Hey, thank you to everyone for joining us today. I'm Mike Cikos, and with me, I'm pleased to announce that we have the CFO of JFrog, Mr. Jacob Shulman. Just to handle some very quick logistics, this is a fireside format. I have questions I've prepared on my side, but to make this as interactive as possible, if you do have questions, feel free to ping them through the chat box on your interface, and I'll make sure I get to those while we have Jacob here. If not, feel free to email me at mcikos@needhamco.com. With that, Jacob, thank you very much for the time today. We really do appreciate it.
Thank you very much, Mike, for having us at the conference.
Terrific. And so just to jump right into it, for maybe some of the investors who are newer to the name or maybe dusting it off, to start things, but can you give us a quick overview of JFrog and the value it's providing for customers today, primary incumbents you're replacing, and just anything on the market more generally, and the TAM that you guys are pursuing?
Sure, absolutely. So JFrog is a company in the DevOps space. We came to this world to automate software releases. Pretty much every company today becomes a software company. The world completely changed. You know how different is financial world with the software, but it pretty much touches every aspect of our life. So every company became a software company, and we provide value of very quick and secure software releases for these customers. I know that it could be a very complicated and technical area, but at a high level, people know software engineers writing the code and then software running on machines. What in between, people typically don't know, but that's a huge industry, huge market, full of manual, inefficient, siloed, and vulnerable processes. And JFrog built a platform to automate the software releases from developer keystroke to pretty much any edge.
Our main value is automation of these processes and security, and it's plays very well at scale. That's why we tend to work with larger enterprises. Pretty much top 10 in every industry are our customers. Vast majority, 90% of Fortune 100, majority of Fortune 500, very significant portion of Global 2000, all of those marquee enterprises, use us for their software releases and overall digital transformation.
Great. Great, and I know we're gonna touch on a couple of those different pieces, later in the fireside, but just wanted to ask, we've been going over this with each of the companies we speak with today, but, GenAI, right? And so I think the market's taken a breather as far as maybe some of the hype cycle we were in earlier this year, but still people trying to figure out, how it changes the market opportunity. So would be interested in your perspective, but GenAI, does it help you better address a market you were already addressing? Does it actually increase the size of your market? How does it change maybe the value proposition JFrog can have on behalf of its customers?
Yes. So GenAI obviously is the significant trend in our industry. Although we hear that, this GenAI adoption and success story is more at individual developer level, we still see our customers, very cautious in wide adoption of GenAI in enterprises because of the some legal, security, IP infringement matters. So definitely it will come and will be significant, trend. It just, large enterprises are still very early in adoption of these GenAI capabilities. In general, we believe that GenAI is a tailwind for us. Again, kind of maybe providing a bit of landscape of the ecosystem, so DevOps ecosystem is very, very complicated, but we believe that, there are three areas of expertise in this DevOps ecosystem. Obviously, people familiar with monitoring tools is one area of expertise.
Second area of expertise is, developer tools, where GenAI is more pronounced the player, and then in the middle, it's software supply chain, is where we play. Now, GenAI comes to make developers more efficient, which means that more software will be created or more code written. That will increase velocity of software creation and obviously velocity of software releases. So we believe that, GenAI will be a tailwind for us because people will need more tools like ours to take software to the market, right? Making your software R&D organization is only half efficient, is only half job done. What you really want is to take your software to the market fast and secure, and therefore, adoption of GenAI tools at the code creation will drive adoption, adoption of our platform for software releases. And that's why we believe it's tailwind. Today-
Great
... we started seeing that companies started using and hosting their AI models in our products, in Artifactory, which is our flagship product, and we are already start making first steps to support these MLOps capabilities of our customers. But again, it's just the beginning, and we definitely believe that over years it's gonna be big tailwind for our business.
Awesome. Awesome, and I know I'm, I'm hoping that this is in some way abated as far as conversation because of the differences in the DevOps ecosystem, but we had frequently heard about as recently as a couple of months ago, or at least a year ago now, but increased competition, let's say, versus GitLab or GitHub, and help us think about the differentiation there. With GenAI, where in spite of GenAI, does that DevOps fragmentation still hold, where you still have maybe GitHub and GitLab assisting the developer, JFrog, really that man in the middle that's helping streamline from keystroke to edge, as you were saying earlier?
That's correct. And GenAI, as we see it right now, is more kind of relevant to the developer tool, where GitHub and GitLab play, and that's why this company is launching products in that area. For us, it's more enablement of companies to be able to incorporate GenAI in their processes. So MLOps processes, training of their models, capabilities of securing and providing secure framework for companies to use AI. For example, we recently released a product called curation, which is basically a firewall between open source hubs and organization. So when your GenAI product will pull software, open source component into the code, you'll be able to enforce company security policies before GenAI incorporates those into the application.
We're more of an enabler of this trend, and obviously, we should be a beneficiary as this trend continues to grow.
Okay. And, last piece here before moving on from the GenAI topic, but I think you were kind of teasing at this earlier as far as maybe some more of those initial successes have been at the developer level. But curious to hear on your side, given your customer base and what you're seeing out there, are customers increasingly moving GenAI GenAI-based projects into production, or are we still largely in more of an exploratory phase today?
Yes, we do see that customers moving, those projects in production, but doing it very cautiously. And that's why, as I mentioned earlier, we started seeing customers hosting their AI models in Artifactory, our flagship product, kind of creating these workflow processes. But again, it's just the beginning because still we're seeing that enterprise is very cautious given the potential IP infringement or potential security areas. So a lot of that, a lot of this enablement still has to happen. We, for example, released, also, capabilities in scanning the AI models when you ingest them and bring them into your organization, so our product, Xray, would scan that, to identify vulnerabilities. Our product, Curation, helps with, open-source ingestion and to enforce policies.
So that's this ecosystem around AI use is being built, and we believe that this trend will just continue to grow going forward.
Got it. Got it. If I shift over for a second to optimization, right? And so what was really interesting to me is I know that a number of companies today are talking on their Q3 earnings call as far as how cloud optimization is stabilizing to a certain degree. JFrog, as far as our coverage goes, was really the only company in our coverage on the Q2 earnings call discussing how optimization headwinds were really starting to recede.
Right.
And so just breaking that out, why do you think this was the case, that you may have been a quarter ahead of other folks? And what is it that gave management the confidence, or how were customer conversations tracking that gave you that visibility to say, "Hey, things are stabilizing for us a little bit," before maybe other consumption-based players out there?
Yes, it's hard for me to compare it to other players in the ecosystem or large clouds because typically, that would be different workloads. For example, large clouds, they run thousands of different workloads, and maybe our work was just a very small portion of what they offer to their customers. So it's hard, difficult for us to really comment on others. Specifically to us, as you know, we monetize our SaaS by usage of data transfer and storage, while data transfer is by order of magnitude bigger than storage component. And we started seeing first kind of steps where customers were going through their processes and trying to optimize their usage of our SaaS products over a year ago, in Q3 of last year.
With those optimization efforts were more pronounced in Q4, and even going into Q1, we continue to see this trend. And then we publicly commented that at the end of Q1, in the month of March, we started to see the reverse trend, growth in usage, et cetera. So what really happens behind the scenes is that these robots create thousands of binaries or thousands of artifacts. And in a real software release, you might use a very small portion of that going forward as you promote them to next steps, et cetera. So companies were increasingly focused on optimizing storage capabilities because, again, it's an easier step to take, kind of low-hanging fruit on optimization.
You really need to be focused on how much of that history you want to hold and that binaries that you're not gonna be using going forward, you want, you want to keep. And that's where we saw customers focusing. And because it's relatively low-hanging fruit, anyone who was serious about optimization of that already had an opportunity to do that, right? It's been over a year. Data transfer optimization is a bit longer process, where you have to go through all of your automation that you built, and to evaluate that to see whether it still makes sense and whether you could find some optimization opportunities there. Many times it requires engineering effort, and many times ROI is not there.
So what we believe is that going forward, people will be just more mindful how they grow in more optimized manner, a more efficient manner. But we're happy to see that our cloud usage growth trend reversed, as I said, back in March, and in Q2 it was more pronounced, and then Q3, even we did report our cloud even accelerated year-over-year growth to 46% year-over-year, and we're happy to see that usage continues to grow as one of the component of this cloud growth. And we believe that optimization effort by our customers behind us.
Got it. Got it. And just zooming out for a second and looking maybe at a more macro level, right? Obviously, thoughts from everyone are with those over in Israel right now. Just wanted to call out some of the more positive comments that came from the management team on the most recent earnings call, right? And so can you help us think about pillars of your continuity plan, how you guys have been able to ensure obviously the safety and importance of your employees while still executing at a high level here?
Yes. Mike, first of all, thank you for your support. Definitely, Israel and our team in Israel are going through very difficult times, and we appreciate the support that we receive from, from the investor community. So a few hours into the conflict, we activated our business continuity plan, which comprised of three pillars. One is internal communication and internal continuity, where we identified all employees to ensure their safety, and internal communication with them. Second pillar is related to our technology stack, how we make sure that our production continues and our customers not impacted, how our R&D processes continue, and how we continue to be very protected from the cyberattacks, which may happen during this uncertain times.
Lastly, an external pillar, where we kind of have a plan to continue our commitments, continue to be in contact with our customers, continue to support our customers, and continue to meet those commitments. We're happy to see that these pillars operate smoothly, and we did not have any interruption to our activities. Some of our employees have been called to reserve duty, and we obviously built some redundancy capabilities. Majority of our go-to-market is outside of Israel. Majority of our support, customer support is outside of Israel, so those areas not impacted. Israel, our Israeli employees primarily engaged in R&D activities and operations activities, and we have redundancy plans. We also have R&D center in India as well, and prioritization is the key here.
So how we prioritize our work to meet customer commitments. We launched a lot of innovation in Q3. Now the goal is to take that to the market. And we also have contingency plans as well. What happens if things escalate in the war? What happens if infrastructure in Israel goes down, et cetera? So we have those plans as well. We're continuing to monitor the situation. Hopefully, we will not have to act upon those scenarios. And so far, as I said, we continue to see that our operations in Israel, not impacted.
Great. Great. And I know, again, to revisit some of the earlier comments, but we were touching on security earlier, right? There's been a ton of innovation, to your point, more recently on R&D, but could you give us an indication? People look at Advanced Security, the Curation announcement as well. What has been initial customer feedback or early traction for those two pieces between the Advanced Security and Curation?
Yeah. So these two components, or two products belong to our security core, and, the value proposition and the market dynamic is slightly different, for each of these products. So I will start with the JFrog Advanced Security. JFrog Advanced Security was launched on SaaS, about a year ago and was, made available for on-prem customers in March of, this year. We already have tens of customers, who made purchasing decisions and adopting the product. So the value proposition of JFrog Advanced Security is end-to-end- is to secure end-to-end, software release process, software supply chain. What we started seeing is that,
So DevSecOps is a very wide umbrella with multiple areas of focus: static code analysis, dynamic analysis, software composition analysis, container security, runtime security, secret detection, infrastructure as a code security, et cetera. So multiple point solutions came to this world to solve this specific area problems within those specific areas. What it ended up with is that our customers, large enterprises, deploy five, 10 different point solutions to protect all steps within the software release process. These point solutions have limited visibility. They typically have they scan different databases. They have a lot of false positives and a lot of inactionable alerts. So people have those tools, but they don't feel secure because they cannot identify real vulnerabilities, and that's why we see the trend of doing more with less.
People interested in transitioning to more kind of platform approach, where the tool will provide capabilities end-to-end with single data layer, and will be able to identify those vulnerabilities across multiple steps within the software release process. So that's where JFrog Advanced Security comes into play. It has seven different capabilities, basically could replace seven different point solutions, starting from source code scanning, static code analysis, which was, this capability was launched in September, and going to secret detection and contextual analysis, and a few other capabilities. So definitely, we've had very positive feedback from customers. As I said, we, we see customers increasingly deploying these solutions. No, no CISO in the world will replace their existing tech stack with a new tool right away.
So that's why we see that our customers who make those purchasing decisions typically buy JFrog Advanced Security at the base level, at the base package. Deploy that either in small division or small group, and then compare the results with existing tool stack, and then we'll be making decisions on expansion toward, kind of, other areas within the enterprise when the time for annual comes. So that's why we think that contribution from JFrog Advanced Security and overall security core will not be material in 2023, but we'll see meaningful contribution in 2024. Now, going to Curation. Curation is a different value proposition. As you know, Mike, today, 80%-90% of the application comprised of components that written by third parties, primarily coming from open source.
Historically, the market or those companies who consumed open source either allowed open source into the organization and then did their vulnerability checks while the open source component already within the organization, or wouldn't allow anything inside the organization and would require certain approval steps to be taken before developers can use the open source component with the organization. That's specifically related to large banks, that they're very strict in terms of security. Curation basically is a firewall for open source components that could automatically enforce security policies when a developer wants to bring open source component into the organization. So that streamlines, significantly streamlines this approval process, and the company has ability either to block vulnerable component or to highlight it and transfer it for manual review, or allow automatically, based on security policies.
It's a significant pain that we're solving for our customers. This product was launched in July, and already they have customers who made purchasing decisions, and we're happy to see how the pipeline is building for this product. So, again, we have very high hopes for curation and JFrog Advanced Security as one of the core drivers for us in the long term.
Great. And a bit of a two-parter here, just in the vein of some of these newer products that you've announced, but I think a lot of people may take for granted like that whole strategy around pricing discovery, right? So how is it JFrog thinks about the consideration for pricing these products, and then secondly, the monetization plans for maybe newer capabilities? Should we think of it skewing maybe more heavily towards consumption, where we were talking about data transfer and storage, or are there other elements and levers that JFrog is leaving the door open to that may be more entertaining?
Yes. So this product's kind of part of our security core, and obviously, for us to be successful in this market, we carefully analyzed the prevailing market practice, how people, how our customers think about security and what persona we targeting. And definitely, it's different, sometimes a different persona. CISOs they think differently about security products versus maybe DevOps guys. So our monetization of security core is different from our monetization of our DevOps core. We decided to monetize our security core by a number of seats that for contributing developers. This is how today our security product, those point solutions, are priced today. And we, as a new entrant into this market, wanted to make it simple for our customers to compare apples to apples....
and also enable that same metric across SaaS and self-hosted environments. So, to kind of simplify the transition of customers and be able to secure holistically enterprise, whether they're running SaaS, a self-managed or hybrid environment. So that's why we decided to price it by number of seats. And the price discovery, obviously, dependent on pricing for similar capabilities in the market, and we try to be competitive in that regard because we're new entrant, but also we provide much more than just point solutions, given our native integration with Artifactory, the DevOps core flagship product, which became the single source of record for all the software. And that what resonates very well with our customers.
Got it. And I guess building on that, similarly important to the pricing discovery would be like the messaging, the marketing, the awareness from a market and customer standpoint, right? So-
Absolutely.
... where are we in communicating these newer launches to customers? Is it still a little bit of, "Hey, we're here. This is a new product we introed," or most people understand now, and it's a matter of getting a seat with them for a POC or to kinda get them in the pipeline?
Well, first of all, these products were born from solving real pain, so it very, very well resonates with the customers, when they're aware of these capabilities. But if you think at the high level, about JFrog, if you think of DevSecOps space, JFrog is not yet known as a security company. We started seeing that. We invest in a lot into market education. We're working with, Gartners and Forresters of the world, to get on the, Magic Quadrants and, their reports, which read by CISOs. We also participate in different, thought leadership forums, security events, et cetera, to educate the market about our capabilities. So we decided to go to market with our products to our existing customer base. They already know our significant leadership position in DevOps core.
We already have champions in all of these very large enterprises that we work with, and they are champions able to introduce us to relevant CISO security engineers within those organizations. Because at the end, they work together with security teams to enable this security portion of the entire software supply chain. So that effort has been ongoing. We also invest into a security overlay team. We want our existing sales personnel and quota holders to be able to sell both DevOps core and security core to customers. And that's why we have to enable the existing sales force to sell security and to give them opportunity to pull in experts, security experts, into some of the deals when it's relevant. So that's another avenue that we invest and go to market into our security overlay team.
Great. And just as a reminder for folks, too, so that build-out of the, the security overlay, is that largely behind you now, or are we still in the process of building out that, that muscle memory?
It's still in the process, and obviously, as security practice continue to grow, we'll be scaling that team, but the initial efforts of building this team is still in the process.
Okay. Okay. I think probably two more things we can really hit on between now and the end of our allotted time here, but the first, obviously, the CFO transition, right? So, unfortunately, you will be going elsewhere, and we will miss you sorely.
Thank you.
I know that the company obviously announced that they do have a new CFO who's gonna be stepping in.
Yes.
So could you help us think through the CFO qualifications, why JFrog decided to go with their new, I guess, appointment with Ed?
Mm-hmm.
Is there any expected change in strategy as a result of the potential leadership change?
Right. So Mike, you're absolutely right. I joined JFrog about 5.5 years ago with a goal to build the organization, take it public, and since then, you know, we've been executing very well. We went public more than three years ago. The company has built a full platform for DevOps. We just launched security products, Security Core. We launched our long-term model. And that's why, kind of, I'm sure that I'm leaving the company in great hands with Ed Grabscheid stepping in. Why Ed? So first of all, Ed has been with JFrog, working with me for over four years.
He led FP&A department and played instrumental role with taking the company public, building this execution practices, and the kind of the company has been executing flawlessly since we went public. Played a very instrumental role in building the long-term model, working very closely with our go-to-market leaders and R&D leaders. Again, very instrumental in the finance department, and I don't see any change in the methodology, how we guide or in the strategy, because Ed and I, we did it together, and therefore I believe that I leave company in very capable and good hands.
Got it. Got it. Maybe a quick one we'll throw in from someone in the audience here, but asking about the cross-selling of products and, and selling multiple products to existing customers. I guess looking for more of a, a progress update as far as how we are building traction in that cross-sell effort.
Yes, on the DevOps core, obviously, our subscription structure is built to meet our customer journey, and, as customer adopt more and more capabilities, to add more and more products and charge more. So adoption of Xray or adoption of Enterprise Plus subscription means that you adopt more capabilities on distribution side, and that's where you kind of have this cross-selling. On the security core, again, JFrog Advanced Security and Curation, they add-ons on top of Enterprise X or Enterprise Plus subscriptions for DevOps core. So you have to pay separately for adoption of these capabilities, and we discussed the market need and the dynamics. So definitely, adopting these capabilities will be addition to the revenue that we're already charging for DevOps core.
Got it. And maybe one final question here, but just looking again, from maybe a more macro lens, a lot of folks are trying to think through, if we're in mid-November here, how are budgets coming together for calendar 2024? And so given customer conversations and what you guys are hearing, just curious to hear, are we seeing potential for improved or accelerated growth next year when thinking about those budgets? Is it more of the same? How would you describe the environment we're in?
Yeah. So majority of our customers are going through this exercise, planning exercise right now, and obviously, it's too soon for us to conclude how the budgets for 2024 would look like. Based on the surveys that we're reading and our discussions with the customers, the DevOps adoption, the SaaS adoption, security continues to be a top priority for enterprises, but at the end, their budgets will be driven also by other factors, and therefore, it's too soon for us to tell. We believe that our kind of growth drivers, long-term growth drivers, such as platform adoption, SaaS adoption, and security, will continue to resonate and be mission-critical priorities for long term. And therefore, we believe that our long-term model will continue to be intact in 2024.
Got it. Okay. Okay, and with that, I know we're, we're just at time, but Jacob, thank you very much, and thank you to the audience for tuning in. Really appreciate the time today.
Thank you very much, Mike.