/respond superiority, a lot of which are not entirely true promises, due to the reasons outlined in Part 1. And this is another difference versus Rubrik's claims, because Rubrik doesn't leave anything to chance by allowing its customers to set overly permissive rules and configurations etc.

Rubrik's cybersecurity strategy is firmly anchored in its Zero Trust Data Security framework, which focuses on minimizing administrative privileges and ensuring that all user configurations are stringently controlled to avoid overly permissive settings that could lead to security breaches. This approach, coupled with Role-Based Access Control (RBAC), significantly mitigates the risk of user errors and unauthorized access, by only granting permissions necessary for specific tasks. Rubrik's system employs predefined roles, such as Administrator and Read-Only Administrator, and allows for the creation of custom roles to meet the unique security needs of each organization. This role management supports the principle of least privilege, ensuring a secure and efficient environment.

Moreover, Rubrik's immutable storage design ensures that once data is written to the system, it cannot be altered or deleted, providing a safeguard against ransomware and other malicious attacks. This capability ensures that a clean, unmodified copy of data is always available for recovery, thus enhancing an enterprise's ability to rapidly bounce back after an incident. Rubrik's focus on resilience not only helps in thwarting attacks but also minimizes the downtime and operational impact, thereby supporting continuous business operations even in the face of security threats. This combination of strict role enforcement and immutable data storage forms the backbone of Rubrik's commitment to securing data and maintaining high recovery capabilities, and could be viewed as a real promise whereas many other vendors, even BoB, can't make this promise, not due to their ability to detect and stop threats, but due to the discretion operators are given when using them.

Competition

Overall, Rubrik has a number of direct and indirect competitors in the data backup space. Its most direct competitor is Cohesity as the two got started at a similar time with similar architectural innovation. For both legacy and cutting-edge cloud-native workloads, Rubrik also has competition from legacy vendors and cloud-native players. Furthermore, as Rubrik is targeting data protection and governance of primary production storage, its competitors in DLP and DSPM are vendors like Netskope, Wiz, PANW, AVGO, and others.

Generations of Backup Solutions

There are generally four generations of players. Gen 1 and 2 were born in the on-prem, pre-virtualization world, Gen 3 was born in the virtualization and early cloud era, and Gen 4 was born in the post-cloud world.

• Gen 1 players are DELL (EMC), IBM, and others, who are the earliest and oldest backup solution providers, started in the mainframe era when software was tightly coupled with hardware and backup solutions were provided as a natural extension of these vendors' storage solutions.
• Gen 2 players are the likes of Commvault (CVLT), Veritas, and others who emerged with a greater emphasis on backup functions for managing backup storage. These vendors developed backup software that could be run on different OEM hardware. However, similar to Gen 1 players, if you want to add more capacity and performance, you need to scale up, meaning the enterprise would need to buy a bigger box or upgrade the existing one. Due to the fragmentation and close-ended nature of enterprise IT solutions back then, these backup players had to develop complex data collection, formatting, and compression techniques to deliver an efficient backup system that can operate with many disparate systems.
• Gen 3 players are Cohesity, Rubrik, Veeam, and a few others. These providers often have scale-out software that can run backup jobs in distributed nodes, and if you need more capacity and performance, instead of turning off your existing backup appliance and upgrading it with a larger and more powerful one, you can simply add a new box and scale the system. These vendors typically support newer infrastructure like VMware virtualized environments, whereby the underlying infra is highly streamlined, or ORCL and MSFT's latest SQL databases. Because they don't need to support legacy IT infra, they can focus on performance, cost-effectiveness, and agility. For instance, these vendors can save data in their native form instead of transforming different sources of data backup into one vendor's proprietary format. By storing in native format, they can deliver way faster recovery because they don't need to go through the reverse transformation like Gen 2 players need to. Gen 3 players also support simple infrastructure backup for the cloud, and they can also support hybrid backup very well due to the era they got started in.
• Additionally, Gen 3 players are simply more modern in that they are easier to deploy, maintain, and upgrade. Gen 1 and 2 players often require the customer to have a team of 10 or more experts trained in their solutions, and be highly knowledgeable about how the system works. Gen 3 players typically require very little learning curve and less headcount required to run the solution. And Gen 3 solutions typically have consolidated dashboards, more automated features, and ease of use, which includes a scale-out as opposed to scale-up architecture.
• Gen 4 players started after the cloud matured and became more mainstream. Leading providers are Druva, Clumio, and AWS Backup. These players are 100% cloud-native, which gives them more room and runway for further innovation, but it also constrains their ability to cater to hybrid cloud customers and increases the costs by going through hyperscalers who need to charge 65%-75% gross margin for their IaaS. Although Gen 3 players also have good cloud backup, they are not 100% focused and they need to make sure their cloud backup and on-prem backup have more consistency and compatibility. This limits their ability to fully leverage the cloud-native features as they need to architect the system with the lowest common denominator. Gen 4 players remain a very small part of the market, and we expect them to continue slow and gradual adoption in near-to-intermediate-term future.