Rubrik is an American cloud data management and data security company based in California, founded in 2014.

Rubrik started as a challenger to traditional storage and disaster-recovery vendors, but has since evolved into a cybersecurity-driven data protection platform.

Rubrik helps companies to stay resilient against attacks and recover fast when disaster strikes, protecting enterprise workloads across on-premise, cloud, and SaaS environments.

Today, Rubrik has over 6,000 customers, including Fortune 500 names like Nvidia, Pepsi, Goldman Sachs and Adobe.

This deep dive will explore Rubrik’s journey, business model, industry dynamics, and competitive positioning. We’ll analyse how Rubrik stacks up against peers like Cohesity, Veeam, and Commvault in the $50+ billion data resilience market.

We will also break down the bull case for Rubrik, examine key risks, review recent financial performance, and conclude with my personal thoughts on Rubrik as an investment.

Table of Contents

1. Introduction

2. Company History

3. Value Proposition

4. Business Model

5. Product Offerings

6. Rubrik Security Cloud

7. Addressable Market

8. Competitive Landscape

9. The Big Four Comparison

10. Competitive Advantage

11. Bull Thesis

12. GabGrowth Quality Score

13. Risks

14. Financials

15. Ownership & Management

16. Valuation

17. Concluding Thoughts (What I am personally doing)

1. Introduction

I personally find enterprise software businesses to be very difficult to understand as they often operate within a black box. I’m sure I’m not alone and hence I thought I would start by giving a short introduction of what the company does and how exactly it provides value to its customers.

Rubrik started as a backup and restoration software business. The early vision was about disrupting legacy backup vendors who mostly designed for human error or natural disasters, but not for modern threats like ransomware.

That threat exploded into the mainstream around 2017. Attacks like WannaCry and NotPetya crippled global giants from the NHS and Telefonica to Maersk and FedEx, costing billions in damages. These events made it clear that ransomware could bring entire organisations and governments to a halt.

Here’s how ransomware works. Every business has tons of data spread across SaaS apps and cloud platforms such as Microsoft 365, AWS, Azure, and even old-school servers in their offices. This is critical to how the business functions. Hackers and bad actors often go after that data, encrypt it and then demand ransom. Companies often pay because downtime is expensive.

Rubrik’s platform is built to counter this. The company has steadily expanded from basic backup into a broader suite centered on zero-trust security, anomaly detection, automated recovery, identity resilience, and compliance. Its software locks down immutable backups, monitors for unusual activity, and enables rapid rollback to a clean state when an attack occurs.

Today, Rubrik protects data across virtually any environment through its flagship product: Rubrik Security Cloud (RSC), which bundles together data protection, data security posture, threat detection & recovery, identity resilience into a single platform.

2. Company History

2014-2015: Founding & Early Launch

Rubrik was founded in Palo Alto in January 2014 by Bipul Sinha (a former venture capitalist at Lightspeed Venture Partners) along with engineers Arvind Jain, Soham Mazumdar, and Arvind Nithrakashyap.

Bipul observed that legacy backup systems (e.g. Veritas, EMC, Commvault) were cumbersome and ill-suited for the emerging cloud era, so the founding team set out to “make enterprise data backup beautiful” with a simplified, scale-out appliance approach.

By integrating software and hardware in a turnkey solution, Rubrik allowed enterprises to automate data protection across on-premises and cloud environments with a user-friendly, policy-driven platform.

2016-2019: Rapid Growth and Unicorn Status

Rubrik’s early execution was rapid. The company launched its first Cloud Data Management appliance in 2015, offering instant data backups and Google-like search for recovery. This resonated with enterprises frustrated by slow, complex legacy backup tools. By 2017, Rubrik had raised a Series D at a $1.3B unicorn valuation.

In 2018, it acquired Datos IO, adding capabilities to protect NoSQL databases in an effort to expand its suite of products and coverage. Growth continued for Rubrik, which led to a 2019 funding round valuing the business at $3.3B.

2020-2021: Pivot to Cybersecurity

Entering the 2020s, Rubrik pivoted its branding toward cybersecurity. The rise of ransomware attacks made data backups a critical last line of defence for organisations. Rubrik invested in features like anomaly detection and immutable storage. In 2021, Microsoft made a strategic investment, valuing Rubrik at $4B.

Rubrik’s evolution continued with key acquisitions to broaden its platform. In 2020 it bought Igneous’s assets, enhancing unstructured data management for cloud archival. In 2023, Rubrik acquired Laminar, an Israeli data security posture management startup, integrating deeper cloud data visibility and scanning into Rubrik’s suite. And in mid-2025, Rubrik agreed to acquire Predibase, an AI/LLM infrastructure startup, aiming to “accelerate agentic AI adoption” on its data platform.

2024: IPO Milestone

Rubrik went public on the NYSE in April 2024, raising $752M at a ~$5.6B market cap. The IPO marked one of the first major tech listings after 2022’s market lull, and Rubrik’s strong debut signalled investor appetite for cyber-related growth stories.

Founder Bipul Sinha remains CEO and Chairman, owning about 7% of the company post-IPO and with stock options that could bring his ownership of the business over the 10% mark. Under his leadership, Rubrik has grown to ~3,200 employees and over $1 billion in annual run-rate revenue, while consistently appearing as a Leader in Gartner’s Magic Quadrant for data protection for six years running.

3. Value Proposition & Positioning

I think the first question that comes to our mind is where exactly in the cybersecurity value chain Rubrik lies. There are tons of businesses already operating in this space, such as CrowdStrike, Palo Alto Networks, Zscaler and many more in the cloud and identity space.

Rubrik sits in the data resilience layer of the value chain. When prevention by companies like Crowdstrike fails, Rubrik is there to ensure that enterprises can recover data and maintain business continuity.

Rubrik’s core argument for its value proposition is simply that prevention and detection tools aren’t enough to prevent increasingly smart hackers, and cyberattacks are inevitable. I think this is hard to argue against.

Rubrik assumes that at some point, attackers will get in. That’s when they matter. Rubrik locks down clean copies of data that can’t be tampered with, monitors data for signs of ransomware or unusual activity and if an attack happens, it helps companies quickly recover systems and identities to a safe state.

4. Business Model

Rubrik generates revenue from selling subscriptions to its Rubrik Security Cloud platform, which encompasses data backup, recovery, and an expanding suite of security and compliance features. Roughly 96% of Rubrik’s revenue is recurring subscription fees for software and cloud services.

Customers typically sign annual or multi-year agreements to use Rubrik’s software to protect their data across on-premises and cloud workloads. This subscription-heavy model (only ~10% of revenue comes from one-time appliance sales or services) provides Rubrik with a predictable revenue stream and high gross margins near 80%.

Rubrik’s go-to-market approach targets enterprises and large organisations, often via a direct sales force supplemented by channel partners. The company has over 2,500 enterprise customers that each generate $100k+ in ARR.

Sales cycles involve persuading enterprises to replace legacy backup systems with Rubrik’s platform, or adopt Rubrik to protect new cloud workloads. Rubrik leverages strategic partnerships to bolster its sales motion. For example, its close partnership with Microsoft makes Rubrik a preferred backup solution for Microsoft 365 and Azure workloads. Similarly, Rubrik partners with security players like CrowdStrike to integrate threat intelligence and offer incident response capabilities alongside data recovery.

Management has indicated a focus on balancing growth with margin improvement, aiming to eventually reach the kind of 20%+ operating margins seen in mature software peers.

5. Product Offerings

Rubrik’s main subscription product, which also accounts for the vast majority of its revenues, is the Rubrik Security Cloud (RSC).

This is Rubrik’s core platform offering that helps businesses protect data across SaaS apps such as Microsoft 365 and Salesforce, cloud workloads such as AWS, Azure, GCP as well as on-prem servers and unstructured file data.

Within this core tier of products is the Data Protection & Backup module and the Cyber Recovery & Mass Recovery module.

Rubrik also has upsell modules such as Threat Analytics/Anomaly Detection, Threat Containment, Sensitive Data Monitoring & User Intelligence, and Rubrik Cloud Vault. These add value and drives higher contract sizes, making Rubrik a security platform, not just a backup option.

Rubrik is also attempting to differentiate and win a larger share of the cybersecurity wallet with its new offerings such as Identity Security/Identity Resilience, AI Acceleration & Data Security for AI, and Professional Services (Consulting, Accelerators etc).

This is how Rubrik is attempting to position itself as not just a backup vendor, but as the resilience layer of cybersecurity.

6. Rubrik Security Cloud

For this section, I will focus entirely on Rubrik’s main platform module. Rubrik Security Cloud (RSC) is built to function as a unified data security and resilience platform for modern hybrid and cloud-first purposes. This section might be slightly technical, but I have tried to explain it in simple layman terms, to the best of my ability.

The main proposition of this product is to protect data from modern threats such as ransomware, keep sensitive information safe, and ensure that when something goes wrong, companies can bounce back quickly.

Flexible Protection

RSC gives organisations flexibility in how they protect their data. Companies can run scheduled backups at set intervals, much like traditional systems, or they can enable continuous data protection, which works like a security camera recording every change in real time.

Zero-Trust Architecture

All of this data is stored securely in encrypted form, either in the cloud, on-premises, or in Rubrik’s own vaults. Unlike older systems that assume everything on the network is safe, RSC is built on a zero-trust model. Every backup is placed in an immutable, air-gapped environment separated from the network so hackers can’t touch it, yet always available through a simple dashboard.

Ransomware Defence

Where RSC really stands out is in its ability to help organisations withstand ransomware attacks. Its AI-driven analytics continuously scan for unusual patterns, like large volumes of files suddenly being encrypted. If something suspicious is found, it can alert the team and even work hand-in-hand with partners like CrowdStrike to contain the threat at the endpoint. If attackers succeed in locking up live data, Rubrik ensures clean copies are waiting. Instead of rebuilding entire systems, businesses can restore exactly what they need, whether it be a single file, or even a whole application in minutes.

Protecting Identity Systems

In addition to protecting data, RSC also safeguards identity systems like Active Directory and Entra ID (both Microsoft systems). Think of these as the “master key” for a company’s computers they control who can log in, what they can access, and what they can change. Hackers often target this master key first, because if they break it, even IT admins can’t start recovery. Rubrik solves this with Identity Recovery, which keeps secure copies of identity systems, monitors them for suspicious changes (like fake admin accounts suddenly appearing), and can rapidly rebuild them. This means businesses can quickly get the keys back and keep restoring systems, even if attackers try to lock them out.

Data Visibility & Compliance

Beyond just backup and recovery, RSC also helps companies understand and manage their data. Its built-in Data Security Posture Management (DSPM) tools automatically scan backups for sensitive information, highlight compliance risks, and give teams confidence that regulations are being met. This visibility is increasingly important as enterprises spread data across SaaS apps, public clouds, and on-prem environments. RSC covers all of these in one platform from Microsoft 365 and Salesforce to AWS, Azure, GCP, and traditional databases eliminating the silos that usually make data protection messy.

Automation & Scalability

Everything is designed to be automated and scalable. Because RSC is delivered as SaaS, it grows with the business without requiring hardware refreshes or manual upkeep. Its API-first design means it can be plugged directly into security operations, so playbooks like isolating an endpoint and instantly restoring clean data can happen automatically. It can even orchestrate full application recovery in the cloud, keeping businesses running when disaster strikes.

Summary

In short, Rubrik Security Cloud brings together backup, threat detection, compliance, and rapid recovery into one seamless platform. By combining zero-trust security with AI, automation, and broad workload coverage, it reduces both risk and complexity. For companies facing rising ransomware attacks and fragmented IT environments, RSC is a cyber-resilience platform, not just a data recovery tool.

7. Addressable Market

Rubrik is targeting the ransomware market which despite being 35 years old, is the fastest growing type of cybercrime and shows no signs of slowing down.

Increasing Occurrence of Ransomware

There is estimated to be a new attack every 2 seconds.

78% of the IT professionals surveyed by Semperis revealed that they had been hit with an attempt in the past year, with 69% of the attempts resulting in a ransom payment being paid.

Data from Absolute Security, which surveyed 500 CISOs based in the US through Censuswide, found 72% of respondents’ firms had dealt with ransomware attacks in the 12 months prior to the survey.

Respondents registered extreme concern over the potential cost of ransomware attacks, with nearly three quarters (73%) indicating a successful ransomware attack could critically incapacitate their business.

Ransomware Risk in Dollars

Ransomware is predicted to cost victims around $275B annually by 2031 according to Cybersecurity Ventures. The pace of growth is incredible, with the cost estimated to be over $20B on a monthly basis in 2031, up from $20B per year in 2021. This cost includes damage, downtime, recovery costs, and ransom payments.

The average cost of a ransomware attack in 2024 was around $5.13M, up from $0.76M in 2019, a 574% increase in just 5 years.

The average recovery time is estimated to be ~24 days and the indirect costs such as downtime, reputational harm, remediation often dwarf actual ransom payments.

Ransomware Protection & Cyber Resilience Market Size

The ransomware protection market was estimated at $27.2 billion in 2024 and is expected to grow to around $99.8 billion by 2033, at a compound annual growth rate (CAGR) of ~15.8%.

More generally, the cyber resiliency/cyber recovery market (overlapping with “data resiliency”) is growing rapidly. A 360iResearch estimate forecasts the cybersecurity-converged data resilience market to reach $34.4 billion in 2025 and $79.1 billion by 2030.

What this means for Rubrik

Rubrik is going head-on towards the recovery side of the ransomware equation. Given the scale and growth of the ransomware market and the increasing investments by companies, I believe it is perfectly positioned to capture a meaningful share of ransomware-related security budgets.

The larger and more costly ransomware becomes, the more valuable Rubrik’s recovery and cyber resilience tools become.

8. Competitive Landscape

The cybersecurity sector is often split into the “big four” buckets: identity & access management, endpoint security, network & cloud security, and backup & data protection.

Below, I’ll try to strip the jargon and explain in layman terms what each of these sectors do, and what value they provide.

Each sector has a different competitive landscape, and the reason I believe Rubrik is an interesting business to look at, is that they operate in perhaps the least competitive sector of the four.

This is what each sector does and how I would rank them in terms of competitiveness:

1. Endpoint Security

Every device that connects to a network is called an “endpoint”. Hackers often try to break in through these and with the large amount of devices available, this is also the most competitive sector. There are dozens of vendors from CrowdStrike, Microsoft Defender, Sentinel One to Palo Alto Networks.

All vendors say that they can stop attacks with AI, and this makes it difficult to stand out. Additionally, Microsoft bundles it for free, making price pressure increasingly intense.

2. Network & Cloud Security

All company data typically flow through networks, both private servers (office servers) and public servers (internet/cloud).

Cybersecurity companies operating in this space are essentially the security guards at the gates, checking all traffic that goes in and out, ensuring that only the right people access the right apps.

There are many large, established players in this space including Palo Alto Networks, Zscaler, Cloudflare, Cisco and Fortinet. This space is growing quickly but many vendors overlap in what they can offer.

3. Identity & Access Management

This is about securing people rather than a device or network. Sometimes bad actors get access to devices or networks first-hand. The aim of companies in this sector is to control logins, passwords, single sign-on and multi-factor authentication.

When you login to Gmail and it texts your phone a code, that is part of identity management. There are many businesses operating in this sector too, from Okta and Ping Identity to CyberArk and Microsoft Azure AD.

Microsoft Azure AD dominates this space because it’s bundled with Office 365 while Okta is the independent leader. There are fewer players here than endpoint or network, but Microsoft’s presence again makes competition intense for others.

4. Backup & Data Protection

In this space, Rubrik is currently one of the leaders alongside Cohesity, Veeam and legacy vendors such as Dell EMC and Commvault.

Rubrik’s closest direct rival is Cohesity, founded by Mohit Aron, who was previously the co-founder and CTO of Nutanix. Interestingly, Rubrik’s founder and CEO Bipul Sinha was a venture partner at Lightspeed who invested in Nutanix and Bipul was on the board of Nutanix from 2009 to 2017. Hence, the two crossed paths and knew each other, ultimately becoming direct rivals. Both companies were born around the same time with the same mission of modernising enterprise backup, making it cloud-native, and positioning it as a security tool.

Another formidable competitor in the space is Veeam, which has built its reputation as the go-to solution for backing up VMware and virtualised environments. It has a massive installed base, particularly in Europe, and is now moving deeper into cloud and ransomware recovery. While Rubrik pitches itself as a “cyber resilience” company, Veeam is still widely viewed as a reliable, flexible backup vendor.

The legacy vendor space is led by Commvault, that has been in the enterprise backup market for decades. It is well-established and trusted, but often criticised for being complex and less agile. To stay relevant, Commvault is rebranding itself as a cyber resilience platform, with cloud-native offerings and a SaaS platform called Metallic. Its challenge is to shake off its “legacy” image while competing with nimbler players like Rubrik and Cohesity.

Similarly, Dell EMC has been in enterprise storage and backup for decades. Its products like Data Domain and Networker were industry standards long before Rubrik and Cohesity even existed. Its strengths lie in scale, reliability, and deep customer relationships across the Fortune 500. However, Dell EMC’s solutions are often viewed as complex, hardware-centric, and slower to adapt to the cloud era. While it still defends a massive installed base, newer entrants like Rubrik and Cohesity are chipping away by offering simpler, cloud-native, and security-focused alternatives.

9. Big Four Comparison

Within this landscape, Rubrik’s primary competitors are Cohesity, Veeam, and Commvault, along with a mix of legacy platform vendors and smaller specialists. We’ll compare Rubrik to its key rivals on strategy, scale, and performance.