Revenue
$784.00M
2023
Valuation
$4.00B
2021
Growth Rate (y/y)
80%
2023
Funding
$565.20M
2021
Revenue
Sacra estimates that Rubrik hit $784M in annual recurring revenue (ARR) in 2023, up 47% from $533M in 2022.
At the beginning of 2023, Rubrik announced they'd crossed $500M in annual recurring revenue (ARR) from software.
Software
The majority of Rubrik’s revenue today comes from its subscription-based sales of its data management and security offerings.
SaaS, via Rubrik Go, is the most quickly growing part of the business. Rubrik’s Microsoft 365 SaaS offering is their fastest growing product, aided by a partnership the two companies signed in August 2021 and the 2,000+ mutual customers shared by them.
SaaS is not just creating more predictable revenue but driving companies in this space into new markets and generating more revenue opportunities. In Q1’22, 60% of Commvault’s new SaaS customers were net new customers of Commvault and more than 50% are using other Commvault products.
Gross margins on subscription software models across both data management and cybersecurity hover around 90%.
Services
Companies like Rubrik, Veeam, Cohesity, and Commvault derive a significant share of revenue from the customer and technical support that they offer in conjunction with their data protection software and SaaS.
That includes technical support and software updates, post-deployment training, consulting and design services, and customer education.
Gross margins across the professional services revenue of data replication companies tends to come in lower than the gross margin of software and products revenue at around roughly 80%.
Cost of revenue is also significantly higher than for software and products: for example, Commvault ($723M in total revenue for 2021) reported a cost of revenue for services at $82M and a cost of revenue for software at $27M.
Valuation
Rubrik has raised a total of $565.2M from investors like Bain Capital Ventures, Khosla Ventures, Microsoft and Lightspeed Venture Partners. The company was last valued at $4B after an investment made by Microsoft in 2021 for about a 5x multiple on revenue, which is within the typical range for companies in this space.
That's higher than slower growing competitors like the publicly listed Commvault, which is valued at $2.7B at a multiple of 3.5x, and Veeam, the largest data back-up vendor based in Europe, which is also priced around 3.5x.
Business Model
Rubrik started out selling its data management solution to customers via perpetual license and has since shifted to subscriptions, which today make up the majority of revenue.
Perpetual licenses
Rubrik’s original model hinged on selling its hardware-and-software integrated appliances to customers and charging them upfront.
For example, the Rubrik R6304 with 24TB of total storage retailed for $114,400 while the Rubrik R6404 with 32TB of storage retailed for $201,200.
Each “Brik” would come with a certain amount of available storage, Rubrik would drive additional revenue by selling additional Briks, each one of which could be added to the set-up to extend a customer’s total storage capacity. Rubrik would then provide support for that brick for the perpetual term of the license.
Subscriptions
Today, Rubrik primarily sells its data management and security product into enterprises via subscription through Rubrik Go, which allows customers to pay based on how much data they back up and saves them from needing to put up a large amount of capital upfront. Contracts are for 3 years with fixed yearly payments.
Rubrik generates more revenue with the more data that their customers need to back up and with the additional services that they layer on, including ransomware investigation and data governance features.
There are three tiers of subscription available:
- Foundation: the basic plan, 10TB of backup data
- Business: the Foundation plan, plus ransomware investigation
- Enterprise: 200TB of backups, plus incident containment, orchestrated app recovery, and sensitive data discovery
Additional features like Microsoft 365 integration can be bolted on to any of the above plans at an added yearly cost.
Product
Rubrik found its initial product-market fit by building “iCloud for data backups”.
Pre-Rubrik, backing up and restoring data was a full-time job for IT managers. Data was stored across databases, containers, VMs and physical hardware, and each would have its own protocol for backing up data, like snapshotting in VMware.
Different products would be responsible for replicating data, moving old data out of your data center and onto tape, maintaining a log of where all your data was located, and pulling that data out of storage when needed. The result was a fragmented and fragile market, with several different individual points of failure.
Rubrik’s first product was a vertically integrated appliance (the Rubrik “brick”) that brought all of these functions into one device. The brick was built with auto-discovery of a customer’s various VMs and databases, integrated file system and indexer to enable one-click recovery, and utilization of different clouds for the best economics on storage.
Today, Rubrik continues to service customers using physical Rubrik appliances for backups, but they’re moving aggressively—as are other data protection companies—to get more and more of their customers on Rubrik Go, their new SaaS-based backup solution.
On top of that core data backup product, Rubrik is layering on additional products that leverage the unique vantage point of their filesystem—with a particular focus on ransomware and cybersecurity and data governance.
Ransomware and cybersecurity
Over the last several years, Rubrik’s focus has strongly shifted from data backups to competing in the cybersecurity market.
Rubrik’s approach differs from that of vendors like SentinelOne and CrowdStrike. Those companies provide endpoint security, which protects corporate laptops, phones, and networks against attacks from outside. Rubrik’s approach assumes, to an extent, that an incursion will happen—and asks how data can be protected, recovered, and secured better for next time.
Since 2017, Rubrik has launched several products specifically focused on fighting ransomware. Rubrik Radar, for example, is a SaaS-based product that uses machine learning to monitor a customer’s environments and provide alerts in the event of any anomalies.
Rubrik recognized its database backup product was an ideal solution to help customers with recovering from and dealing with ransomware attacks for two key reasons:
- Immutable filesystem: Rubrik designed its database to be append-only from the start, meaning that even hackers who get into a customer’s system won’t be able to overwrite any data on their backups
- Timeline view: By continually making backups of a customer’s data, Rubrik gets a timeline perspective on that data that allows them to identify specifically what data is being compromised and when
Two massive ransomware attacks in 2017, WannaCry and NotPetya, launched this form of malware to top of mind across the IT world. In the most common type of ransomware attack, a hacker encrypts files on their target’s server and demands a monetary payment to unencrypt them.
Two big hires demonstrate Rubrik’s hard-pivot into security: Michael Mestrovich, the former CISO of the CIA, as Rubrik’s new Chief Information Security Officer, and former CISA (Cybersecurity and Infrastructure Security Agency) director Chris Krebs as chairperson of Rubrik’s new Chief Information Security Officer Advisory Board.
Data governance
Since the publication of the General Data Protection Regulation (GDPR), it’s become far more important for companies to understand what personally identifiable information (PII) they’re collecting from customers and how that data is being stored and used internally.
EU authorities can impose fines of up to $20M or 4% of worldwide turnover for doing this wrong, and it’s fueled the rise of an entire industry for data governance and compliance SaaS products like BigID and OneTrust.
Rubrik recognized that their immutable database and timeline view could be useful for this problem the same way it was useful for ransomware: as Rubrik monitors a customer’s data and environments, they can track how and when files are accessed by internal users just as easily as they can track intruders.
Rubrik Polaris Sonar discovers, classifies, and provides reports on all of the sensitive PII that is being stored by an organization: it tells customers if they’re storing SSNs or other kinds of sensitive data without realizing it, whether the access patterns and permissions on those files line up with regulations, and whether any internal employees have started suddenly accessing those files without the proper reason to do so.
Competition
Rubrik found product-market fit by capitalizing on this larger transition from on-premise data centers to multi-cloud and hybrid deployments and managed software to SaaS.
Now, 9/10 enterprises use one or more cloud providers while the average enterprise uses 137 SaaS apps.
Today, most of the major data protection companies, including Rubrik, public comps like Commvault, and private competitors like Cohesity are either selling value-added services on top to help companies catalog, search, and get analytics for their backed-up data, or moving in that direction.
Enterprise contracts are larger and provide more stable recurring revenue, and that’s where most of the bigger funded competitors are focused, while companies like Dell and IBM serve the SMB market alongside more recent companies like Arcserve.
Cloud service providers like Amazon, Microsoft and Google will likely be key acquirers in this space, if not direct competitive threats. The growing tendency for enterprise deployments to be multi-cloud means that data protection software is increasingly being designed for interoperability with all major clouds.
Third parties have more room to maneuver in this market, though they may eventually end up finding a home at the Amazons, Microsofts, and Googles of the space, as did Actifio, the enterprise SaaS backup platform acquired by and folded into Google Cloud in 2020.
Clumio initially set out to compete with Rubrik and Cohesity but has since narrowed its focus on serving AWS customers specifically with data protection for their IaaS, EC2 and native database instances. Other more focused "point solutions" in this market include Nightfall, which has taken a Rubrik-like approach specifically to the problem of protecting data across SaaS environments, ignoring VMs and on-premises data.
In Rubrik’s last fundraising round, Microsoft invested alongside a partnership whereby Rubrik’s software will be used to add data protection and cloud services via Microsoft 365 and Azure.
TAM Expansion
The total data replication and backups industry, between both traditional on-premises deployments and SaaS, is worth about $17B. However, the market is highly competitive with high pricing pressure, with players frequently offering discounts and incentives to close deals over competitors.
The trend we’re seeing across these companies like Rubrik, Cohesity, Veeam and Commvault is that backups are just act one—the wedge that gives them visibility and integration into all of the different SaaS applications, VMs, and cloud instances that their customers are operating.
From there, they’re looking to expand into other kinds of services that their visibility and integration makes them particularly well-positioned to solve.
Two of the biggest adjacent opportunities for Rubrik here are cybersecurity, a market projected to be worth about $200B by 2028, and the $40B market for data governance and compliance.
Data governance & compliance
Privacy and security startups raised $15B in VC in 2021 to address the growing global need for software that can find and classify personally identifiable information (PII) responsive to new regulatory regimes like GDPR and CCPA.
Enterprise companies with data spread out across warehouses, repos, S3 buckets, VMs and so on have the biggest need for software that can keep them in compliance with these new rules, and Rubrik and other data backup companies have the benefit that they’ve already been ingesting data from all those sources.
Future growth prospects in this space are significant. In the United States, 27 new online privacy bills were proposed in 2021—up from just two in all of 2018. Within the EU, there is regulatory appetite for more aggressive data privacy legislation to follow up on 2018's GDPR. It's unlikely that the burden on businesses to stay compliant will be going anywhere anytime soon.
Cybersecurity
In the cybersecurity space, Rubrik’s positioning as a backup provider and wide existing install base gives them an edge as they look to expand into markets like security information and event management (SIEM) and vulnerability assessment.
SIEM providers plug into an organization’s servers, endpoints and network devices and flag anomalous events that could be indicators of a security problem. They also leverage their wider dataset in order to detect threats that legacy providers might not be able to spot.
On the other hand, vulnerability assessment tools take a catalog of all of an organization’s security vulnerabilities—from misconfigured systems to missing 2FA installs—and provide reporting and recommendations around how they can be strengthened.
Platforms like Rubrik are likely to see tailwinds from consolidation over the next several years, with the average enterprise reporting that they have ~75 software security products in use today and want to consolidate vendors in the coming years.
At the same time, the continued migration of data to the cloud—and the growing threat posed by ransomware and other kinds of cybersecurity attacks—will mean that demand for security products like those sold by Rubrik are only likely to increase.
Risks
Category saturation: Within the data backup and management industry, there are a numbers of players near Rubrik's scale and with similar growth rates. Between Veeam, Commvault, Cohesity, Druva, OwnBackup, Acronis and others, it’s a crowded, increasingly commodified market where vendors have to discount to win—and if Rubrik fails to cement its new positioning as a security and compliance company, it'll be hard to meaningfully differentiate and expand their TAM.
Fundraising
Funding Rounds
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
|
||||||
View the source Certificate of Incorporation copy. |
News
DISCLAIMERS
This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.
This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.
Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.
Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.
All rights reserved. All material presented in this report, unless specifically indicated otherwise is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.