[Updated 9/21/18, 11:13 am. See below.] Rapid7 says it has acquired Komand, a small deal between two Boston companies that nevertheless fits into bigger trends in cybersecurity.
The acquisition price wasn’t disclosed in the initial deal announcement. Rapid7 (NASDAQ: [[ticker:RPD]]) later revealed it paid $14.8 million in cash, plus it offered potential payments of up to $5 million for hitting certain milestones and it doled out 295,600 shares of restricted Rapid7 stock, worth an aggregate of $5.3 million, to certain Komand employees, according to a document filed with the SEC and a company statement e-mailed to Xconomy. [Added updated deal terms. An earlier version of this story pegged the total compensation package at roughly $50 million, based on an Xconomy source’s knowledge.—Eds.]
Rapid7 says in a press release that Komand is not expected to have a “material financial impact” on its revenue or earnings per share this year. Komand’s 16 employees have joined Rapid7, according to an e-mailed statement attributed to Jeff Bray, Rapid7’s vice president of investor relations.
Komand, which provides software tools for automating security tasks, was founded in late 2015 by Jen Andre (pictured above). She previously co-founded local cybersecurity firm Threat Stack.
Komand raised $1.6 million from investors, says Andre, the company’s CEO. Those backers include Hack Secure—a cybersecurity investment syndicate managed by the venture firm Accomplice—and Stone Hammer Capital, according to Komand’s website. Hack Secure’s initial members included Rapid7 CEO Corey Thomas, Fortune reported last year.
When asked why Komand decided to sell this early, Andre says the company had “a lot of options” to raise additional capital, but the Rapid7 acquisition was the most attractive offer. The two companies align on product strategy and company culture, she says. She declined to share Komand’s revenue figures or how many customers it has.
“I don’t think any startup can really plan for an acquisition,” Andre says. “We weighed our options against the compelling offer by Rapid7 and it just made sense.”
Komand’s software aims to automate monotonous tasks for security teams and seamlessly connect their various tools with a library of software plugins offered by Komand. The idea is to make security teams more efficient so they can focus on quickly and effectively responding to cyber threats, while also freeing them up to spend more time on strategy and other big-picture activities. The company also launched an online community for cybersecurity professionals to share best practices and collaborate more.
Andre was a security analyst early in her career, and she says she was surprised that much of the work around detecting and responding to threats was so tedious and manual. Fast forward more than a decade, and that’s still the case for many security teams. At times, the problem is even worse now because security products and IT systems have grown more complex, she says.
“It’s very difficult for a security team to deal with and respond,” Andre says.
Komand markets itself as a “security orchestration and automation” company. Similar firms include New York-based Siemplify and Boston-based Hexadite, which was recently acquired by Microsoft. Since early 2016, other purchases of Boston-area cybersecurity-related companies include IBM Security’s acquisition of Resilient Systems, Cisco System’s acquisition of CloudLock, CA Technologies’ acquisition of Veracode, and HyTrust’s acquisition of DataGravity.
The 17-year-old Rapid7 has been mostly known for selling software that helps organizations find security flaws in their IT infrastructure and check whether they’ve been corrected. In recent years, the company has added more capabilities in data analytics, attack detection and response, and services to help large enterprises manage their security programs.
The Komand deal expands Rapid7’s offerings, says chief product officer Lee Weiner. For example, when Rapid7’s software finds a vulnerability in a client’s system, patching it currently involves a manual process, Weiner says. With Komand’s software, the flaw could be fixed automatically, he says. That means it should take fewer resources and less time for organizations to address security issues.
The addition of Komand fits into Rapid7’s efforts to simplify security for its customers. The goal is to lighten the burden on security teams dealing with the industry’s shortage of skilled workers.
“Security and IT solutions have to evolve to include context-driven automation [and] effective orchestration, to automate a lot of the things today that are manual,” Weiner says. “Solving this problem of security analytics and really addressing the broader IT and security needs can’t be done by humans alone.”