Click here to access our Rubrik dataset.

Sacra estimates that Rubrik hit $784M in annual recurring revenue (ARR) in 2023, up 47% from $533M in 2022.

At the beginning of 2023, Rubrik announced they'd crossed $500M in annual recurring revenue (ARR) from software.

The majority of Rubrik’s revenue today comes from its subscription-based sales of its data management and security offerings.

SaaS, via Rubrik Go, is the most quickly growing part of the business. Rubrik’s Microsoft 365 SaaS offering is their fastest growing product, aided by a partnership the two companies signed in August 2021 and the 2,000+ mutual customers shared by them.

SaaS is not just creating more predictable revenue but driving companies in this space into new markets and generating more revenue opportunities. In Q1’22, 60% of Commvault’s new SaaS customers were net new customers of Commvault and more than 50% are using other Commvault products.

Gross margins on subscription software models across both data management and cybersecurity hover around 90%.

Companies like Rubrik, Veeam, Cohesity, and Commvault derive a significant share of revenue from the customer and technical support that they offer in conjunction with their data protection software and SaaS.

That includes technical support and software updates, post-deployment training, consulting and design services, and customer education.

Gross margins across the professional services revenue of data replication companies tends to come in lower than the gross margin of software and products revenue at around roughly 80%.

Cost of revenue is also significantly higher than for software and products: for example, Commvault ($723M in total revenue for 2021) reported a cost of revenue for services at $82M and a cost of revenue for software at $27M.

Rubrik has raised a total of $565.2M from investors like Bain Capital Ventures, Khosla Ventures, Microsoft and Lightspeed Venture Partners. The company was last valued at $4B after an investment made by Microsoft in 2021 for about a 5x multiple on revenue, which is within the typical range for companies in this space.

That's higher than slower growing competitors like the publicly listed Commvault, which is valued at $2.7B at a multiple of 3.5x, and Veeam, the largest data back-up vendor based in Europe, which is also priced around 3.5x.

Rubrik started out selling its data management solution to customers via perpetual license and has since shifted to subscriptions, which today make up the majority of revenue.

Rubrik’s original model hinged on selling its hardware-and-software integrated appliances to customers and charging them upfront.

For example, the Rubrik R6304 with 24TB of total storage retailed for $114,400 while the Rubrik R6404 with 32TB of storage retailed for $201,200.

Each “Brik” would come with a certain amount of available storage, Rubrik would drive additional revenue by selling additional Briks, each one of which could be added to the set-up to extend a customer’s total storage capacity. Rubrik would then provide support for that brick for the perpetual term of the license.

Today, Rubrik primarily sells its data management and security product into enterprises via subscription through Rubrik Go, which allows customers to pay based on how much data they back up and saves them from needing to put up a large amount of capital upfront. Contracts are for 3 years with fixed yearly payments.

Rubrik generates more revenue with the more data that their customers need to back up and with the additional services that they layer on, including ransomware investigation and data governance features.

There are three tiers of subscription available:

Additional features like Microsoft 365 integration can be bolted on to any of the above plans at an added yearly cost.

Rubrik found its initial product-market fit by building “iCloud for data backups”.

Pre-Rubrik, backing up and restoring data was a full-time job for IT managers. Data was stored across databases, containers, VMs and physical hardware, and each would have its own protocol for backing up data, like snapshotting in VMware.

Different products would be responsible for replicating data, moving old data out of your data center and onto tape, maintaining a log of where all your data was located, and pulling that data out of storage when needed. The result was a fragmented and fragile market, with several different individual points of failure.

Rubrik’s first product was a vertically integrated appliance (the Rubrik “brick”) that brought all of these functions into one device. The brick was built with auto-discovery of a customer’s various VMs and databases, integrated file system and indexer to enable one-click recovery, and utilization of different clouds for the best economics on storage.

Today, Rubrik continues to service customers using physical Rubrik appliances for backups, but they’re moving aggressively—as are other data protection companies—to get more and more of their customers on Rubrik Go, their new SaaS-based backup solution.

On top of that core data backup product, Rubrik is layering on additional products that leverage the unique vantage point of their filesystem—with a particular focus on ransomware and cybersecurity and data governance.

Over the last several years, Rubrik’s focus has strongly shifted from data backups to competing in the cybersecurity market.

Rubrik’s approach differs from that of vendors like SentinelOne and CrowdStrike. Those companies provide endpoint security, which protects corporate laptops, phones, and networks against attacks from outside. Rubrik’s approach assumes, to an extent, that an incursion will happen—and asks how data can be protected, recovered, and secured better for next time.

Since 2017, Rubrik has launched several products specifically focused on fighting ransomware. Rubrik Radar, for example, is a SaaS-based product that uses machine learning to monitor a customer’s environments and provide alerts in the event of any anomalies.

Rubrik recognized its database backup product was an ideal solution to help customers with recovering from and dealing with ransomware attacks for two key reasons:

Rubrik found product-market fit by capitalizing on this larger transition from on-premise data centers to multi-cloud and hybrid deployments and managed software to SaaS.

Now, 9/10 enterprises use one or more cloud providers while the average enterprise uses 137 SaaS apps.

Today, most of the major data protection companies, including Rubrik, public comps like Commvault, and private competitors like Cohesity are either selling value-added services on top to help companies catalog, search, and get analytics for their backed-up data, or moving in that direction.

Enterprise contracts are larger and provide more stable recurring revenue, and that’s where most of the bigger funded competitors are focused, while companies like Dell and IBM serve the SMB market alongside more recent companies like Arcserve.

Cloud service providers like Amazon, Microsoft and Google will likely be key acquirers in this space, if not direct competitive threats. The growing tendency for enterprise deployments to be multi-cloud means that data protection software is increasingly being designed for interoperability with all major clouds.

Third parties have more room to maneuver in this market, though they may eventually end up finding a home at the Amazons, Microsofts, and Googles of the space, as did Actifio, the enterprise SaaS backup platform acquired by and folded into Google Cloud in 2020.

Clumio initially set out to compete with Rubrik and Cohesity but has since narrowed its focus on serving AWS customers specifically with data protection for their IaaS, EC2 and native database instances. Other more focused "point solutions" in this market include Nightfall, which has taken a Rubrik-like approach specifically to the problem of protecting data across SaaS environments, ignoring VMs and on-premises data.

In Rubrik’s last fundraising round, Microsoft invested alongside a partnership whereby Rubrik’s software will be used to add data protection and cloud services via Microsoft 365 and Azure.

The total data replication and backups industry, between both traditional on-premises deployments and SaaS, is worth about $17B. However, the market is highly competitive with high pricing pressure, with players frequently offering discounts and incentives to close deals over competitors.

The trend we’re seeing across these companies like Rubrik, Cohesity, Veeam and Commvault is that backups are just act one—the wedge that gives them visibility and integration into all of the different SaaS applications, VMs, and cloud instances that their customers are operating.

From there, they’re looking to expand into other kinds of services that their visibility and integration makes them particularly well-positioned to solve.

Two of the biggest adjacent opportunities for Rubrik here are cybersecurity, a market projected to be worth about $200B by 2028, and the $40B market for data governance and compliance.

Privacy and security startups raised $15B in VC in 2021 to address the growing global need for software that can find and classify personally identifiable information (PII) responsive to new regulatory regimes like GDPR and CCPA.

Enterprise companies with data spread out across warehouses, repos, S3 buckets, VMs and so on have the biggest need for software that can keep them in compliance with these new rules, and Rubrik and other data backup companies have the benefit that they’ve already been ingesting data from all those sources.

Future growth prospects in this space are significant. In the United States, 27 new online privacy bills were proposed in 2021—up from just two in all of 2018. Within the EU, there is regulatory appetite for more aggressive data privacy legislation to follow up on 2018's GDPR. It's unlikely that the burden on businesses to stay compliant will be going anywhere anytime soon.

In the cybersecurity space, Rubrik’s positioning as a backup provider and wide existing install base gives them an edge as they look to expand into markets like security information and event management (SIEM) and vulnerability assessment.

SIEM providers plug into an organization’s servers, endpoints and network devices and flag anomalous events that could be indicators of a security problem. They also leverage their wider dataset in order to detect threats that legacy providers might not be able to spot.

On the other hand, vulnerability assessment tools take a catalog of all of an organization’s security vulnerabilities—from misconfigured systems to missing 2FA installs—and provide reporting and recommendations around how they can be strengthened.

Platforms like Rubrik are likely to see tailwinds from consolidation over the next several years, with the average enterprise reporting that they have ~75 software security products in use today and want to consolidate vendors in the coming years.

At the same time, the continued migration of data to the cloud—and the growing threat posed by ransomware and other kinds of cybersecurity attacks—will mean that demand for security products like those sold by Rubrik are only likely to increase.

Category saturation: Within the data backup and management industry, there are a numbers of players near Rubrik's scale and with similar growth rates. Between Veeam, Commvault, Cohesity, Druva, OwnBackup, Acronis and others, it’s a crowded, increasingly commodified market where vendors have to discount to win—and if Rubrik fails to cement its new positioning as a security and compliance company, it'll be hard to meaningfully differentiate and expand their TAM.