Rubrik, Inc. (NYSE:RBRK) Q3 2025 Earnings Call Transcript December 5, 2024
Rubrik, Inc. beats earnings expectations. Reported EPS is $-0.21, expectations were $-0.4.
Operator: Good afternoon, everyone. Welcome to the Rubrik Third Quarter Fiscal Year 2025 Results Conference Call. At this time, all participants are in a listen-only mode. Later you will have the opportunity to ask questions during the question-and-answer session. [Operator Instructions] Also today’s call is being recorded. [Operator Instructions]. Now at this time, I’ll turn things over to Melissa Franchi, Vice President, Head of Investor Relations at Rubrik. Please go ahead, ma’am.
Melissa Franchi: Hello, everyone. Welcome to Rubrik’s third quarter fiscal year 2025 financial results conference call. On the call with me today are Bipul Sinha, CEO, Chairman and Co-Founder of Rubrik; and Kiran Choudary, Chief Financial Officer. Our earnings press release was issued today after the market closed and may be downloaded from the Investor Relations page at www. ir.rubric.com. Also on this page, you’ll be able to find a slide deck with financial highlights that, along with our earnings release, include a reconciliation of GAAP to non-GAAP financial results. These measures should not be considered in isolation from or as a substitute for financial information prepared in accordance with GAAP. During this call, we will make forward-looking statements including statements regarding our financial outlook for the fourth quarter and full fiscal year 2025, our expectations regarding market trends, our market position, opportunities, including with respect to Generative AI, growth strategy, product initiatives and expectations regarding those initiatives and our go-to-market motions.
These statements are early predictions that are based on what we believe today, and actual results may differ materially. These forward-looking statements are subject to risks and other factors that could affect our performance and financial results, which we discussed in detail in our filings with the SEC. Rubrik assumes no obligation to update any forward-looking statements we may make on today’s call. With that, I’ll hand the call over to Bipul.
Bipul Sinha: Thank you, Melissa, and thank you, everyone, for joining us today. Now let’s get started. Rubrik delivered another outstanding quarter. We not only achieved very strong growth at the scale, but also generated positive free cash flow. We are incredibly proud to have surpassed $1 billion in subscription ARR, growing 38% year-over-year. And we did this in just over 10 years since Rubrik was founded, a big milestone for us. This quarter, once again, we have exceeded all top line and profitability guided metrics. And more importantly, we are raising our outlook for the rest of the fiscal ’25. There are the five key numbers that highlight yet another positive quarter for Rubrik. First, and this is a record, we added $83 million in net new subscription ARR, a clear indication that we are winning the cyber resilience market.
Second, our subscription revenue was over $221 million, growing 55% year-over-year. Third, our subscription ARR remained strong above 120%. Fourth, customers with $100,000 or more in subscription ARR reached 2,085 growing 32% year-over-year. And finally, on profitability, we once again made material improvement in subscription ARR contribution margin, up 1,100 basis points year-over-year. On the cash generation front, we are very happy to report we had over $15 million in free cash flow this quarter. Once again, these results are only possible because Rubrik is winning the cyber resilience market. Now let’s look at why we are winning. Cyber Resilience is the number one topic in cybersecurity. There is a broad realization that cyberattacks and breaches are inevitable.
Q&A Session
Follow Rubrik Inc.
Follow Rubrik Inc.
And therefore, organizations have to be resilient against such attacks. Rubrik has a unique architecture and solution for cyber recovery and resilience. This is what is powering our growth and market momentum. Let me unpack this in three parts. Number one, Rubrik delivered the fastest cyber recovery for our customers. This is due to our unique AI-powered zero trust architecture. Number two, Rubrik Security Cloud, or RSC, offers a differentiated single platform for automated data management and security control across all workloads across enterprise, cloud and SaaS applications. And number three, we are the only vendor in the market that combines fast cyber recovery with data security posture management, or DSPM. We believe DSPM plus cyber recovery is the only way to deliver complete cyber resilience.
In summary, enterprises are turning to Rubrik as their trusted cyber resilience partner because we can confidently meet the cyber recovery time objective, or RTO. Let’s talk about how our focus on cyber resilience drove these strong results in the third quarter and how our investments in innovation are enabling us to deliver even greater value to our customers over the long run. At the outset, Rubrik built a unique zero-trust architecture that combines data and metadata from business applications. This architecture allows us to apply AI and machine learning directly to the business data to provide customers with the visibility into the scope of the attack, the time of infection, the sensitivity of the impacted data and the ability to do malware hunting and quarantine.
We deliver all these functionalities natively not with bolt-on security tools or third-party integrations. This differentiated architecture enables us to uniquely precalculate clean recovery points so that our customers can deliver the fastest cyber recovery times. This transforms cyber recovery from a long drawn affair with significant business disruption and loss through a simple and efficient recovery operations with minimal impact. This is why we continue to win the vast majority of deals in competitive situations. Let me give you a few examples. This quarter, a global engineering and construction service provider selected Rubrik to protect its entire data ecosystem, including SaaS data protection for Microsoft 365. This was driven by a board mandate seeking to consolidate multiple backup providers and improve cyber recovery times.
In a proof of concept with other new gen backup providers, Rubrik was the only vendor that beat the required RTO of less than 4 hours for their mission-critical applications. Another logo win was with a Fortune 20 health care company that selected Rubrik as their only cyber resilience partner. After a thorough evaluation, we were the only immutable cyber resilience provider that could meet the organization’s RTO, both on-premises as well as in the cloud. In addition, adoption of RSC Enterprise addition allows this customer to rip and replace six disparate new gen and legacy backup vendors while delivering superior cybersecurity functionality. And lastly, we had a win this quarter with Simpler, a health care technology company that provides access to systems critical to patient care across 5,000 hospitals and networks in the U.S. Rubrik was selected over other new gen and legacy backup vendors due to our strong cyber resilience and cybersecurity capabilities.
Simpler CEO remarked, quote downtime can be a matter of life and death in health care industry. Rubrik was the only vendor that met our security standards, met recovery objectives for our business and demonstrated a commitment to continued innovations to combat modern adversaries, unquote. We continue to drive innovation to expand the reach of Rubrik Security Cloud platform. We recently added Postgres SQL and Red Hat OpenShift virtualization to our growing portfolio of hybrid cloud workloads. This expands our wallet share within enterprises that are transforming their hybrid cloud solutions. Turning now to the success we are seeing in protecting public cloud and SaaS applications. Enterprises are adopting Rubrik cloud protection for our simplified policy management across multiple cloud and SaaS workloads, our fast recovery times and our ability to drive immediate cost savings.
As more businesses move more workloads to public cloud infrastructure and adopt SaaS applications. Rubrik cloud protection becomes an even more essential component of enterprise security stack. Let me highlight a few examples of new logos as well as expansion wins with cloud protection. This quarter, a pharmaceutical giant selected Rubrik to protect its AWS cloud data estate after evaluating multiple new gen and legacy backup providers. This customer consolidated disparate cloud-native and legacy backup deployments into Rubrik’s single platform. This resulted in a 35% total cost of ownership savings for the customer compared to the prior backup solution for AWS all while providing faster recovery times and superior cybersecurity features. Another new logo is an Indian multinational company that selected Rubrik Cloud native protection for the Azure environment in Q3.
This company simplified its vendor landscape with Rubrik, replacing multiple legacy and cloud-native backup providers. This drove 40% hard cost savings compared to their prior deployments. In a notable expansion deal, a top Japanese automaker selected Rubrik to put its large and critical M365 environment after evaluating Rubrik against a legacy backup provider. This customer selected Rubrik for our superior security features and ease of use for the IT and security teams. Now moving on to data security posture management, or DSPM. DSPM provides visibility into sensitive data exposure to minimize surface area of attack and the risk of data exfiltration. We are the only vendor in the market to offer DSPM plus cyber recovery in an integrated platform.
This allows us to deliver complete cyber resilience before, during and after an attack. Our complete cyber resilience value proposition is resonating with customers as demonstrated by growing volume of DSPM deals, which nearly doubled quarter-on-quarter in Q3. One example of a DSPM win, a large health care organization added DSPM and Rubrik Security Cloud enterprise addition for their enterprise workload to their existing Rubrik footprint, which was purchased just last quarter. This customer displaced an existing DSPM vendor with Rubrik Solutions as we offered superior capabilities around managing consumer data risk as well as the ability to deliver a fast recovery in case of a cyberattack. In addition, the adoption of AI applications such as M365 CoPilot brings an urgency to DSPM adoption.
What makes CoPilot such a powerful tool is its ability to leverage content across the company to provide accurate and relevant insight? However, companies need to have the right data security controls in place to ensure sensitive data remains secure when using AI tools such as CoPilot. This quarter, we announced Rubrik DSPM for M365 CoPilot. This new set of capabilities not only helps enterprises reduce the risk of sensitive data exposure and exfiltration, but also helps them accelerate the secure adoption of CoPilot. Rubrik’s powerful classification engine is designed to continuously and autonomously discover and classify all known and unknown data at a very rapid rate. Rubrik DSPM for M365 CoPilot is designed to ensure sensitive data is correctly classified, labeled and segmented while ensuring right access permissions.
This allows customers to leverage the power of CoPilot while safeguarding sensitive data from the risk of exposure all within our comprehensive cyber resilience platform. Next, innovation is absolutely critical to building an enduring company. So let’s talk about some of the big ideas that we are working on. As some of you might have read in our IPO prospectus, Rubrik pie design perpetually lives on the frontier of innovation and our long-term success depends upon our ability to continuously paid and commercialize pioneering products. In this vein, just this week at AWS Reinvent, we announced Rubrik Annapurna, which, along with an exciting new partnership with AWS will accelerate the development of trusted gen AI applications. There are three parts to this groundbreaking innovation: Number one, Rubrik Annapurna API service will allow customers to have ready to go access to all business data to quickly build more powerful and trusted gen AI applications; number two, Annapurna will deliver secure data embedding powered by RSC; and number three, Rubrik Annapurna leverages all enterprise data and metadata in RSC to easily set and manage data access controls for AI applications.
We believe we are uniquely positioned to enable AI adoption in a secure and compliant manner, which is a top priority for enterprises. We are excited about what we can do with Annapurna because Rubrik extracts, manages and secure the most important real estate in the brave new world of Gen AI, business data. However, I would like to note that we are in the very early innings of a multiyear strategy for Rubrik to be the secure data infrastructure platform for Gen AI applications. We look forward to providing more color on this road map as it advances in the next several years. Now let’s discuss a few notable updates to our partnership across the security and data landscape. A key component of our go-to-market machine. Our strategic partnership focused first and foremost, on creating more value for our joint customers through product integrations so that one plus one equals more than two for our customers.
A few examples from Q3. This quarter, Rubrik became the first data security platform vendor to integrate with Okta’s identity threat protection. RSC provides visibility into user access to data and automatically monitors for changes to access permission to sensitive data. The data context from RSC, combined with threat context from other security tools, allows Okta to orchestrate tailored response based on policy configuration and assist user risk levels. This integration helps companies manage risk around sensitive data access and respond to identity-based threats and attacks faster and more effectively. We also announced a new partnership with Pure Storage. Joining forces to deliver a complete cyber resilience solution. This partnership combines the strength of RSC with Pure Storage FlashArray and FlashBlade to deliver a secure approach to data protection across short-term and long-term storage needs.
As an example, Rubrik plus Pure’s FlashArray and FlashBlade can reduce backup windows from hours to minutes and Rubrik allows Pure customers to find anomalies, hunt for threats and discover sensitive data in their production environment. Lastly, let me discuss business efficiency and profitability. As discussed last quarter, we are focused on delivering leverage and profitability in our business model. Our Q3 results demonstrate this commitment with subscription ARR attribution margin up by over 1,100 basis points year-on-year. We look forward to continued improvements based on our increasing scale, our focus on efficiency in go-to-market and our disciplined investment for growth. We are incredibly proud to have surpassed $1 billion in subscription ARR with this level of growth and improving profitability.
Thank you very much to all Rubrikans for helping achieve this milestone and more importantly, for your relentless focus on innovation and getting the next horizon for Rubrik. We are also very grateful to our customers, partners and investors for their continued support. But let me be very clear, it is still very early days of the Rubrik story. We are creating a new vision for the cybersecurity industry based on cyber resilience. I am personally even more excited than I was at our founding in 2014 for what’s ahead for Rubrik. With that, I’m pleased to pass it over to our Chief Financial Officer, Kiran Choudary.
Kiran Choudary: Thank you, Bipul. Good afternoon, everyone, and thank you for joining us today. We posted outstanding results in the third quarter, and we exceeded our guidance across all metrics. Q3 was highlighted by strong top line growth at scale due to our leadership in the growing market for cyber resilience, significant expansions within our existing customer base and strong continued improvement and profitability. Let me start by briefly recapping our third quarter fiscal 2025 financial results and key operating metrics, and then I’ll provide guidance for the fourth quarter and full year fiscal 2025. All comparisons, unless otherwise noted, are on a year-over-year basis. Subscription ARR best illustrates the momentum of our business, and we are incredibly proud to have surpassed $1 billion in Q3, growing 38%.
We added $83 million in net new subscription ARR. We continue to drive adoption of our Rubrik Security Cloud, which resulted in $769 million of cloud ARR up 69%. Our subscription ARR growth benefited approximately 2 percentage points from transitioning our declining maintenance base to subscription. We have a differentiated land-and-expand model where we have multiple avenues to acquire new customers and expand relationship with our customers after their initial contract. We can expand the growth of data and applications already secured by Rubrik through the expansion of our footprint of applications secured and or by the addition of more security functionality. As a result, we continue to see a strong subscription net retention rate which remained over 120% in the third quarter.
All vectors of expansion are healthy contributors to our net retention rate, highlighting the meaningful runway we have to more deeply penetrate our customer base. Adoption of additional security functionality remains at approximately one third of our subscription net retention rate, stable from last quarter, but up from approximately a quarter in the year ago period. We ended the third quarter with 2,085 customers with subscription ARR of $100,000 or more, up 32%. These larger customers now contribute 83% of our subscription ARR, up from 79% in the year ago period as we become an increasingly strategic partner to our enterprise customers. For our third quarter in fiscal 2025, subscription revenue was $222 million, up 55%. Total revenue was $236 million, up 43%.
The Q3 revenue outperformance relative to our guidance reflects our strong ARR growth and higher-than-expected upfront and non-recurring revenue. This is due to higher-than-expected new sales and renewals of RSC private from regulated and government verticals in Q3 as well as the extension of transition licenses to some of our customers as they progress through the adoption of Rubrik Security Cloud. Turning to the geographic mix of revenue. Revenue from Americas grew 46% to $169 million. Revenue from outside Americas grew 35% to $67 million. Before turning to gross margins, expenses and profitability, I would like to note that I will be discussing non-GAAP results going forward. We are committed to balancing strong growth of scale with improving profitability.
We are focused on delivering strong gross margins, improving our subscription ARR contribution margin and growing free cash flow. We are achieving this leveraging the benefits of scale as well as improving efficiencies and management of parts across the business. Our non-GAAP gross margin was 79% in the third quarter compared to 80% in the year-ago period. Our gross margins continue to benefit from improved efficiency of our customer support organization offset by continued investments in our cloud hosting infrastructure. We benefit from onetime cloud hosting credits this quarter, which bolstered our gross margins by approximately 150 basis points. The gross margin also benefited from the revenue outperformance, including the higher-than-expected nonrecurring revenue.
These benefits are non-recurring in nature, and we anticipate total gross margin to stay at the lower end of our long-term target of 75% to 80%. As a reminder, we look at subscription ARR contribution margin as a key measure of operating leverage supporting our path to profitability. We believe the improvement in our subscription ARR contribution margin demonstrates our ability to drive operating leverage and profitability at scale. Subscription ARR contribution margin was negative 3% in the last 12 months ended October 31 compared to negative 14% in the year ago period, an improvement of over 1,100 basis points. The improvement in subscription ARR contribution margin was driven by our growing scale and continued focus on driving leverage across the organization.
In particular, our sales and marketing expense as a percentage of subscription ARR moved down approximately 1,000 basis points year-on-year. We expect to see further improvements in sales and marketing as we deliver on greater organizational efficiencies, improving cost of acquisition and a ramping renewal base. Free cash flow was $15.6 million compared to $3.5 million in the third quarter of fiscal 2024. This increase was driven by improved scale, operating leverage and working capital improvements offset by a slightly higher mix of annual and monthly consumption payments and shorter contract terms relative to year ago period. Turning to our outlook. We remain confident about the strength of the cyber resilience market and demand for our differentiated offerings.
We believe these drivers alongside our strong and consistent execution will deliver strong subscription ARR growth ahead. Revenue and revenue growth can fluctuate during the number of variables, including the pace at which we had new Rubrik Security Cloud customers, or RSC, and the pace at which we continue to migrate our existing customers to RSC. In terms of operating expenses, we plan to continue to invest into this enormous opportunity ahead of us while delivering efficient growth at scale. Now turning to guidance for the fourth quarter and full year fiscal 2025. In Q4, we expect revenue of $231.5 million to $233.5 million, up 32% to 33%. We expect non-GAAP EPS of negative $0.41 on to negative $0.37 based on approximately 187 million weighted average shares outstanding.
For the full year of fiscal 2025, we are pleased to raise our guidance across both our top line and profitability metrics. We now expect subscription ARR in the range of $1.57 billion to $1.61 billion, reflecting a year-over-year growth rate of approximately 35%. We expect total revenue for the full year fiscal 2025 in the range of $860 million to $862 million, implying approximately 37% growth. We expect non-GAAP subscription ARR contribution margins between negative 3% and negative 2%, reflecting further margin improvement from Q3. We expect non-GAAP EPS of negative $1.86 to negative $1.82 based on approximately 154 million weighted average shares outstanding for the full year. We expect free cash flow of negative $45 million to negative $39 million or negative $22 million to negative $16 million, excluding the $23 million in onetime payroll tax associated with our IPO.
And finally, while we are still early in our planning for next year, I wanted to call out a few high-level modeling points for fiscal 2026. As a reminder, the benefit for subscription ARR growth from the conversion of maintenance to subscription has been moderating, and we saw approximately 2 points of benefit in Q3. We are not expecting any benefit to growth from converting maintenance to subscription ARR in fiscal 2026. In addition, historically, we see higher net new subscription ARR in the second half of the year versus the first half. As we have discussed previously, we had an exceptional start to fiscal 2025, which offset typical seasonality. In fiscal 2026, we expect to see more normalized quarterly seasonality in subscription ARR. In terms of profitability, we have made strong progress in business efficiency so far this fiscal year, and we also continue to stay focused on free cash flow generation.
Based on where we stand right now, after completing the third quarter, we expect to deliver breakeven or better subscription ARR contribution margin and modestly positive free cash flow for the fiscal year 2026. We look forward to providing our fiscal year 2026 outlook on our Q4 fiscal 2025 earnings call. In closing, we are pleased with our performance in the third quarter and our higher outlook for the full year. Looking forward, we believe we are well positioned to continue to deliver efficient and durable growth given the large and growing opportunity for cyber resilience and our leadership, innovation and ability to execute on our vision. We look forward to seeing many of you on the road in the coming months, including at the upcoming Barclays conference.
With that, we’d like to open up the call for any questions.
Operator: Thank you so much. [Operator Instructions] We’ll go first this afternoon to Saket Kalia at Barclays.
Saket Kalia: Okay. Great. Thanks, guys. Thanks for taking my questions here and congrats on reaching the $1 billion ARR mark.
Bipul Sinha: Thank you, Saket.
Saket Kalia: Absolutely. Bipul, maybe just to start with you. In your prepared remarks, I thought you had some great examples of customer wins where cloud backup seemed like the main reason for the win. And I think that some of us sometimes wonder what backup for cloud applications and cloud workloads look like since the cloud presumably provides some sort of native backup. So maybe the question is, can you just talk about what you hear from customers about their desire to use third-party data protection tools like Rubrik for cloud workloads versus maybe relying on a backup solution from their cloud provider. There was a lot there, but does that make sense?
Bipul Sinha: It does. Rubrik has a huge opportunity in the cloud. And the reason is that cyber resilience is needed, wherever your application and data resides. But the fundamental question is that you have your data in three clouds, five SaaS applications and five data centers, and you can’t have different methods to do cyber recovery in different places because if you have to turn 30 knobs when you are — you had a bad breach, you will be down for a very long time. So customers are looking for a single policy engine and single security control to actually deliver cyber recovery across all of their data estates. And that’s why we are winning in the cloud because we have a very comprehensive solution for all the native cloud providers as well as data centers as well as SaaS applications such as Salesforce and M365.
As an example, this quarter in Q3, a Fortune 500 insurance company came to us to actually replace their native backup solution on their cloud platform with Rubrik cloud-native protection because they wanted the consolidated, again, policy management and security controls across all of their data so that they can have a native data threat engine that would be provided for complete visibility, control and being able to confidently do cyber recovery when the inevitable cyber attack happens.
Saket Kalia: Got it. That makes a ton of sense. Kiran, maybe for my follow-up for you, the contribution margin here continues to improve. And it was great to hear that, that can be breakeven next year. And you correct me there if I’m wrong. But maybe the question is, how do you sort of think about that in terms of your pace of investments going into next year? And how long of a lag do you think about sort of reported operating income sort of following that contribution margin?
Kiran Choudary: Sure, Saket, and thanks for the question. So we are very pleased with the progression we have made in margin to date. This quarter, we delivered minus 3% subscription margin, which was almost 100 basis points better than the last quarter, Q2 and 1,100-plus basis points year-over-year. But really the drivers of the progression in margin are twofold. One is the top line scale and outperformance but also the work we’ve been doing on efficiency, both across sales and marketing and R&D in terms of the big investment areas for us. And we look to improve that further based on the guidance we gave for Q4 finishing up this year. And I did mention in my prepared remarks that based on where we are today after the third quarter, our goal is to be subscription are contribution margin breakeven or better next fiscal year.
So that’s how we are thinking about the goal is to build a profitable growth business here. Now when it comes to the operating margin, we expect that to follow after subscription margin. Normally, I would think that we will follow within a few quarters. But just to remind everybody that we went through a cloud transformation, we are nearing the end of it, but that suppressed our revenue under top line accounting perspective for some time. And because of that, they’ll lag will be a little longer. But subscription era margin is the leading indicator for op margin over time.
Saket Kalia: Very helpful, guys. Thanks.
Operator: Thank you. We go next now to Fatima Boolani at Citi.
Fatima Boolani: Good afternoon, thank you for taking my question. Kiran, you made an interesting point on the prepared remarks that I wanted to drill into with regards to DSPM deals doubling in volume sequentially. I wanted to ask about how much this is contributing to the pipeline and or potentially shortening some of your deal cycles? And then I have a follow-up for Kiran, please. Thank you.
Bipul Sinha: Thanks, Fatima. Let me give you a little bit of a business color, and then Kiran might add some more details. In terms of like DSPM, we are continuing to see a strong traction with DSPM and as I mentioned in the prepared remarks, that number of customers doubled quarter-over-quarter in Q3. The issue is DSPM provides data risk and data threat visibility. And then combination of DSPM plus cyber recovery is the complete cyber resilience. And since generative is now pulling data from the nooks and crannies of enterprise applications, folks need to understand the sensitivity of the content to be able to deliver responsible AI. And that is also our attempt in terms of the Rubrik DSPM for Microsoft CoPilot. In fact, the health care organization in Q3 added DSPM to their existing Rubrik footprint because their Chief Information and Digital Officer was concerned about their ability to recover quickly and they actually replaced their existing DSPM vendor to be able to offer superior cyber resilience capability and be able to understand the data risk, data threat and to be able to deliver fast cyber recovery.
Kiran Choudary: Just to add — I think on your sales cycles question, DSPM is still a relatively smaller part of our business, so it’s not influencing our overall sales cycles, which have been stable this year.
Fatima Boolani: Thank you, Kiran. And just on the free cash flow outlook, the preliminary outlook you shared for fiscal ’26. Very much appreciate that color looking out. But you did talk about some consumption-related headwinds that are starting to peak into the profile this year. I’m wondering if you can give us a quick refresher on what some of the parts of the product portfolio are more catered to the consumption modality, if you will, of pricing. And how much of an impact that could potentially have as maybe sort of a headwind for next year to think about? Thank you.
Kiran Choudary: Sure. So apart this not consumption specifically. It is more related to the shorter term and shorter invoicing cycles for some of our cloud and SaaS products as we progress more into selling some of these products, some of our customers prefer to buy it, the data security portion from us in line with how they purchase the core cloud or SaaS products like Microsoft 365. So we have seen over the past several quarters a bit of shortening on contract cycles as well as invoice cycles. And that is what I referred to as modest headwinds to free cash flow through this year as well. And as we think about next year, we’re not giving guidance or an outlook yet. We’ll do that after Q4 call. But in regards to the comment on cash flow positive, as a modeling point, we would expect some further modest compression as well.
Fatima Boolani: Very clear, thank you.
Operator: We’ll go next to now to Kash Rangan at Goldman Sachs.
Kash Rangan: Hi, thanks very much. Congratulations to the Rubrik team. My question to you, Bipul, is — and I have one for Kiran as well. You’ve always maintained the view that the TAM for Rubrik in this cycle is not just a replacement of the legacy technology, but also participation of the broader pool available to you in cybersecurity, right? I mean that would make it truly a more sustainable growth company. I’m wondering if you could point to any evidence in the quarter and evidence in the pipeline that you see that the TAM in cybersecurity, which is a vast bigger pool of spending than the legacy business and how that is helping your business? And are you able to participate in those new budgets? And also Kiran, congratulations on the operating efficiency improvement. How sustainable is this improvement that we saw going forward? Thank you so much.
Bipul Sinha: Thanks, Kash. So if you think about what Rubrik did to the backup and recovery industry, we transformed this market from backup and recovery for humanity recovery or natural disaster recovery into a cyber disaster recovery platform. We call it cyber recovery, cyber resilience. And that has really expanded the TAM for this market because to be able to deliver cyber resilience, you fundamentally assume that attacks are inevitable. And if attacks are inevitable, then you have to think about what are we doing before actual attack happens? So how do you assess the risk? Then during an illegal activity, run time, how do you assess the threat? And finally, if the breach has happened, then how do you deliver faster cyber recovery to be able to keep your applications up and running.
And what Rubrik did was all these three pieces, Rubrik built into a single platform, Rubrik Security Cloud, which combines DSPM plus cyber recovery on a single platform. And that’s the unique architecture that we created from day one. And it is not something that is bolt-on or you can convert into. This is inherent to our architecture. And that platform is the unique solution in the market where market is looking for a cyber resilient solution, not looking for legacy backup recovery solution. So if you look at our transaction, about half of our new customers adopt Enterprise Edition, which is the full cyber recovery solutions in their first purchase. And if you look at our NRR, about third of our NRR comes from the cyber data security product attach that we are doing on our Rubrik Security Cloud platform.
So essentially, we have transformed this market from this legacy backup recovery approach to a cyber resilience platform, a data security platform to be make sure that folks can do cloud transformation, digital transformation confidently and keep their services up and running even when confronted with an attack.
Kiran Choudary: And Kash, just to answer your second question, you had on operating efficiency. So we are really pleased with the progress we’ve had over the past several quarters, both in terms of subscription ARR contribution margin as well as cash margins. If you look at the drivers for them in terms of the big investment areas, sales and marketing and R&D, we expect many of these drivers to continue, including the ability to drive higher productivity from multiple products, our focus on enabling the sales and go-to-market teams and lowering the cost of acquisition with targeted marketing as well as no partner leverage. And I’ll say that renewals are still a minority of our business, and we expect that to grow in contribution.
And with that, we get natural leverage as well. On R&D, we continue to hire talent globally with a particular focus on our India center where we’ve hired great talent over the past years, and we expect that to continue as well. So many of these drivers will see it continuing, but of course, they will moderate over time in terms of the improvements we see.
Kash Rangan: Terrific, thank you so much. Happy holidays.
Kiran Choudary: Thank you, Kash.
Operator: Thank you. We’ll go next now to Andrew Nowinski at Wells Fargo.
Andrew Nowinski: Hey, good afternoon. Congrats on another great quarter and particularly, the improvement in contribution margin, I think, really stood out. I just wanted to ask a question. So coming back from the Wells Fargo TMT conference this week. I mean it was really clear that data protection, DSPM and of course, cyber resilience, I think, were top of mind for many organizations. That really stood out to us as like the one key takeaway based on the strong growth you’re seeing in your cloud ARR. I mean, it looks like you’re seeing this, too. And I’m wondering if there’s inflection in demand for DSPM and cyber recovery is related to an inflection, maybe in Gen AI rollouts? Or is it something else? Just wondering if you could pinpoint what’s driving this inflection. Thank you.
Bipul Sinha: Thank you, Andrew. In terms of Gen AI, Gen AI is certainly a driver for a lot of enterprise activities right now because Gen AI is forcing people to focus on data to understand the integrity of the data, to understand the sensitivity of the data, to understand potential risk of the data, to understand who has access to what data and what they can do with data. And if you look at where we play, Rubrik is the data security platform. We — at the outset, our goal was to transform backup and recovery, which was a legacy platform into a data security platform to deliver cyber resilience. And so our cyber recovery together delivers our customers an understanding of data risk and delivers data integrity and availability.
And so truly, the Gen AI initiatives bring the focus back into data, and that definitely is a tailwind for this market. Having said that, obviously, digital transformation, cloud transformation, application — SaaS application adoption. And everything that is accelerating throughout the year is also contributing. So it’s a broad set of capabilities and broad set of market drivers driving the secular tailwind for this market.
Andrew Nowinski: Thanks, Bipul. And maybe as a follow-up to that, I think your enterprise addition gets about a 75% uplift over the foundation addition. I’m wondering if you could just give us an update on maybe the adoption rate of the enterprise addition over the last six months since your IPO of how that’s maybe changed and what you’re seeing there? Thank you.
Kiran Choudary: So enterprise addition continues to be the flagship platform for cyber recovery. And we are also attaching DSPM to bring the security and threat perspective into it. And we are continuing to see a strong adoption of enterprise edition. About half of our new customers adopt — continue to adopt enterprise edition at the outset. And as I mentioned before, nearly third of our NRR is actually coming from the adoption of data security product, which includes a lot of enterprise edition cyber recovery plus DSPM offerings that we have.
Andrew Nowinski: Thank you. Keep up the good work.
Kiran Choudary: Thank you.
Operator: We’ll go next now to Brad Zelnick at Deutsche Bank.
Brad Zelnick: Great. Thanks so much. And congrats on the strong execution. The entire team has so much to be proud of. Bipul, I wanted to start by asking you about Annapurna, the goddess of nourishment. Can you talk about the vision and evolution leading up to this week’s announcement? What we should expect in terms of availability across other cloud platforms? And is this something you expect to price and monetize implicitly or explicitly.
Bipul Sinha: Thank you so much, Brad. This is a very important question for us. Look, Rubrik is an ambitious company. And from the outset, we had actually decided to make Rubrik a company that lives on the frontier of innovation. And our goal is to build pioneering and commercially successful products to really do real transformation and prospective change at our customers. And we want to build a long-term, long-lasting company, long-term profitable company. And long-term companies cannot just focus on what is in front of them, but they create horizons, and that horizon is three to five years out. Just like in the past, back in 2016 and ’17, we were working on cyber recovery. And the set of capabilities that we built then is finding success in the marketplace today.
So we always think about what do we do today that three to four years out can change the game of the industry, can change the game of the market. And Annapurna is a very important multiyear strategy for Rubrik because if you think about what Rubrik is, we are a centralized data platform with data security built into it, where we pull data for a multitude of enterprise application and create a common data metadata format with data security built into it. And as you know, Gen AI is forcing businesses to extract data from multiple applications to be fed into the model. And we have a ready-made next gen data lake because we use this data lake to recover, application is kind of like a reverse ETL back into the production applications. We can use the same data infrastructure, data security building to it to deliver data into RAG or gen AI or whatever workflow they want to use to build powerful LLM apps.
But LLM apps that are trusted, that has security that has responsible AI built into it. Obviously, the secure data embedding that is powered by Rubrik Security Cloud and access control and all of that is inherent to our platform. And our goal is we started with Amazon Bedrock, but it is designed in an API-first platform, it is equally applicable to GCP, Azure, bring your own model, a third-party set of frameworks, whether it’s Langchain or Llama index or whatever folks are using to build their Gen AI applications, LLM applications. We will actually will do market experimentation just like in the past four, five years ago, we did experimentation with the data security products. We’ll figure out messaging product markets that pricing, what price to customers will sustain, what value we are creating for them.
And as we make more progress on the path to monetization, packaging, pricing, Annapurna we’ll keep you updated in the next several years. I mean, this is, again, a long-term thing for Rubrik, but this is a very exciting new area and we are working really hard on it.
Brad Zelnick: Super exciting, Bipul. Maybe a quick follow-up for Kiran. You’re clearly taking market share, and it seems even more so in a quarter like this. Is there anything that you can share with us in terms of win rates and where the share might be coming from? Thanks so much, guys. Congrats again.
Bipul Sinha: Let me take this question, Kiran. We continue to win a vast majority of peers against other new gen as well as legacy backup and recovery vendor. And this is because, as I mentioned before, we are the only vendor in the marketplace that has a unique Zero Trust platform that combines DSPM and cyber recovery in a single platform. So we have the full understanding of data risk data threat and cyber recovery and architecture matters when it comes to data and data security and availability of applications. And because of we build this architecture grounds up, when the customers sees our product, there is a reaction, positive reaction that happens and this product can be like — you can’t build this product by bolting on 30 different cybersecurity products or pivoting into cybersecurity.
This was the decision that we made day one where we said data, metadata and data threat engine is in a single platform. So we took a risky bet 10 years ago, but we were right in that risky bet, and we are reaping the awards of unique architecture.
Brad Zelnick: Thank you.
Operator: We’ll go next now to John DiFucci at Guggenheim Securities.
John DiFucci: Thank you. By the way, this Q&A, this is really helpful and really appreciate people your answer to Kash’s question. He always asks good ones. But we all get that from investors. Like why is this going to last and that was helpful. That was really — that was clear as to why this — why you’re not going to be Veritas in 1999 by the time 2000, I don’t know [indiscernible] came along or whatever. But my question here is on partnerships. You spoke about technology partnerships, but there’s — and by the way, you need to have everything you’re talking about. The one thing that really hasn’t been hit on here is go-to-market. So can you talk a little bit more about go-to-market partnerships? We all know that you have a really strong go-to-market team, but our field work indicates that you sign more VARs. We’re just hearing more VARs and more reseller partnerships.
And they want they wanted to partner with you and those that focus on security, and they’re already starting to see early traction. This is the traditional way that enterprise security is sold. So can you talk a little bit about your efforts there? And what is what we’re hearing right? And how should we think about go-to-market partnerships, that contribution going forward? Thank you.
Bipul Sinha: Thank you, John. Really appreciate your comments. If you think about Rubrik’s go-to-market strategy, we are a technology platform company with a multiproduct that is sold on this platform. And we — and it is a global product. We actually sell our products all around the world, and then the routes to market is critical for us to have long-term success. So when we think about go-to-market route to market in multiple ways. Number one is, as you mentioned, the VAR because we are 100% indirect business, we work with VAR and VAR take our product and attach some of their services to it to take us to their trusted customers. So that’s one motion. The second motion is GSI partners, whether it’s global SIs or regional SIs, they again do — they operationalize Rubrik for their trusted customer.
If you look at the third way is our technology alliance partner from Zscaler to CrowdStrike, to Pure Storage, to Cisco, we work with all of them to actually take our product to market. And we have a co-engineered solution with these technology partners where one plus one is more than two. So that end customers see bigger value from Rubrik partnership with, for example, Zscaler where we provide the Zscaler customers full visibility into the threat of a data passing over the network. And that value is, again, one product alone can’t deliver. And this is where we are actually creating this multifaceted go-to-market strategy to comprehensively deliver cyber resilience solution around the world across whatever trusted adviser partner products that our customers have.
John DiFucci: And that all makes sense, Bipul. But in the technology partnerships, they come out with big announcements, and we look at those, and they’re interesting and we hear about them in the field. But is what I said happening like am I just like noticing it more? Or are more and more, and the first two you mentioned, VARs and GSIs, is there greater engagement over the last quarter or two than there has been more — are you signing more partnerships with VARs and GSIs or it’s just something that, I don’t know, maybe a it’s been happening and I just didn’t — I think we’re trying to pay attention, but is it happening more?
Bipul Sinha: It is definitely happening more, but it has been happening for last many quarters because what has happened is that in the last couple of years, the customers are demanding for cyber resilient solutions, cyber resiliency. They are asking for how do I keep my services up and running even when I’m breached, even how do I keep my hospitals up and take — even when it is breached. How do kids go to school when the school is breached? And when the GSIs and VARs here this question, they’re not thinking about backup and recovery. They are saying that how do I bring a complete cyber resilience solution and protect our customers. And it is doing two things to the VARs and GSI. One is they are not having a discussion around infrastructure and dollar per terabyte.
We are having a strategic dialogue with the customer around risk and risk mitigation. And then the second thing is that it actually broadens their scope in the enterprise from just infrastructure into infrastructure plus cybersecurity. So you really noticed it, right? Large GSIs, large VARs and mini VARs and mini GSIs are taking Rubrik to market because there success with their end customer depends upon their ability to drive cyber resiliency. And that’s why you are noticing more and more folks are signing up the tubes.
John DiFucci: Got it. Well, keep it up guys because you know this, what we saw tonight is rare. Thanks.
Melissa Franchi: Thank you, John.
Operator: Thank you. And ladies and gentlemen, that is all the time we do have for questions today. At this time, I would like to turn things back over to you, Mr. Sinha for any closing comments.
Bipul Sinha: In closing, I would like to thank all our customers, all our partners, all our Rubrikons as well as all our investors for your continued support. These are still very early days of Rubrik because company’s life is in decades, not in years. And we just finished the first decade of Rubrik and has entered the next decade. We want to build a long-term large profitable business, and we look forward to working closely with you to learn from you to understand where the market is moving and how do we continue to build market-defining products to keep our customers secure and make sure that they can do digital transformation confidently. Thank you so much.
Operator: Thank you, Mr. Sinha. Again, ladies and gentlemen, that will conclude the Rubrik third quarter fiscal 2025 results call. Again, thanks so much for joining us, everyone, and we wish you all a great remainder of your day. Goodbye.
