Hello. Welcome to JFrog's inaugural Investor Relations Day. I'm JoAnn Horne from JFrog's Investor Relations team. We're so glad you are able to join us today for a deep dive into the company's vision, market opportunity, technology innovation, go-to market, and financials presented by JFrog's senior executive team. We will also hear from two JFrog customers, Fidelity and Broadcom, who will provide a first-hand view of how JFrog's platform allows them to fully embrace the power of DevOps. Before we get started, let me review the safe harbor statement.
During this presentation, we may make statements related to our business that are forward-looking under federal securities laws and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding matters such as our industry, business strategy, goals and expectations concerning our market position, future operations, margins, profitability, capital expenditures, liquidity and capital resources and other financial and operating information. The words anticipate, believe, continue, estimate, expect, intend, will, and similar expressions are intended to identify forward-looking statements or similar indications of future expectations. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our views only as of today and not as of any subsequent date.
Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events. These statements are subject to a variety of risks and uncertainties that could cause actual results to differ materially from expectations. For a discussion of material risks and other important factors that could affect our actual results, please refer to our Form 10-K for the year ended December 31, 2021, filed with the SEC on February 11, 2022, and other filings and reports that we may file from time to time with the SEC, which are available on the Investor Relations section of our website. Additionally, non-GAAP financial measures will be discussed during this event.
These non-GAAP financial measures, which are used as measures of JFrog's performance, should be considered in addition to, not as a substitute for or in isolation from, GAAP measures. Please refer to the tables included in the appendix to the Investor Day materials available on our website for a reconciliation of those measures to their most directly comparable GAAP financial measures. Now just a few housekeeping items. At the end of each speaker's presentation, we'll have five minutes for questions, and after the customers speak, we'll have 10 minutes. At the end of the day, we've planned for Q&A with the whole team. The operator will share instructions for asking a question at the appropriate time. If you need the dial-in to ask a question, please email investors@jfrog.com. Now I'm excited to present a brief JFrog introductory video.
In a world that demands faster, secure, more innovative software at scale, the DevOps-driven software supply chain is more visible and mission-critical than ever before. Mobile devices and applications, cloud services, financial transactions, vehicles and more are all powered by software that needs to be updated rapidly and seamlessly. Binaries, the blood flow of the software supply chain, are the only asset in the world of software that you can manage, build, secure, update and ultimately deliver into production. The hybrid JFrog DevOps platform powers the software supply chain with a universal binary-centric approach, natively supporting over 30 technology types in all clouds or on-premises. The JFrog platform is the database of DevOps.
With JFrog Artifactory at its core, the JFrog platform detects and mitigates security risks across software development pipelines, helping to keep companies safe from known and unknown risks, distributing trusted software from any source to any destination. Over 6,600 customers globally trust JFrog to manage, secure, and distribute their binaries across mission-critical software supply chains. Millions of developers are building a digital world that offers fearless software delivery and seamless software updates on every device. A world where software turns liquid. JFrog, once you leap forward, you won't go back.
Now I'm proud to introduce Shlomi Ben Haim, JFrog's CEO, to kick off the day.
Hello, and thank you for joining our first Investor Day. We are insanely excited to be here at the center of the universe, the center of New York at the Nasdaq building. Although virtual this time, we are happy to share with you our story, hoping the next time it will be in person. We are grateful for having you with us, and we've built an amazing agenda to share with you today. Shortly after my opening, Yoav Landman, our CTO and Co-Founder, will share with you our product strategy, our differentiators, how the JFrog platform is taking the DevOps world and the DevSecOps world forward. Nati Davidi, former CEO of Vdoo and our head of JFrog security division, will speak with you about securing the software supply chain, how security became the center of the DevOps and the DevSecOps flow.
We are honored to have our customers with us. You will hear the story of Fidelity, the story of Broadcom. Each of them support more than 10,000 developers with the JFrog platform. The voice of the customer is the most authentic way to show you how JFrog support the digital transformation. The second half of the day will be focused on the go-to-market and the business side of the company. Micheline Nijmeh, our CMO, will share with you our plans about driving growth at scale, how we are planning to bring more new customers and expanding our business with the JFrog platform and the multiple technologies. Tali Notman, our CRO, will speak about the go-to-market strategy in a hybrid world, what it takes to grow a business to the next scale.
Jacob Shulman, our CFO, will wrap up the day with more financial details and outlook, some guidance for 2022 and beyond. After every session, we will have a short Q&A panel with the speaker, and at the end, we will all be able to take your questions and answer it as a group. We hope you will enjoy the day, and again, we thank you for joining us. Let's start from the beginning. Everyone wants a piece of DevOps. DevOps is everywhere. Everybody's speaking about DevOps. This market is booming. DevOps became the darling of the software supply chain, and a modern organization cannot enable a fast release, a secure release without DevOps at the core. What are the real key results the market is asking for? What is it that our customers expect to get at the end of the day? First, automation.
Everything we do today have to be faster, must be more secure. This flow must be powered not only by developers and working hands, but also machines and devices. Second, we want to trust our software. We want to have control over our software. If we cannot control and we cannot trust the software that we have in the organization, then every organization will fail to release and will become crippled. Third, we hear from our customers, from the industry, from the community, that they are looking for one platform to consolidate expertise about domain. While platform coexist one next to the other, and while complemented solutions are playing together in the DevOps playground, our customers are seeking for more and more consolidation to make this process more automated and simpler. Last, there's nothing new about software supply chain. 30 years ago, we saw software supply chain.
The modern software supply chain, in a very fast move, requires a different look, requires a different technology, requires something that amplify what DevOps is here to solve. A bit over 18 months ago, prior to our IPO, I shared with you this slide. We spoke about software update. We spoke about what happen when you fail to update software at the edge. We spoke about recalls. We spoke about aircraft crashes, banks failures. We spoke about the reality when software update fails. In retrospect, what should have been emphasized is: What is this digital asset? What do we have in the center to enable software update?
While you are doing observability, or if you are a developer that moving to become more automated, if you do security in runtime or development environment, if you are an enterprise or a startup, if you runs automation, if you support devices or you just share your software with other developers, everything you do check in and check out from the binary repository. Artifactory became the database of DevOps because we host this information for all of these players. All of them will integrate with the binary repository. Binaries became the center of gravity, the center of gravity for the modern software supply chain. We will speak a bit more about it in Yoav's presentation, in Nati's presentation.
What is important for us to share here today is that the success of JFrog is not only because of the technology we provide, but also because of the fact that it became too integrated to fail. Due to the fact that every player in the DevOps landscape need to get an access to the binaries, to the metadata, to the dependencies, to everything that you have in the containers and microservice world. This is how we build the business. JFrog was built based on this philosophy. When we think about JFrog, and when people ask us who you are, our answer, we are the binaries people. We are the people that sit in the center. We are the people behind the scene that make this show goes on.
We are the people that liquefying software for you and making sure that this flow runs through the DevOps pipelines as water. We take it one leap at a time, and we are here after an amazing, impressive 2021. We delivered everything that we committed to. When we guide you through 2021 numbers, we said that we are going to invest more in R&D. 29% of our revenue were invested in our R&D to grow the team, to build the team, to have faster releases, to support the market demand, to take more and more of what we've created in the market. Our sales and marketing grew significantly this year, and we invested a lot in building the machine and lay the foundation for the future growth.
Despite the challenging labor market of 2021, we almost doubled the size of the team and hired over 400 new frogs. We reached out to the community although the pandemic reality was different for us. Whether it's in-person or virtual, we never dropped the ball on the community in order to stay focused and to stay connected with the future needs and what we hear from the market. In order to have a faster time to market and to boost our technology to bring more talents, we also grew inorganically and invested over $300 million in M&As. That's the result. This is how we open 2022. We open 2022 strong with over 1,000 employees worldwide. An annual revenue that grew beyond the $200 million. Over 6,600 customers that are now enjoying the JFrog platform, the JFrog technology.
We reported last week 39% growth, a very impressive net dollar retention, a phenomenal retention of our customers, and a very business-focused company with over 84% gross margin. How do we do that? With Artifactory at the core, JFrog built a full platform to serve your binary life cycle. Artifactory, or as our customers call it, the single source of truth, the single source of record, the database of DevOps. Yoav will speak about the platform, will speak about the differentiators. Artifactory became the center of every development organization that we serve. Xray was the next logical leap following Artifactory success. Xray natively sits on top of Artifactory and secures your repository so you can trust your software. Next step was JFrog Distribution, taking the binaries to the edge. Recently, JFrog Connect that takes them to devices.
This is all automated by JFrog Pipelines for CI/CD and monitored with JFrog Dashboard, Mission Control, and Insight. That was not enough. We needed a better technology. We needed security that comes from security engineers to developers and not from developers to developer. We needed to go faster on this opportunity of having the asset that the world is asking for, but also securing it all the way to the edge. We acquired Vdoo, announced earlier on July 2021. Shortly after, we acquired Upswift, planting the seeds of the JFrog platform future. Upswift build a platform of connecting the devices to the world of CI/CD. Together with the JFrog platform, gives us for the first time a full view of what Liquid Software look like.
Now, why this is growing fast, why the market ask for more and more, and how this innovation come into practice, we look at the market. When we went public, as some of you might remember, the addressable market that we looked at was $22 billion. Today's researchers and other companies' S-1 are looking at over $40 billion by the end of 2028. DevOps is a fast, big, growing addressable market that we're after. If you add to it the DevSecOps market, it's getting even bigger. We need to secure not only the developers, but the organizations. Binaries are moving from the developer's keyboard all the way to your runtime environment. DevSecOps is a big challenge and a big market that is addressed.
Last, when we look at our path, when we look at our future avenue of growth, we look at the world of devices. Devices are everywhere. They consume software without human intervention. Billions of devices are powered by software. Billions of devices are being updated daily or even hourly. I will leave you with a question of how many devices we have times how many updates you have to do per day, times how many releases you have to do. That's a very big market ahead of us, and we are very serious about providing an end-to-end solution that will take it down. How do we know that we are doing the right thing? This is how we know. Almost 7,000 customers are telling this to us day in, day out.
The top ten on every vertical on the Fortune 100 is already powered by JFrog. As you will hear today, the leading enterprise of the world is betting on JFrog to take the next leap forward. We are listening to the market and building our technology by developers for developers, focusing on binaries, making sure that Liquid Software become everyone's reality. Sometimes in order to fulfill your vision, you have to challenge the status quo. You have to challenge the way that everybody speaks about what need to be done. You've all heard the phrase that was born in the Silicon Valley by VCs telling you that software is eating the world, which is true. Actually, everybody spoke about the rainmakers, the developers. They have to be empowered. They have to be faster. They need to do more. They need to take more responsibility.
Why? Because we are digitalizing everything. We digitalize our organization. We want to have an electric car and a digital bank. We want our coffee maker to run by software. We do that because everything is connected. Even this Investor Day is broadcast through software and powered by software. When I take a step back and think about how JFrog build the vision, I actually think that we challenge this way of thinking. Instead of building the product for the developers, helping organizations to become digital and then serve the world, we started with the end in mind. We first planned the destination and only then start building. Allow me to suggest something else, to flip the order and think about the world that is eating software. We have more devices today than developers. These devices demand fast, secure update.
They are all connected to digital organizations that if they will not deliver what the market asks for, next generation will not use them. They will fall behind their competitors. Only then we think about who are the people, who are the persona, that we have to go after. Sometimes it will be the developers. Sometimes it will be the security engineer. Micheline Nijmeh, our CMO, will share with you more of what we see in the market. Tali Notman, our CRO, will share with you how we are going to fulfill our Liquid Software in terms of growth, in terms of revenues. The world is eating software. Software is eating the world was a very right phrase for the previous decade. When we look at the future, we will have more devices than human beings that will demand more software updates.
We are not the only one that look at this market and this opportunity. There are a lot of other players in this market, and though most of what we replace today is in-house homegrown solution, something that was built 10 years ago, even five years ago, is irrelevant in a cloud native world. Something that was built by an enterprise need to scale to the next generation of software update. While this is the big opportunity out there, consolidation of this process, making sure that we can take it to the next step, we also see other vendors that are focusing on another asset or another technology. From the moment we complement them, everything become binaries, whether it's security, whether it's build, whether it's deployed.
The clouds, which are great partners of us, a lot of co-sell and co-marketing was reported during 2020 to 2021. We build an amazing relationship with the major clouds in the world. They still provide solution to developers. Sometimes this solution might be an easy going start. When you go multi-cloud, and this is what we hear from our market, when you go hybrid, this is what we hear from our market, when you need a full end-to-end solution, this will not be enough. Obviously, other vendors that takes legacy software and update it, but not focusing on the end-to-end platform, pioneering, changing, innovating the market, providing you with the next technology, this will not be enough in order to answer the demand and the appetite of having an end-to-end software solution, software supply chain. DevOps is at the center.
Before you suspect that I'm becoming too religious about binarism, I would like to leave you with few questions. We all agree that speed is a must in today's world. Can speed be achieved without automation? Can automation be achieved without using binaries? Second question: Do you know what you have in the organization, what your developers are bringing in? Or do you need another reminder like Log4j? Log4j is a binary, and we are going to speak about it and cover the use case in Yoav's presentation, and Nati will double-click on the behind-the-scene of it. But do you really know what is being brought to your organization? Third question: Even if you know what is being brought to your organization, in the world of containers and software packages, it's all binaries. Do you know what you run in your production environment?
Once something happen, you start to analyze and ask for fast remediation without knowing what do you have in your runtime. Are we looking at a hybrid world or a single cloud world, a multi-cloud world? Can you dare to think about 10 years from now, the cloud will be an edge in your pocket. These all questions have one thing in common. If we are looking at the same future, this future will be powered by software packages, by binaries. This doesn't happen just because of a vision. 1,000 folks are working day in, day out to make this a reality. Our vision and system of values, what we call in JFrog, the JFrog Codex is what drives us and fuels us to give the community and the industry the next technology and the full solution. We are investing in ESG.
Our team is thinking about how JFrog can become a better company in terms of diversity, in terms of environmental responsibility, leading not only with technology. Technology is important, and the amount of innovation and pioneering that JFrog did and implemented in the past 12 years since we created this company is enormous. We disrupted the market with every piece of technology we released, whether it was the first binary repository or the first composition analysis that search for vulnerabilities within your binaries and software packages, or the first distribution for your software packages. Last but not least, building a sustainable business, and Jacob will share with you our plans for the future. Jacob will share with you how we are not just implementing technology but also build a solid business together with very loyal, great partners that we call customers.
I will now open the session for few questions from the crowd.
Thank you. Ladies and gentlemen, if you'd like to ask a question, please press star then one on your touchtone telephone. Again, if you would like to ask a question, please press star then one. To withdraw your question, please press the pound key. Our first question comes from Jason Ader of William Blair. Your line is open.
Yeah. Thank you, Shlomi. Thanks for that great overview. My question is just on competition. The Git players argue that the Git repo is the center of gravity in DevOps, not the binaries, because it's where most of the developer collaboration is happening. They also argue that it's harder to move upstream than downstream if you're thinking about consolidating the DevOps tool chain. I guess I just wanted to throw that out at you and see what your counterargument to this is.
That's a wonderful question, actually, and we hear it in the market, obviously, from customers, from investors, from community players. We all only have to look at a few things. A, if it's all about Git, if you can Git-icize, if I may say so, everything, then why the roadmap is looking about binary solution? Second, can you really implement software supply chain management with source code? The answer is clear, and you don't have to ask me, ask every developer. The answer is no. You have to use binaries. Third, Git is important for developers, not only in terms of development, but also in terms of security. What happen after Git? Everything that happen after Git, all the way from the moment it was compiled, and Yoav will touch it a bit more, to production, to deployment, is about binaries.
Now, my team, almost 500 engineers, are using Git as well. This is how we build source. Most of what you have in your organization is coming from outside and coming in the form of binaries, 90% of what you have in your organization is coming from outside to Artifactory as your single source of record, and it's not being built by your team. Developers are using source code. It's very important. It will be a complementary solution, maybe a complementary platform next to a binary lifecycle manager, a binary end-to-end platform.
Thank you.
We have time for one more question. Our question comes from Mike Cikos of Needham & Company. I apologize. Our question comes from Rob Owens of Piper Sandler. Your line is open.
Great. Thanks for taking my question. Shlomi, thank you for the overview, and I understand there's some debates around the center of gravity. Maybe you could help me understand the monetization opportunity because, you know, just looking at the relative players in the space, it does feel like the folks that are playing in the Git world are bigger, growing faster. Maybe help us understand, with binaries being the eventual center of gravity, is it more of a timing issue right now relative to the market opportunity? Or when should we see monetization really hit this area of the market? Thanks.
Thank you for the question. Monetization and putting aside the success and the growth that JFrog performed since it existed, and especially in 2021, is a very important question. First, monetization is not just about developers. It starts to be about the full life cycle, the end-to-end platform. When we went public, that was the only DevOps platform in the world, or as far as I remember. Suddenly, we start to see the market getting mature, more and more mature with adopting consolidations of technologies under one platform. When I'm looking at the opportunity, I know that the market has to take another step in matureness, but it will not just be your repository. It will also be your security, not just for the development environment, but through all the software supply chain.
It will also be the update to the edges, which is still not here. I think that monetization is a matter of maturity of the market, identifying the asset, the digital asset that you need to take care of, and last, providing a business model, a subscription model that meet the customer's expectations. What we see is that the seeds that we put in the ground 10 years ago, there was no binary management in the world before JFrog. So obviously, a lot of what we are replacing now is replacing something that someone built by himself. There was not security at the level of JFrog taking it.
The reminder we got last year from NPM, from Python, from Log4j, from SolarWinds reminds us all that what's not going to be in Artifactory and secured by Xray will fail you at the runtime environment. There is no, until today, an end-to-end distribution system for binaries. We are taking one leap at a time. We are monetizing the market. We are paving the way while building the business and monetizing it. I think that the opportunity ahead of us is very, very big.
Great. Thank you very much.
I think we will take more questions during the panel. Allow me to introduce the next speaker. A little over 12 years ago, he created Artifactory as an open-source project, but the solution that introduced the world with the first binary repository manager. With that, I'm happy to introduce Yoav Landman, JFrog CTO and Co-Founder, my friend and partner. Yoav?
Hi, everyone. Just before I dive into telling you all about the JFrog product and strategy, I'd like to clarify what binary is. Shlomi spoke a lot about binaries, and I want to set the stage and make sure that everyone sees the same thing. As a developer, you write source code, and this source code is merely a text file, okay? It's not something that you can run. This source code may be your own source code, or it can be source code that is coming from the internet, like open source libraries that you pull down from the internet. Then there's a phase called compilation, in which you take the source and you convert it to another file format, and this is actually a binary. This is the file that you can run. Most applications are not about just a single binary.
It's a collection of a multitude of binaries, sometimes thousands of binaries, your own, like inner source that is coming from other people in your org, and the things that are coming from public repositories. You create an application, and this is the binary of binary. This is what you deploy to the runtime. This is what is going to end up running on your iPhone, running in some sort of a production data center, your desktop, and so on. Now, one very important thing that sometimes people tend to bypass is the fact that this compilation phase, the fact that you convert a file into a binary and also the collection of binaries, the aggregation of them to an application, it's a very expensive step.
It takes a lot of compute power, it takes a lot of time, but worse, it's not reproducible. Not 100% of the time. Why? Because your set of dependencies coming down from the internet may change. There may be a newer version of a library that you're using, of another binary that you're using. Your profile on your own system, your compiler may change. There is a lot of dynamicity in this process, and as an organization, you need to know what you put into the runtime. You have to have a stable, immutable point of what you're actually deploying and what you give your customers. Taking the 10,000 feet of any software creation, so this pretty much covers almost 100% of software creation.
I know that there are more delicate steps, but the goal steps is really you write code, you almost immediately convert it into a binary, and then you run this binary. This actually is your software. You run it through a couple of security check and quality checks, and then you distribute it to where it can be consumed by your runtime. Finally, there's the last step. You take it from this place, and you put it in the runtime. This is the software update. This is, of course, a repetitive process. Really, when we speak about a software update flow, it's really a flow of binaries, and this is what the JFrog platform really supports. Okay. Artifactory, we'll speak about Artifactory a lot. It's the database of DevOps.
It's where you store everything that you're going to run. Xray is where binaries are being scanned for security and compliance issues. Compliance is licensing issues. We have JFrog Distribution, which is all about taking this software before it's ready to be deployed to the runtime and moving it closer to the runtime so that it can be deployed. JFrog Connect, which is about taking those binaries and putting them on real devices. We provide this platform in all three major clouds, so Amazon, Azure, and Google Cloud, and you can also run it self-hosted. We are fully hybrid. Let's go and uncover the bits one by one. Artifactory, it's basically the center of every software development process. The reason? It contains eventually the stuff that matters most.
This is what's going to run in the runtime. You have two types of binaries. On the left, you have binaries that are coming down from the internet, open-source libraries, and you have the libraries that you create in your organization and that people are going to integrate into an application which they are going to be installing. The way we developed Artifactory, and by the way, not just Artifactory, the whole JFrog platform, is always with the developer in focus but always have the enterprise in mind. This is the unique differentiation of the platform, and I'll go one by one about these differentiators. First of all, Artifactory is part of a unified end-to-end platform. It's not just a standalone product.
There are other products out there that may cover a Docker registry or some other type of registry, and they exist outside of a complete end-to-end platform. The other thing that differentiate us a lot is actually scale, and this is why most customers are eventually the big ones are coming to us. Writing a repository for managing binaries may sound very easy, but when you have to serve organizations with as much as 50,000 developers with different permissions and very busy deployment cycles, this is where scale comes in. This is where actually we displace most of our competitors and push them out. Universality. We support more than 30 different technologies today in Artifactory.
The reason we are capable of doing that is because we have the infrastructure and frameworks that took us years to develop that allow us to accelerate very fast and add support to new ecosystems very, very fast. Shlomi showed you this, how binaries are in the center and how many players they need to pull binaries and push them in production or pull them in order to facilitate the CI process. The "too integrated to fail" mantra of JFrog is about this integration with so many partners, so many tools, so many vendors that make Artifactory part of many, many software flows out there. Finally, we are not only hybrid, we are also multi-cloud, and we are also multi-region, so you can get our platform in many clouds in different regions.
I want to speak about trust for a second and about having a single source of truth for your binaries. So, if you think about a car, and let's say that you have some sort of an airbag, say, that has a defective component in it. You want to be able to track all the cars that are out there on the road driving with this faulty airbag. Software is very much the same. The goal is to be able to know exactly what ends up in your software. This is what many people refer to as SBOM. It's Software Bill of Materials, and exactly like the car example, it's a bill of materials of everything that exists in your final product. This is what Artifactory provides.
We have several technologies and several bills of materials like that, like build info, release info, pipe info, that gives our customers this information and allow them to actually know what's in the runtime, and this is extremely important. It's not just JFrog Radar. It's actually. This is a MITRE image from a recent work they did, and it's all about creating this secure bill of material along the pipeline of creating software. You can see that pretty much after the beginning, after you start to build your software, this is a game of a flow of binaries. Git becomes irrelevant. Code becomes irrelevant pretty much at the very first step of the flow. I want to give you a real example, just something from the recent days.
I'm sure everyone heard about Log4j. Shlomi mentioned Log4j is a binary. It's a binary that is mostly installed in Java applications, meaning that it's very common in enterprises around the world. This version of Log4j, which was around two months ago, it was perfectly legit to run it. It became the nightmare of every software organization just a few weeks ago. It became such a nightmare that it reached the White House.
What one of the three top banks in the U.S. did, which is of course a JFrog customer, since they have a central place where they keep this bad version of Log4j, they will be able to take this bad version, replace it with a fixed version, so nobody can pull the bad version anymore, and rebuild and redeploy all their applications in just under 12 hours. If you think about the amount of applications running in such a big bank, it's pretty amazing. The fact that you can control it centrally, you don't have to ask for the collaboration of anyone, is a very, very big differentiator. This couldn't be achieved unless they had Artifactory. This was Artifactory, the database of DevOps.
Nati is going to cover Xray in depth in his presentation, but I just want to give you some points about Xray and its uniqueness. First of all, Xray is integrated natively with Artifactory. We have the ability to scan your binaries and break this asymmetry between CISOs and the number of developers. Again, you have a central control point. You don't have to ask for the collaboration of anyone. It also applies the technology of a unique database graph that keeps the impact path. If you remember the binary of binaries, we know how to extract the impact path of every binary that has a vulnerability to it. As part of the Vdoo acquisition, we're investing a lot in this domain. We're adding to this binary scanning.
We're adding misconfiguration security and zero-day vulnerability detection and very leading thought leadership around discovering issues with the ecosystem, with public software in the ecosystem. Nati will cover that in more details. This is Xray. Now distribution. I know that distribution is a very interesting question to many of you, and I want to explain what we're doing with distribution. There are three types of distribution. There is internal distribution, which is all about sharing binaries, sharing artifacts with global teams, with global remote workforce and global data centers. It's just a physical problem that you need to solve. There is another case which is external distribution. This is a very common use case today where companies share APIs, share packages with their own customers, with their own partners, and so on.
Finally, there is the distribution to the runtime, which is all about creating private distribution networks that can sustain network connectivity issues and sustain a huge load of clients trying to get a software update. We have specific technologies at JFrog to solve each and every case like that. I will not have time to go into details about each technology like that. I'd like to share with you a use case of a distribution of one of our customers. This is a large investment bank that is currently implementing this solution. If you think about this bank, they have many, many branches across the world, and they need a safe way to distribute software to it. They are on the JFrog platform.
They are building a solution where they sign thousands of applications. They have tens of different technologies that these applications are using, and they have tens of thousands of developers that are developing these applications, and then distributes to different tens of global locations, each with their own policies and regulations. This is the type of scale when I'm talking about the JFrog Platform. This is the scenarios that we have to support. This is JFrog Distribution. Finally, I'd like to talk about JFrog Connect and what JFrog Connect does. JFrog Connect is the new name of Upswift. This is the acquisition, our recent acquisition from September 2021. What they do is they really bridge the gap between DevOps and IoT operators. Because normally in the world today, there is a gap.
You have your nice DevOps loop, and then when you have to distribute your software and push it to devices, you lose the connectivity, you lose all the metadata that. You lose the flow. You just move to a different system that is disconnected from what DevOps are doing. What Upswift are doing is they are capable of updating any Linux-based device with the software, with the SBOM that depicts each such update. You can manage very large fleets. You can even remediate failures and go and inspect the developers of devices because they have a unique agent technology that is very lightweight and allows you to do that even if the device is not open to the internet. This is the JFrog Connect technology. They also have a very nice low-code update flows.
Many of those IT folks when they are building the update flows, they like to do it in a graphical way, so in a visual way, so you can really create this drag and drop update flow, deploy different type of binaries, execute scripts, and even do rollbacks in a pretty granular way. This is really important because many of these devices are not approachable. You cannot unless you send some technician, you cannot get to them and fix a bricked device. This is JFrog Connect. Now, I'd like to spend a minute with you just to share with you what we are up to, where JFrog is moving.
Because of our unique position in the center, because we are just in the center of every software flow with managing the real bytes that are going to run in your runtime, we are going to expand both to the left and to the right. On the left side, we are going to onboard developers right at their desktop, even before they start writing code. That means that we are going to integrate with their IDEs and more things that will come later. Another very important area of focus for us is the ability to curate all the source, all the binaries, open source or non-open source that gets into your organization. This is a very high demand from customers, especially because of everything that's happening with security nowadays.
Even further to the right, we're going to merge the connect technology and the Vdoo technologies to provide runtime tracking of what binaries are actually in my runtime and also apply behavioral protection in the runtime itself. This is not something that will happen in the most immediate future, but this is where JFrog is aiming. This is a good step towards a live demo just to show you what I'm talking about. My demo is about just imagine an organization that develops a small medical application, the type that you find in many pharmacies today that allow you to do a self-examination. They need to update hundreds of devices and let's say they have a cluster.
I have a cluster, one in New York and one in Dublin, Ireland, and I need to update those devices. The way I would do it with the JFrog platform, I can use the full power of the platform. We will not have time to show everything today, but I will just show you just the end result. We are building the software. We are pushing this application into Artifactory with this software bill of material that tells me exactly what's in it. We are scanning the software with JFrog Xray.
Because we want to be able to run updates in New York and in Dublin, even if the central hub of Artifactory is not available for some reason, or just to save on network bandwidth because I don't want to pull everything all the time from a remote location, we're going to use distribution and push it to edge nodes in New York and Dublin, where those updates are waiting for the devices to pull them from. It's also a matter in terms of security. Finally, we are going to use Upswift. We're going to use JFrog Connect to issue a connect an update request and have the new version of the software deployed to devices and then we will be able to actually see this version and see the new version running.
I actually have a real physical device near me. You can see it here. Just have to be careful. I'm not sure if you can see. Let me try and focus it. This is my small medical application, okay? I can check my vision and check my pulse. I'm going to check my pulse. Imagine that I put my finger into this small device that is attached. Boom, something bad happens. This is a faulty version of the application. Okay. I'm just going to leave it here for a second, and I'm going to switch to the laptop here. Okay. I'm going to log into the JFrog platform. I can see these two versions of the application. This is the medical app application. I have two versions of it.
By the way, these are all containers inside this H and M version. I can actually see that I have deployment tracking. I can see that this application, this version 1 of the application is actually deployed right now. I can also see that it has some critical vulnerabilities to it, okay. I know that those critical security vulnerabilities are the ones causing the application to misbehave. The reason I know it's because of this end-to-end integration. Xray scanned this version of the application. It scanned the release, the full release, this collection of binaries, and I know that it's faulty. Now I'm going to go ahead and push version 2, which has just a very few low severity vulnerabilities.
I'm going to do it through this very develop-ish UI because this is how most developers would do it through a rest call. Now I'm going to go to JFrog Connect from here because I want to track the update process. My application, I'm going to try and use both my hands and hold it in my hand, and you will see the screen flashing as the update is going through. Let me go to the updates page. This is already the integration of JFrog Connect. I can see I have an update here that I ran just 19 seconds ago. Here you see the screen flashing. It means that I have the new version of the application, and now I can try and test my pulse again and wait a few seconds. Testing my coordination.
Yeah, everything works because this new version is not vulnerable and even my pulse is in range, so it's all good. If I switch back to my presentation now. The purpose of that was not showing you that it works, right? We don't expect anything but the JFrog products to work. The purpose of this was to show you this end-to-end integration, this unique. It doesn't exist. This end-to-end integration of binary to device all the way through, this is what our customers are getting from us. It's managing the flow of binaries all the way to the runtime to achieve software updates. If I hadn't done it this way, I would have to stitch together a bunch of different tools and do the do-it-yourself approach in order to achieve that.
This is the JFrog way to achieve trusted software updates. This is what we call Liquid Software. Thank you. With that, I'll have some time, I guess, to take some questions.
Thank you. We'll only have time for one question now. Mike Cikos of Needham & Company, your line is open.
Hi. Thanks for taking the question here. I did just wanna ask you and appreciate the commentary on this expanding product roadmap that you guys are talking to, shifting both left and right. If I think about some of those comments, if we're looking to expand further left as an example and onboarding developers right at the desktop, can you help us get a better understanding of the timing for when some of these new products and features will be laid into the broader platform that you guys have?
Yeah. Of course, when we do this integration, so it means that we are going to integrate into the developer environment into the IDEs. This is what it means. In terms of timeline, this is something that is already in progress. We don't have a concrete ETA right now, but I can tell you that it's already a work in progress at JFrog. Yeah. Any other questions? Okay. In that case, let me introduce to you our next speaker. I would like to introduce Nati Davidi, former CEO of Vdoo and head of JFrog Security. Nati, an entrepreneur and three-time CEO of cybersecurity companies, all paved the way for automated modern software security solution.
Prior to Vdoo, Nati co-founded and led Cyvera, advanced end-to-end protection startup that was acquired by Palo Alto Networks.
Thank you very much, Yoav for the warm introduction, and hi, everyone. It's a great privilege to be here today. Thank you, Shlomi, for having me joining to the executive team in such a day, to share our security approach to product security and our security achievements so far since the acquisition and our security plans for the foreseeable future. A very quick recap about binaries because it will serve the discussion about the security of binaries. The binary starts with a developer coding a code. It's being compiled and becomes something that can be run on whatever, on machines, on devices, on servers, on web services.
This file is being pushed directly to the production environment or become part of binary of binaries and make all its way to your devices, to your mobile devices, to your IoT devices, to your servers, or any other endpoint. In this phase of code becoming binary, many things are happening, and we'll not cover all of them now, of course. I can tell you that binary is not a source code. Binary contains far more than just source code. Binary is what made its way to the production environment and not source code. When an attacker wants to attack a given organization, he'll reach out to the live environment, to the production environment, and not. What he will see is clearly binaries, executed binaries or binaries in rest.
He will want to find a way in, he will want to exploit the systems, so he needs to exploit the binaries. Which means he needs to reverse engineer them and find vulnerabilities in these binaries. Lucky he is, it's relatively easy for him to possess the software because he can simply buy it, or he can drop it from the medical device, or if it's a Microsoft Office, he can simply have it and then start to reverse engineer it or if it's a SolarWinds package, he can just acquire it and start working on that. The binary is what the attacker sees. The attacker can gain access to the software, to the binaries in order to find faults in them and utilize them, and then he will exploit them. Again, binaries are what is being attacked.
Binaries are not source code. They contain more than just code. Therefore, it won't surprise you if I say that all of the highest profile vulnerabilities that were exploited by attackers in the last years, such as in Log4j, in SolarWinds, in Heartbleed, these were all pieces of software that were consumed, integrated, deployed, and distributed as binary, not as a source code. Therefore, binaries must be analyzed, they must be monitored, and they must be protected. Clearly, you have to protect the developer when he's coding his code. In order to also protect the organization that use the software and possess it, you have to embrace the binary approach. The binary approach is the common ground to protect both the developer and the organization that use it.
What is that that the attacker is looking for within the binary when he wants to exploit it? It starts by understanding what it contains. What is the software bill of materials of the binary? Because when the attacker knows it, he can go and find known vulnerabilities in the wild that are public, and he can just try to exploit them. This has of course become the biggest problem of our era. This is why the White House, starting May 21, even before Log4j, raised it as a big issue to deal with. The software supply chain security, the third parties that are being introduced into any modern software.
That's the easiest way for the attacker to get in, to find the third parties, to find the vulnerabilities, the known one within them, which are being called CVEs, common vulnerabilities and exposures, and use them. By the way, clearly it can be also the case with commercial off-the-shelf product, not only open source software. The second thing that he'll try to do if he is a more advanced attacker is to find new unknown vulnerabilities, which are also known as zero-day vulnerabilities, which are considered to be the holy grail of our field. Why the holy grail? Because they can be exploited for a long while without anyone even knowing about them. That, by the way, was the case with Log4j. That was the case with SolarWinds.
These were zero days, and until the point that someone found them for whatever reasons, we'll not get into this right now, only then they were turned into CVEs, into a public knowledge, and then everyone started to try to find ways to deal with that. Again, known vulnerabilities, CVEs, unknown vulnerabilities, zero days, that are being there unintentionally because the developers are not perfect. It's a given fact. No one is perfect. Bugs are there, so vulnerabilities are there, and they will be always there. The next thing, which is relatively new, is malicious code that is being pre-injected throughout the supply chain of the software. Meaning the attacker find a way to push malicious code or malicious packages into your product and then exploit it afterward. The last thing are the simple things, the non-code issues.
Configuration issues, how do you keep your credentials, how do you keep your keys, the interaction between binaries and processes. In many, many cases, these simple things are the easiest to exploit because no one is giving attention to them, and the attacker will definitely do. With that, I would like to move to the more exciting part of what is our approach, the JFrog security approach for these challenges that will be delivered through the next generation of Xray, and actually is already being delivered, and I'll share with you what is going to be announced, actually tomorrow. It all starts with these three decades of tension between the developer and the security persona. The security persona want to be able to apply policies, want everyone to comply with the policies.
He wants to have security in all layers across the entire life cycle of the software, which is a lot. His role is to come to his colleague, to the developer, and tell him, "You are doing a bad job." This is never a fun thing to do. The developer simply wants to deliver his software, to deliver it on time, to release his release in the most efficient manner. When you have this clash between security and development, it never ends with a perfect security, and it never ends with a perfect product, so you lose in all sides. We're first going to actually build the ground for a better collaboration between them, and you can achieve it only by focusing on the binary.
Comprehensiveness for the security persona and efficiency and focus and context for the developer, and this is exactly what we introduce with the next generation of Xray. It starts with software composition analysis, which is contextual, and it's not an alleged contextual analysis. It's something that you can do by only using binaries. We have a proprietary capability we call applicability scanners, that for each and every CVE, will tell the developer whether it's exploitable or not, whether he should take care of it immediately or not. Now, think about the ratio, the difference. Today, the developer gets a list of 1,000 CVEs, and he has someone asking him just to fix it. It will change his roadmap dramatically. We will say, "You do have this amount, but you need to fix only 18."
Not only that, here is the way to fix it step by step. It's not about necessarily updating or upgrading by doing these small changes in order to mitigate the risk. They love it. I can testify. They love it. They use it. This CVE applicability approach is something that can be achieved only through binaries. The second part is the contextual security-focused static analysis of binaries. Very quickly about the SAST and DAST spaces, these products were built to find bugs, not necessarily security bugs. Again, there is a huge difference between telling the developer, "You have new 6,000 bugs," than telling him, "You have four security-related bugs that are exploitable, and here is the proof why is it exploitable, and here is the way how to fix it." They love it. Again, we saw them using it.
Malicious code detection, again, is a newer thing, and we are pioneering it. It's not only about enhanced technology, we are pioneering it. We are the first to introduce the ability to find malicious packages that are introduced into your organization's software. We are doing it in a fully automated manner based on the research that our research team are doing, and of course, I'll share more details on that later on. The last part is about automating the painful manual penetration testing and analysis tasks that can be done through configuration security engine that we have in our offer. Now, take all of this. You have the comprehensiveness for the security persona. You have the focus and the context for the developer that can reduce dramatically the overhead that security puts on him.
Then he gets the evidence, he gets the explanation how to solve it. The more important thing is what happens when it becomes part of the platform. This is the real magic, because security is one thing, but security where everything happens is a different thing. That's actually when we take our security capabilities and stretch them across the entire software supply chain and across the entire software life cycle from the moment the developers start to code, as Yoav mentioned, all the way it is being pushed into the device. Because only by doing continuous examination and accreditation of these binaries, only by that way you can achieve true software supply chain security. Moran, personally, I know that's exactly the reason why we were so excited to do this connection between the companies.
You know, taking such a decision of selling a successful startup company in 2021 and choose the combined avenue rather than the independent avenue is not an easy decision. From the moment that we start speaking about this collaboration, we understood that combining DevOps and SecOps into one big platform is far, far more than just doing only security or doing only DevOps. This connection and same philosophy around binaries is the thing that enabled that. This comprehensiveness that we achieve through the many capabilities of security and the entire platform is the thing that is going to replace and obviates the many other point solutions in the market. Let's talk quickly about our approach versus the competitors, and clearly it's a lot about binaries, but not only.
I'll start by sharing what others are saying about binaries, not us. I think it's more than a decade now that there is this debate of source code analysis versus binary analysis in the space of software security. 10 years ago, the main argument was that it should be better doing binary analysis, but it's so hard to achieve that let's use source code analysis. Today it changes. When I say today, I mean today. Today, like a few days from now. Here you can see, for example, a project funded by DARPA, by EURECOM France and Arizona State University. When the output says they see clear convergence between source code and binary analysis, but in some cases, the binary is superior and find things that cannot be achieved with source code analysis because binary contains more than just code.
Even if you look around the world in different regulation and governmental entities, for example, this one, the Cyber Security Agency of Singapore, in their security scheme for devices, they say you need to evaluate the software of your device using automated binary analyzer, not source code analyzers, because that's the only way to do it. When you look at the recent National Telecommunications and Information Administration report on minimal software bill of material elements, you can see that they suggest that if you can obtain the build and not the source code for the sake of understanding the true, real software bill of material, do that.
I can tell you there are many other citations and great supports for what we choose as an approach, but I want to be a bit more concrete and explain how our approach shifts the application security space into a full end-to-end software supply chain security. It starts with software composition analysis that became commodity. Today, you can just, you know, have open-source solution doing it for you. You will need to configure them, of course, and work a little bit around it, but it's a commodity, and you get a naive output telling you have this amount of CVEs, and you have these licenses. This is not helpful. It just creates more work. When you do it on a binary-based approach with the contextual applicability scanners, you focus only on the things that really need to be fixed.
You focus on the things that really impose risk on the production environment. In terms of the data that is being provided by solutions, allegedly like ours, you usually get just information about number of CVE and a short description. We will provide a very detailed information about the nature of the CVE, about how it could be exploited, about what needed to be done to mitigate it, and actually this is already there, and this is what I'm going to announce. We replaced manual penetration testing parts with the automated configuration security.
We replaced the common source code-based SAST and DAST that are a lot about bugs and not security with binary focus that is looking for truly exploitable zero-days, and we found more than 450 of them in the Vdoo days, and we find many others in the JFrog days, and I'll share that as well. Another important point here, doing it on a binary way will protect your intellectual property. Listen to that because it's not only about how careful you are, it's about regulation. For an example, in Japan, in many industries, you are not allowed to upload your source code into the cloud for whatever analysis, whether security or other. You cannot do it because it's risky. It's risky to expose your source code. We provide a binary-based approach to it.
Instead of telling you, "Just fix your version or upgrade it," which is the usual basic recommendation if you get from a competitive solution, we give you the detailed mitigation step-by-step instructions that will always look for alternatives of dramatic architectural changes or thing that require a lot of work. I mean, just change this configuration, change this permission if possible, and it will solve your issue. Clearly, we do not give you the solution to deal with only one kind of artifact, or only with a mobile application, or only with container, or only with firmwares. You'll have it all in one place. Whatever kind of artifacts, whatever kind of application, we'll deal with them all, and this will be part of the entire JFrog platform, meaning it's not yet another disconnected security solution.
When looking at all of it as a whole, this is where JFrog is going to shine. This is a true end-to-end solution that give, again, the security persona and the developers whatever they need comparing to the fragmented point solution that are being offered by competitors. Another way to look at it is that today's AppSec solutions are focusing very much on the shift left, which we are covering with the binary approach, and they are missing the entire end-to-end software supply chain security. They are missing, for example, what happens when you create your build, your interim build, your nightly build, where your release that goes to your devices. They cannot provide a gatekeeping mechanism that truly tell you, "Be aware, you have a risk. Your customers are going to be damaged because of that."
With our approach, you can do it in whatever gates you choose, all the way to the device. I would like to use now a recent case study that we are very proud of that started actually just before the acquisition were completed, just after the acquisition. It's about a very big one of the biggest network enterprise vendors in the globe that wanted to be able to create a gatekeeping mechanism for their software before it is being pushed to the field. More specifically, they wanted to find zero-days before the bad guys do. We started with a POC prior to the acquisition, where we were able to show how our capabilities produced 14 different zero-days that are exploitable. This is a huge number.
It's hard to stress in such a short discussion. This is a huge number for one product. It was the flagship product of the vendor. It's not surprising that very quickly, and just after the acquisition, we landed with a six-digit deal for three years when the buyer is the CTO of the organization, and that was just for three flagship products. Imagine where it can goes. More importantly, that was the door for expanding with the other part of the JFrog platform. Security becomes the entry point, another entry point for the security persona that pushes the other part of the platform into the organization. Now, I want to spend a minute to talk about the minds behind the solution, and maybe this is one of the most important parts. Our team is what enables that.
Our team spreading security knowledge and enable automation of their minds in order to automatically find zero-days and to push them into our product and to be able to teach our customers and help them with their challenges. That, of course, create brand awareness around security, and it create leads for new customers and leads with existing customers. Finding 450 zero-days in such period of time is a big deal, and contributing such information to the industry is even bigger. Very quickly about how it is being reflected through the Log4j use case. As Yoav shared, immediately when it happened, we conducted a very quick research and updated the entire platform with the detailed research data on Log4j. We released the community open source tool to look for Log4j in binary file, in the JAR form.
We also continued the research to find even more other packages that have the same phenomena, that have similar issues, and we were able to find another very common package called H2 and another very common package called Apache Cassandra that we are going to reveal today, that are in the same level of severity in terms of the commonness of how much they are being used. The team found it and were able to push it to the field immediately. In the case of Log4j, we opened immediately Log4j Research Center that has the entire information that help our customers and the community to solve the issue. With that, I would like also to share with you some numbers.
Since the acquisition just two quarters ago, we came with more original publications, not recycled ones, about high-severity zero-day vulnerabilities, about malicious packages, more than any of our competitors. This information immediately contributes to the community, to the society. Actually, I'll explain why. This information is immediately being pushed to our product and serve our customer to help them block any potential attack. This information is what serves us in our mission to become the provider of software supply chain security, and we will keep doing that. Today, we are going to reveal a high-severity vulnerability in Apache Cassandra that I mentioned. This is a very extremely common package in the level of Log4j used by many, many big organization out there, that unless we found it could have been exploited.
Unless we worked with the maintainers to fix it, the risk was there. In other words, I'm saying it boldly, we avoided, we prevented another Log4j from happening. We did it. We did it with H2 as well, and we will keep doing it, and we will keep doing it in a bigger magnitude as time goes by. In terms of where we are going, we started by delivering Q3 and Q4 milestones around high-profile CVEs and enhancement of the database, remediation, mitigation instruction, and applicability scanners. We are going to continue into the year with the zero-day capabilities, the configuration security, and the product persona experience. Of course, this won't be the end. It never ends. We're going to add more and more capabilities and enhance the existing ones.
I'll take this perfect opportunity to announce the completion of the first integration phase, meaning the thing that I'm sharing now will be pushed gradually to the customers and are available now. First, the data that is being enhanced with more than 700 articles that give you the details about CVEs, information about malicious packages when we are the pioneers in the market of being able to identify set packages. Of course, the most exciting part of contextual analysis that is highly focused on containers, and we start by serving it through the SaaS solution and extend gradually to the self-hosted solution. With that, I would like to thank you, and we'll spend a few minutes on getting questions.
Okay. We do have time for more questions.
Yeah. Hey, thanks for taking my questions. Just thinking about security, there's a lot of vendors in the space. You know, there's a lot of options from the other platform vendors too. You know, why is it important to have a security embedded within the binary supply chain versus using another security application as an overlay? And if you could maybe point to one or two key features within the Vdoo and Xray offering that is difficult to replicate, you know, as it becomes part of the larger JFrog platform, versus some of the other application vendors out there. Thank you.
Sure. I'll take the second part. The applicability scanners is something which is our proprietary capability. Some of it is patent protected. Our zero-day analysis, which is binary-based, is patent protected and is our asset. I can tell you it's very hard to get it. We have three PhDs and a group of 20 vulnerability researchers doing that, building that. Just to get this group in place is by itself a huge target. This is about the second one. For the first part, as I said, binaries are what is being attacked. When we talk about software supply chain and in the White House discussion, we talk about the integrity of software. You have the coding phase, and then many, many things are happening all the way to production. You want to make sure that you keep the integrity.
You want to make sure that no malicious code is being introduced to the software. You want to make sure that what you compiled is what is being introduced in the product. You cannot achieve it technically, scientifically with source code. I hope that answers your question.
Yeah. No, thank you. Thank you very much. Appreciate it.
Sure. Thank you very much, again for your time, and we'll now take a break of 10 minutes before the next session. Thank you.
Welcome back to JFrog Invest Day, and thank you Yoav Landman, Nati Davidi for the amazing presentation. Even I got excited. Now, enough us talking about us. Let's hear the voice of the customer. Let's hear from those who need to face thousands of developers every day and make sure that the business is working. I'm honored, I'm excited to join our partner, customer, and friend, Gerard McMahon from Fidelity, to take the stage. Ger, stage is yours.
Thank you very much, Shlomi. Hello everybody, and welcome. I'm not sure if we can see the slides, but my name is Gerard McMahon, and I'm VP of Architecture. I head up the ALM tools and platforms here at Fidelity Investments. Fidelity has a rich and, you know, powerful investment in technology. We've used it throughout our career in Fidelity, and we use technology to power our businesses and really power our experiences that we deliver all to the customers all over United States and globally. You know, we're going through a digital transformation where we're looking to create the next digital experience, the next digital set of products that we offer all our customers and all of the enterprises and businesses around United States.
In 2016, we began our cloud journey, where we had deployed our first application into the cloud. In 2019, we launched our hybrid cloud strategy, where we're looking at using the services of the cloud providers to best suit where our needs are and again, deliver the products and experiences to our customers. Today, we have about 4,600 applications on the public cloud, and we're not even halfway through that journey. We've a huge amount left in our digital transformation and a lot more to transform as we go through the process. The Fidelity cloud strategy is based around a couple of principles.
One, cloud computing, so enabling cloud services so we can leverage the innovation and the expertise and the services to deploy to cloud quickly and accelerate our business value we can deliver our customers. We wanted one unified plan across all of Fidelity and ecosystems, so we can offer our customers as they create their financial journeys with Fidelity Investments. We want to make sure we have financial accountability, you know, by having a rich and thorough FinOps practice around our cloud journey. We're trying to build our workforce so we can create the talent that's required, again, to deliver the value, deliver the products, and deliver the services. Core and central to our entire cloud strategy is security.
We really want to establish the standards and security best practices. To ensure while we as all our teams has to deliver the cloud, they can deliver knowing that they're safe, they know that the applications they're delivering are secure, and they know that behind the scenes, they're able to innovate and experiment and deliver very quickly the business value, while underneath the security, the guardrails, the compliance is all provided by the cloud platforms and the products and tools and services we leverage. One of the core and critical items among slide 6 is, as part of our digital transformation, securing the software supply chain. In traditional systems, when we were in data centers and doing waterfall development, an application was very simple.
It usually contained a single monolithic artifact or binary, and usually, the development team handed that binary to different teams across silos like testing, production services, operations, as it went through the software delivery life cycle. Very simple and very clean. In the agile world and in digital transformation and as part of cloud, that journey has the application itself, the construct of the application has changed dramatically. There is multiple application artifacts, there is binaries, there is software, there's infrastructure, all having to be developed by the applications. Today in a application, around 90% of an application is open source. That is 90% of our applications are built by people all over the world providing value that we're incorporating and leveraging within our software applications.
How do we trust the work of 90% of all those people for the 90% of what our applications contain? This is globally within any organization. Securing that supply chain becomes critical as we've seen through the events of December with Log4j. It's really critical to ensure that we're protecting our applications, protecting our customers, 'cause that is the most important thing that we hold dearest to us, is that our customers' safety and the financial services, the well-being of our customers that they entrust in us, and it's, you know, our responsibility and accountability to make sure that that trust is honored. Teams are rapidly innovating through continuous development. As they're developing, you know, every pull request, every change that they deliver is they're trying to get faster and faster and faster to get that value into the hands of their customers.
We got to go through all the testing cycles, and then we got to verify that, and then we got to deploy that into production. Now, if every application team had to manually verify the security of everything, all the teams would not be delivering business value. We've got to find solutions where we can package our code into binaries, and then we can entrust that binary into an artifact repository like JFrog Unified Platform. We can have the platform then continuously monitor and continuously scan those applications to ensure that they're compliant with not only what's happening in the external industry from a security perspective. We can also actually scan and monitor what happens and is it compliant to our internal security, our internal audit, and our internal risk policies and controls that we have to implement.
We can verify that the development teams have taken the steps, have done the necessary checking to ensure that it's what we deliver is not only secure, but also is compliant with our engineering policies, our operational policies, our, and our internal audit and governance and compliance policies. If every team again had to do that one-on-one artifact by artifact as they deliver thousands of them a day, we would not actually be delivering any value to our customers. Entrusting that into the platform is a core and critical capability that we require and teams require to ensure that we can maintain that acceleration, where 4,600 applications going to cloud, going through this process on a daily basis.
If we want to get to the tens of thousands of application artifacts that we're deploying on a weekly or monthly basis, we need to have a powerful system that we can entrust that safety to. Not only that, it's the reliability in production, right? Our systems need to be there for our customers. If we're unable to ensure security at the runtime, make sure we're able to deal with zero-day vulnerabilities, rehydrate or to make sure we're compliant with the operating system, we need that system available all the time. If our system, like JFrog, is not available, our systems are down and our customers may not be able to access the systems they require.
That's why we have this partnership, and that's why, you know, when you think about code versus binaries, you know, we have thousands of lines of code changing daily. How do you know in production how it those thousands of changes are spread across lines of code, across multiple developers, multiple teams? Having that source of truth at the binary level ensures we can always rely what's running in production, and we can trace that to the, you know, match that to the binary. Then into the binary, we can build the SBOM, right? The software bill of materials. That can show the lineage, and that can show exactly back to the lines of code to make sure what's running in production. Our source of truth becomes the binary.
That's why it allows us to accelerate our security scanning, accelerate all our software compliance products, and ensure that we have that reliability, we have that resiliency in production that we can always be there for our customers. Shlomi, I'll hand it back to you. Thank you.
Gerard, thank you so much for sharing the use case of Fidelity. What a journey of transformation and how Fidelity become even more digitalized with your effort. Thank you so much for sharing this use case with us, and thank you for your partnership. Our next speaker, Bill Morton of Broadcom, not only have to support thousands of developers, hundreds and thousands of application, but also to support consolidation of inorganic growth of the development organization. Bill, stage is yours. Take it.
Sorry about that. I think I was on double mute. Hi, I'm Bill Morton. I'm the Head of DevOps Platform Team in the Software Business Operations that's part of the Broadcom Software Group. Our team supports about 23 business units across Broadcom. As an example, Symantec is one business unit. CA Technologies comprises about three business units. We work with many different DevOps teams throughout Broadcom. We also work with the SaaS platform engineering team and the services team. We're in the middle of every acquisition, so I've been involved in 15 acquisitions and also divestitures. The most recent, AppNeta, and then a divestiture of BlazeMeter to Perforce. We also work very closely with InfoSec and legal and compliance and audit teams. We're in the middle of everything.
We work with about 16,000 product engineers and hundreds of DevOps teams, as I had mentioned. Because of this, we see a lot of patterns across Broadcom, whether they're developing software for SaaS systems. We deliver about 6,800 deployments a day. Also for on-prem software, for SDK, for embedded software. We see patterns across all those teams. Also we're responsible for the application integrations to a large extent, and plug-ins. With that, the next slide, please, just kind of gives you, slide three, indication for just how we work with the Symantec teams. Here's a number of the DevOps teams just for Symantec. We provide also a CI/CD pipeline, which many of these teams are using and are adopting.
We're able to track their adoption, how they use it, the metrics that come out of that. Also at the end, we'll get how this relates to R4J. Next slide, please. This slide, it kind of shows you how we come up with our standards. Our team helps to define standards across Broadcom. This is not an easy task. It requires a lot of working with the various business units and the development teams to kind of move to standards within the DevOps space. If you've ever looked at DevOps tools, it's kind of like a periodic table of hundreds and hundreds of applications that you could potentially use. There's all these integrations between the various applications, and then there's various plug-ins that are available.
Well, Broadcom, we acquire a number of companies, and when we acquire a company, let's say CA Technologies or Symantec, we find out that they have acquired a number of companies, but they're in different states of integration. There's all these hundreds of variations, and what we try to do is rationalize that down to a standard set that works for most of the teams. As part of that, we can do that because we help define the standards, and also we look for what's happening in the industry as a whole to get out ahead of future acquisitions. We bring new acquisitions into our standard set, enable them to use it, and then help them decommission any of their old systems that they had developed themselves but weren't able to maintain.
All that kind of helps us move to what our standard set of tools is. I won't go over that, but I would just say that Artifactory, JFrog, and Xray are and Vdoo and a number of the other JFrog pieces in their stack are part of our standard set. If you would slide the next slide five. I'm just gonna talk about Broadcom Software Group and their use of Artifactory. We also support the semiconductor side and 17 other business units that develop embedded and SDK software. One interesting thing about Broadcom is even before our acquisition of CA or Symantec, about 40% of our engineers were doing software development. This is part of our core. There's a lot of software development that's going on.
There's a lot of binaries that are being deployed in various methods. We use this for third-party component dependency support also for making sure that we only use approved OS images and any internal product dependencies that we have and various types of libraries and registry and other pieces of this. We also use it for security and vulnerability scanning, which the previous presentations, I believe touched on with Vdoo and Xray. We also use it within our own pipeline. Currently there's about 6,000 engineers within Broadcom using JFrog products, and on the semiconductor side, about 400. We're starting to have some of those teams that we support look at using Artifactory and moving off of their own homegrown systems.
With that, the next slide six. I realize not everybody is a techie here, so I was trying to create an analogy that I thought would work to explain how this works. Continuous integration, the developers who are doing continuous integration, they're like the cooks in the kitchen. They're pulling from all of the latest ingredients. They're trying to make sure that they're pulling the correct intellectual property, following the recipe, doing it correctly. At some point, they're gonna create something that needs to be packaged. They're gonna take something that is kind of code-based, and they're gonna move it to an artifact that can then be dealt with. Our team works throughout both on the CI side and the CD side.
On the CD side, we wanna make sure that whatever comes out is correctly packaged, correctly labeled, the metadata is correct, that it gets promoted to a certain level so that only certain versions or certain components that are meant to go into, let's say, moving from development to verify to production, that we're only pulling in those artifacts that are needed for the next stage. We need to package it up and serve it at the end, like this little quiche at the end. It does more than that. In this analogy, I was thinking, you know, there have been cases when a quiche has been recalled, even though it was perfect, but because it was mislabeled.
I think one of the cases was that it had been mislabeled, and they didn't put that pine nuts had been included in the quiche, or it had been processed within a factory that included nuts. They had to recall all those quiches. Where did they go to? Who were they sent to? You know, it had to be tracked back, and then they had to go and redo their process to make sure that it wasn't happening again. Just recently, there was an outbreak of Log4j, and in this particular case, we had already deployed a number of artifacts. We had to determine what was the impact, who was at risk, and had to track back. Artifactory helped us to do that. It helped us to understand where the impact was.
We also used Vdoo and Xray to understand, you know, how do we go through and make sure that we aren't impacted with any changes as we went to, you know, 2.15 and then 2.16 and 2.17 to try to address Log4j. We used Vdoo to generate reports by scanning the release repositories, and then we provided those reports to the product teams. In some cases, we provided individual reports to the teams. Vdoo was a part of that that helped us get ahead. Actually, we used some additional tools.
We look at, and this is a dynamic space, we look to any tool that can help us understand how to track, how to find, and how to mitigate any of these issues. That's kinda quickly shows you in a way, it's not just all about the source and how you handle it. That's important, trying not to have contamination, but downstream, you also have to be able to deal with all these packaged binaries and make those available to your customers and be able to track it. Just on the SaaS side, we deploy about 6,800 releases a day. That's just a small part of what our team is involved in.
Last slide would just show some of the additional platform tools we use from JFrog. We also are looking at using pipelines in the future, but that's still in a proof of concept evaluation stage right now. With that, sorry for speaking on mute at the beginning, and Shlomi, back to you. Thank you.
Bill, thank you so much. An amazing use case. 6,800 releases a day. Wow, that's impressive. Thanks for sharing with us the Broadcom story, and thanks again for your partnership and the time taken. We will now open the line for questions.
Again, ladies and gentlemen, if you'd like to ask a question, please press star then one on your touchtone telephone. Again, to ask a question, please press star then one.
Our question comes from Sterling Auty of JPMorgan. Your line is open.
Yeah, thanks, guys. Thank you so much for doing this. Basically, I can give you kind of two questions. One is there's a lot of, you know, questions around whether people want complete portfolios of DevOps tools from a single vendor. So the complete suite end to end, or do you still want best of breed? I'm kind of curious about your experience in your environment. Then the second one is the on-prem versus the cloud. Where are you in that journey in terms of the deployment of the DevOps tools, you know, shifting to the cloud, and where do you see that headed?
I guess I'll go first, Gerard. Yeah, this is a good question. You know, the tightly integrated suite versus the best of breed. We go through that process all the time because with every acquisition, we rethink our set of tools and our integrations. What we tend to do is we look for both actually. In cases where we can, let's say on the pipeline side, if there are areas where we can bring in, let's say, pipelines from JFrog, we're looking at doing that. If that makes sense, we will disrupt our own pipeline architecture to do that.
However, we also know that we are very cost conscious culture, so we tend to be careful where we get too sticky. That tension for us is always going on. We tend to balance that by having more than one best of breed, you know, kind of strategy. We look with who we can partner most closely with. We're not only looking at what can they provide us right now, but how closely will they partner with us as we show what our own roadmap is. I would just say, "Hey, we haven't solved that." I think that's. I have been having that conversation for 15 years. I don't foresee that we'll ever solve that completely.
Where we can partner and where we see that our partner is going to address our future roadmap, then, we're happy to do that. On the other part, we're actually going through an on-prem to cloud transformation ourselves. You know, Broadcom as a whole is very data center centric. A lot of what goes into a data center anyway is built by Broadcom. You may not realize that, but so we have our own data centers. Even with that, we still see some benefit of moving to the cloud. Our Broadcom Software Group is largely moving to a cloud-hosted. That's a journey that we're making right now. For the semiconductor side, it's mostly on-prem and data center.
We'll have that mix going forward, and our team kind of balances that. Gerard, thanks for letting me speak first.
Yeah. Thanks, Bill. Yeah. I think for us here in Fidelity, it's an ecosystem of best of breed. We look to see who are the leading industry providers of a particular piece of technology or set of capabilities, and how do we use them end to end to, you know, take the ideas that people create, and how do we move them across, you know, the software delivery life cycle and deliver them into production and continue to operate them. For source code management, there, you know, you look at who are the industry leading providers from a CI/CD perspective, there's vendors out there, and then obviously from binary and artifact management.
For us, it's definitely a best of breed, but it's trying to get the best piece of technology, the best provider of that technology who, again, to Bill's point, we can partner with. You know, as we build deep relationships and deep partnerships because we can't do it by ourselves, just like Log4j, for example, with JFrog and the Xray product and the Vdoo acquisition, they're able to provide security expertise to Fidelity to complement our security personnel and our software delivery experts and our DevOps teams to ensure that we're remediating quickly, we're reacting very quickly, and we're keeping our environment safe and sound. It's definitely a best of breed for us, but using the leading technology and leading partners.
On the cloud side, we're definitely moving all of our DevOps tool chain to a mixture of SaaS plus cloud. You know, when you're shipping binaries, for example, if you look on the cloud, you've got a VM image, so an AMI for Amazon or a VM image if you're in the Azure world, you're looking at container images, base images. These can be, you know, megabytes if developers are doing well, but on some of the larger things, they're getting into gigabytes. If you've got to move gigabytes of data across your network, you know, that's a huge amount of bandwidth, especially if you're talking about a large event where there might be massive amount of compute to scale up for that event.
The transfer of gigabytes of data over the network is going to impact your business. We wanna be in the cloud, and we wanna have all of our binaries and things like that at the Edge, so we can be in proximity to where our applications are, so we can have high performance, we can have low latency, and we're not flooding our network and our network bandwidth to the cloud. 'Cause that actually interferes with our other services that we might offer. Or all of our associates who use their laptops connected to our corporate services, to all our businesses that might run on premise going up to the cloud. We gotta make sure we're protecting all of that and maintaining it, and again, proactively making sure we can provide for our customers.
Makes sense. Thank you.
Thank you. Our next question comes from Steve Enders at KeyBanc. Your line is open.
Hey. Hey, great. Thanks for taking the questions. I guess I just wanna ask on how you kinda see the future usage of JFrog evolving for both of you. I think there's been a lot of discussion here on some of the expanded security capabilities and, you know, distribution and connecting some of those areas. But I guess, how do you kind of view some of those newer areas fitting into what you're trying to do? And then, as well, how you see your general usage of JFrog, you know, evolving from here?
Sure. Maybe I can start this time if you want. We actually see under two ends. We're very excited with two ends of it. One is under, so what I call the left side of development process, which is kind of Xraying what we're calling curation. How do I have Xray be my gateway to the external open source world? We have about 16,000 technologists here in Fidelity, you know, all of them coding away, you know, pretty much around the clock. 24/7 depending on, you know, between our global locations and our U.S. location. As developers pull in dependencies, we gotta make sure that they're secure, right? That we're not pulling in anything that's containing a vulnerability.
We gotta make sure we're using the right software, right license types. We gotta make sure, you know, make sure we're not using old end of life pieces of technology, and things that might create technical debt in our environment. It's very important that we have a point for where developers go to pull in all of that external work. We wanna make sure we scan that in real time to ensure we're not creating friction on our developers and slowing them down, but we have the guardrails in place that they can develop at a safe, high speed, but safe and secure. That's one thing we're gonna be heavily investing in over the next number of years.
As that software then moves through the software delivery life cycle, we wanna make sure we're scanning it moment in time, depending on what we want to check for. If it's secure internal audit and then internal policies, we wanna make sure as we promote that artifact, that we're ensuring it goes through the necessary steps, we can certify and we can provide the evidence for that if, you know, based on any audit or security or anything like that. We also on the right side of it in production, we want to really distribute our binaries right to the edge. In some cases, we have trading platforms which are really, you know, you're talking about milliseconds, microseconds, latency that, you know, we, if there's a blip in the network, these applications have hiccups.
If there's a scaling event, if there's a rehydration event, we wanna make sure that those binaries are as close as humanly possible to the application binary. If need be and if we're using the Kubernetes world, we actually might deploy them, the binaries, right alongside in the same namespace, right alongside the application pods that are running. On a scaling event, those things can react very quickly and make sure they're providing the services within all the SLAs, the SLOs, the SLIs that those applications have to adhere to. That's kind of how we view it. Bill?
Thanks, Gerard. I'll just talk about a couple things. We are looking to address a number of. I wouldn't say gaps, but inefficiencies in our pipeline. One is, how do we deal with third party artifacts? In the past, we let every development team kinda deal with this themselves. As you can tell with Log4j and other issues, it takes a while to figure out, okay, which development team is using what, and what version are you on? Did you patch to 2.16 or are you on 2.17? What we decided was we needed to get ahead of this and try to solve it for the DevOps teams. We are looking at a number of third party artifact management systems.
As we went through this and as we started to partner with JFrog, they are working with us in this area. Being able to vet open-source and third-party components ahead of time and then, and then say we want to vet third party components and then say these, and then tag them and say, "These are the ones that have been vetted." If teams want to use ones that are unvetted, they can do that in development phase, but they won't be able to promote, they won't be able to package in the later stages, and then go into verify and production. This is one area where we see some benefits potentially from JFrog. The other area is on the pipeline side. Broadcom has. We have our own pipeline. In any particular area, we already are looking to disrupt ourselves.
If it's possible that JFrog Pipelines could come in and do more for us, we're trying to create a secure execution environment so that essentially whatever is needed to do the build and to package it is only temporary. It will go away. It will be deconstructed, and then that way it's a secure environment. We're looking for JFrog to help us in that area. We've made some enhancement requests recently in that area, and JFrog's been very responsive to that. Hopefully that answered your question.
Yeah, that was perfect. Very helpful. I appreciate both of you answering that.
Thank you, Gerard and Bill. Bill in San Diego, sunny San Diego, Gerard in Ireland. You guys together support 30,000 developers, and who knows how many applications and processes in the organization. You are the real champions of DevOps and leads the community. We are honored to have you as our customers. Thank you for taking the time to join us today. Thank you for sharing your experience and wisdom. Thank you very much.
Thank you.
I would like to move to the second part of the day. Hope you guys are ready to hear a bit more about our business. Although I would spend more days speaking about technologies and binaries and why it's important, we also have to cover the business side of the company. I'm honored, and I would like to introduce Micheline Nijmeh, JFrog's CMO. Micheline brings over 25 years of technology marketing experience, leading and implementing global enterprise marketing at high-growth software companies. Prior to JFrog, Micheline was the CMO of Zscaler, a global market leader in cloud security. Please welcome Micheline Nijmeh.
Thank you, Shlomi, and thank you Gerard and Bill for the amazing story that you just shared in your journey with us. We're excited to have heard this. I wanna bring back the kind of half the day we shared, we reviewed with you a few things, and I wanna kind of bring back kind of a summary of where we are today. As you've heard from Gerard and Bill, enterprises have the need to deploy software quickly, as quickly and possible for every day. They will need to deploy it to the edge, as Gerard and Bill just shared. With that comes complexity and efficiency if we don't have the right tool. With JFrog, as you can see, when the developers are using the technology, it can be.
They can bring from different organizations, millions and millions of software components. You heard from Gerard that 90% of his software components are from open source. This opens up the organization to security vulnerabilities to large-scale attacks. Without the right platform or without the right unified tool, this can also be at risk. When you think about also the complexity of organization in terms of where they are in the digital transformation, Gerard and Bill shared their view of their journey. For example, some might be under the journey of on-prem, some may be going to the cloud or hybrid. Without the right tool that's automated and secure, this can be a challenge. The JFrog platform is a unified platform that only provides the single source of truth.
They bridge developers to their production environment, and they bridge organizations to their customer. Today I'm going to be sharing with you a little bit about how we're addressing these challenges and how we're planning to grow the business to address these challenges with the persona and the go-to-market strategy. Tali will be sharing with you the sales motion to influence the go-to-market. There are three types of personas that we're going after. The first is the community. They are the developers. They are the heart of every organization who builds and secures and releases software. When you think about the amount of software that they're managing, you heard from Gerard and Bill, thousands, tens of thousands of developers that they are supporting. They expect a universal tool that works in their environment.
They expect a tool that works within their tool stack, and we are committed to universality. We were the first to go to market with a universal repo, and we continue to support that with over 30 software packages today, and that's only the beginning. We continue to invest and partner in open-source communities such as Conan, which we acquired for this growing community of C++, or partner with Apple for their Swift because we know iOS developers have this need. This is only the beginning. We wanna make sure that the massive adoption that we're trying to do with our platform is making it easy and simple for them to access our platform. You heard from Nati about security. Now, we used to address security from a developer standpoint.
With the recent JFrog and Vdoo acquisition together, the integrations of the capabilities, we're able to open up our platform to a new entry point for security. These security personas, they're the ones who are needing and worrying about tool, security tool consolidation or proliferation. They worry about security and compliance. This is just the beginning for us, because this is a new persona that we're going after. We have work to do in terms of building the brand and the engagement, but we have the team, and we've acquired from Vdoo over 160 security experts, so we know that we have the foundation to build the brand as well as to engage and drive the demand. The third persona are the product leaders. These are leaders are the ones who worry about standardization.
They worry about automation efficiency. When you think about as we go up into an organization, what's important is we start influencing the CTOs, the CIOs, and these are important when you think about a unified platform. We are looking at an end-to-end platform that we will actually offer them as a unified view and visibility that Yoav shared earlier. With that, you've heard from Yoav, from Shlomi earlier today, the available market to us. You heard from Nati and Yoav in terms of the unified end-to-end experience with the platform. There are a few growth opportunities that we're going after to address those challenges that enterprises have with our unified platform as a solution. The first is the platform adoption.
We have been a successful growing, high-growth company because of the bottoms-up product-led motion that we've had, and we're gonna continue to support that. That is an important engagement for us to building the community. With that, we have community events that we support, and the entry point to that is our free subscription to cloud as well as on-prem trial. When we think about the growth in terms of the enterprises, we've been seeing many enterprises join the unified platform through our enterprise subscription, and we wanna double down on that. We wanna go deep and wide, and we've implemented new motions to support our inbound bottoms-up funnel. Think about the outbound that we're implemented. We've hired field marketing managers to support the regions, to support Tali's sales team.
We've also implemented regional marketing to support the cloud adoption and co-marketing that we have. As you think about what we've done in Americas, we want to replicate that in the international regions. For example, Europe and APAC is a focus for us. We've started to build the brand there. We've started to build the marketing and sales motion, but we're going deeper and wider in there. For example, APAC, if you consider the number of developers that are in China, India, and Japan, we are the first to start thinking about that in the region. We wanna be the first to think about that in the region. We have built marketing leadership there to begin the brand awareness as well as the demand.
Shlomi talked about the various different industries that we cater to. One of them is the public sector. You heard the different standardizations from the government talk about the Log4j and the DevOps modernization initiative. Well, we wanna make sure that we're taking advantage of that. Our customers are reaching out to us from the on-prem side to ask for engagement and support around our initiative. What we've done as a strategic move is lead with the Iron Bank certification for our on-prem customers, as well as our cloud customers. We are looking to be certified for FedRAMP later this year.
With that, I want to kind of take a summary of the excellence that we've had and the growth that we've had from the company the last several years with a product-led approach. We are adding to that. If you think about all of the different motions that we're adding from a marketing organization, from our inbound moving up to our outbound as well. We are looking at the different growth revenues that we have with the developers, with accelerating the growth in the enterprise, and the expansion into the APAC and EMEA region. I feel confident that we've built a team and we've built a process this last year to scale for next year. With that, I'll take some questions.
Thank you. Our first question comes from Sanjit Singh of Morgan Stanley. Your line is open.
Hi, thank you for taking the question. I wanted to talk a little bit about the free product offering that the company announced, I think, towards the end of 2020. It might have been 2019, correct me if I'm wrong. Two questions there. One, how successful was that in terms of building a base of new users to attract to the JFrog platform, get them to sort of kick the tires on the expanded portfolio offerings that we've seen over the last year to two? And then secondly, what initiatives are you driving to drive that free to paid conversion? What did that look like last year, and what do you have sort of set up for 2022 and beyond to drive that free to paid conversion?
Thank you for the question. Yes, with the free cloud offering that we have, we're seeing more additions to the cloud with a free subscription. We are seeing more consistent conversions throughout. What we're actually seeing is that a developer may come in and sign up and start using the offer, the solution, but then he or she are also adding their other engineers to work together on the free tier, but then also come back and buy. We are starting to see that. We wanna continue to drive that adoption, 'cause we know this year is if we have massive adoption from the bottoms up from our developer community, eventually they will convert only because they're using it and they're active users.
To your second question, we will continue to engage with the community. We have a developer relations team dedicated for the support of the community. We will continue to support them with the software packages that we offer that are compatible with how they work. We will continue to evolve and make sure that we are engaging with them at the level of where their environment is. I believe Yoav talked about their CLI, and where we'll meet them where they actually are.
Thank you. Our next question comes from Mike Cikos of Needham & Company. Your line is open.
Hi. Thanks for taking the questions here. Just wanted to circle up. I appreciate what you guys are doing with the community and the developers. If I'm thinking about tapping into the C-suite, some of these CTOs, the CPOs for attracting at the, I guess, product level, higher end of the organization, typically that's a different sales process or a different orientation. Can you talk to specific initiatives that are underway at JFrog to help you in that process, just to ensure that this is a, I guess, a seamless endeavor as you are going to these higher end executives at the leadership levels of these customers?
Absolutely. We are seeing. We see different stages. Well, it depends on where you are in the organization in terms of the market segment. We do see still that developers are influencing the purchase decision. We see that. As we go up market, we are seeing more and more leaders, like I mentioned earlier, the product leaders. We're seeing VPs, as well as the C-suite. The C-suite are influencers to us. They're the ones that we are going to be making sure that we are driving awareness and engagement. Then when you, Tali Notman, our CRO, will talk a little bit more about the strategic team, but we've put in place a strategic team and a field marketing team to support in terms of how we're going to go top-down. This last year, we've just implemented a new marketing motion.
We have outbound, we've tripled our SDR team to go outbound and look and engage with the top-down approach. It's a balance. It's a bottoms-up approach with our community, but it's also going top-down with the VP, director, and the decision-makers.
Thank you for that. One more if I could just squeeze it in real quick. I know you were talking about the developers influencing that purchasing decision, and I have to imagine it's a delicate balance at your customers and prospective leads as far as the power that the developers are taking on versus the power that the C-suite holds. Maybe taking a step back, can you just help us think through what that dynamic is at your customers? 'Cause it makes sense that you would be feeding into both the top and the bottom end of the funnel. I'm just curious how those organizations are handling that struggle or challenge, if you will, on their side.
Well, actually, Tali's gonna be sharing with you the journey of how an enterprise, they've evolved with us, and she can touch that a little bit. If we didn't answer the question then, I'm happy to answer it at the Q&A panel. What we're seeing is definitely, as you said, at a balance between driving influence and then making the decision. I think you'll enjoy hearing Tali's presentation around the journey of an enterprise, and we can touch on that a little bit.
Terrific. Looking forward to that part of the presentation. Thank you.
Thank you. All right, thank you for the questions. I would like to now introduce Tali Notman, JFrog's CRO. Tali proudly leads over 6,600 customers portfolio that she built from the ground up, from almost day one at JFrog. She built JFrog's go-to-market strategy. She has grown the organization, the global revenue team, and it has consistent growth year over year for over 10 years. I'd like to introduce Tali, my partner in crime, and our CRO.
Thank you, Micheline, and thank you everyone for joining us today. I'm excited to be here. I'm Tali Notman, JFrog's CRO, and I'm happy to share with you today the JFrog go-to-market strategy, and mainly how we're taking it from here, stronger and faster. Let's start. Before I will share with you the new growth areas that we are after this year and then in the next year, I would like to take a moment and share with you the foundation of the future growth, because the foundation is definitely important, and you need to trust that you have the strong foundation in order to build the next layers in your go-to-market.
There is no better way than developing your go-to-market based on the alignment between these, four pillars that you see here, the evolving domain, the changing adapters, the JFrog solution that keeps expanding over time, and the sales motion that continues to change. What started with agile software development with an individual adapter, the engineers, and was served by the single product of JFrog, was really enough to serve with a bottom-up, self-serve, low touch. As we continue to evolve and where we are today in a world of digital transformation, we see the level of interest at the level of the organization with different types of adapters and different types of personas.
This is where JFrog is taking another leap and providing end-to-end platform to address these needs of our customers, and we are in alignment adding additional motions of sales such as the top-down strategic sales and indirect sales. You of course heard the stories of Bill and Gerard, and I would like to take a moment to share with you one more story. This story is a story of one of the largest wireless network operators in the U.S. This customer started with JFrog in 2014, adopting basic binaries management capabilities and using our Pro subscription with less than $30,000 initial land. As they continue to grow with the automation in the organization, this customer is now moving to serve more teams and adopting highly available solution by JFrog, now upgrading to the Enterprise subscription.
In 2019, this customer is now adapting Xray to secure their binaries and upgrading their subscription to Enterprise X subscription. In 2020, we are looking at a company that is now standardizing all DevOps processes on the JFrog platform and of course upgrading to the Enterprise+ platform. Now here is the interesting thing. This still is a project of a customer that is serving internally, the internal use case of what Yoav called before the internal distribution, Global Technology Services, with thousands of users in the organization. This story is actually becoming even more interesting when in 2021, this customer is taking us towards a new adventure and looking to distribute their software to the 5G cellular towers.
Of course, the default player for them is JFrog, and this is where we see them taking the Enterprise+ all the way to the runtime with distribution to multiple edge points. We are looking here at $2 million in ARR. This is the last year in 2021, and this was managed by the strategic team of JFrog in the past year. What we really see here is the potential of this customer to continue and grow to multi-million dollar ARR in the future. Now the question is, how do we do it? The first thing that we believe in is high focus.
We focused on our team in order to make sure that we maximize the potential that we have with each and every tier in the market, from the SMB all the way to mid-market and the enterprise, and applying, of course, the different sales motions as I shared before. Our inside sales with low to mid touch now to take everything from SMB all the way to the enterprise, and yes, you know right, we added strategic sales as well. Before I will get there, I wanna share with you that we are not transitioning into strategic sales. We are adding additional capabilities. We are adding additional motion, but we are actually also doubling down on the base, on the foundation we built in the first decade of JFrog with outbound sales, with security focus and hybrid, and hybrid sales team. High touch strategic sales.
I was sharing with you prior to our IPO that JFrog is going to develop the strategic sales practice for the first time at JFrog, and so we did. In 2020, we established our strategic high touch sales team and continued to build this team over the past year, and in 2021, we already had a global team structure of account executive, solution architect, and high touch support led with an experienced leadership. This is again just the very beginning. We are looking to continue and develop this practice with indirect sales, going after top GSIs, going together with our cloud partners, and of course provide more white glove services and premium support. One of the things that was mentioned by Micheline before is definitely having additional focus on industries such as government. This was shared with you last week.
This is from our last earnings. We are looking at 2021 ending with 537 customers with over $100,000 of ARR. This is impressive and definitely I'm excited for this number. I'm excited for this number not only because of the fact that we see more growth with our existing customers, but also because we do see more customers landing on the platform of JFrog from the get-go. There's another reason why I'm excited with this number. It's actually because of the fact that we see here the additional 6,000 customers that are not yet on the JFrog platform, and if you connect the dots of my previous slides and everything we heard today, then you will see where I'm taking it to.
I'm taking it to new routes of revenues and additional growth of the business. First and foremost, cloud. Our cloud sales strategy is definitely aligned with the company's strategy as we are taking our customers and the company towards a future of hybrid this year. We are merging the two teams, the cloud and self-hosted, into one team, removing friction from the internal resources that we have and enabling more customers to grow towards a hybrid future. This team is definitely even incentivized with cloud first in mind. We are taking our cloud partnership to the next level of co-sales to ensure that we continue to grow our business together. If I'm touching on the cloud partners, this is another area for growth for us moving forward.
Just as I was standing here in 2019, end of 2019, and shared with you the development of the new strategic team, I'm sharing with you today that JFrog will start this year to establish the indirect sales with partner programs targeting the top GSIs. Not only that, this year, we actually transitioned the cloud alliance team from the business side into my organization with one goal in mind, to align the vehicle, the driver of this growth, with the revenue growth moving forward. Another area for growth for us is geo expansion. Just as Micheline mentioned, we are going to gear up with APAC. You heard us sharing with you that in 2021 we made some investment. This is the time for us to continue and gear up in APAC.
I want the developers of APAC to have JFrog and the JFrog solution as the default opportunity option for them to use when they are exploring the new path into DevOps. Of course, we will do it with expanding our direct teams, we will do it with additional channel partners, and we will also develop and establish our multi-cloud strategy there as well with top cloud providers in the geo. Last but not least, you heard a lot today about tech innovation, and you know what we know to do with it already. As you saw in the previous slides, when I'm getting technology from my product team, this is the time to embed it in our go-to-market as well. All the innovation in software supply chain will be, will continue to be the driver for enterprise scale.
Not only that, we were talking about security quite a lot today, and this is an exciting new entry point into our platform. Last is the IoT. This is a complete greenfield that we will go after in order to generate additional new business for JFrog. With that, I'm positive that myself and my teams are ready to conquer our next business goals. Thank you. I'm ready to take some questions from the audience.
Thank you. Our next question comes from Sanjit Singh of Morgan Stanley. Your line is open.
Thank you for taking the questions and thank you for the very thoughtful presentation. What we've seen over the last 12-18 months from JFrog is really expanding the portfolio quite significantly into security. I wanted to get your perspective on how you plan to sort of monetize this security innovation in two senses. One, sort of getting the core users of JFrog, these DevOps teams, these developers and engineers, to take on the security products like Xray. Then on the other hand, the whole security operations team, which are pretty influential in terms of vendor selection. What resources have you built, and how are you going to better address this almost new buyer in the organization where you guys may not have previously had as much experience dealing with, sort of address both sides of the security sales motion?
Thank you for the question. Well, the first thing that we need to take into account, and just as you mentioned, when we're thinking about going towards security, we first have to keep in mind that just as I mentioned before, this is an entry point into our platform. The goal eventually is to be able to bridge the gap between the security people and the developers, and you can come from either the door of security or the door of DevOps processes and eventually have one joint ground for the two. Now, when you're looking at the existing business of JFrog still, half of my customers are not using Xray. This is where we will have to continue and grow, of course, adoption with the new solution.
Not only that, we will have to go after the new adopters, as you mentioned. Now, we acquired the Vdoo company, and we didn't just acquire the solution, but also we joined great talents to our teams. We will continue to work on developing these practices within our teams in order to ensure that we know how to go after the security persona and take them all the way towards the adoption of the platform.
Thank you. Our next question from Benjamin of Piper Sandler. Your line is open.
Hi, thanks for taking my question. Looking at these new routes to revenues, just with these four categories, wondering if you can sort of rank order them. I guess thinking about them in the context of path of least resistance, where you think the greatest short-term opportunity is. Specifically looking at the partner and alliance group, exciting to see that you're gonna move more heavily into targeting GSIs. Can you just talk about the monetization opportunity there and the growth opportunity there and what the strategy is?
Yes, definitely. Of course there are some growth areas that we are already well invested in, and some of them, as you mentioned, are newer to us. The cloud strategy is something that, of course, as part of our targets few years back in the past, I would say mainly two years, we started to shift over this direction. We will continue to invest in this direction, mainly by the way, because of the fact that we are looking at customers that are looking to continue and take the journey, you heard it from our customers today, moving into the cloud. As for specifically the indirect sales, there is one area of indirect sales that we are developing and establishing, but there is a different area of indirect sales, the cloud indirect sales or the cloud alliance.
This is an area that was already, as I mentioned before, developed in the past few years, and we have there the growth engine. Now we have to make sure that we will take it toward the process of building the revenues even higher, stronger revenues coming from our cloud providers. Of course, the establishment of indirect sales will be a process of just like in any other company, will be a process of putting the right foundation. Just like we did with each one of our growth areas that we had in the past years, we will have to first build a strong foundation and only then accelerate. This is where we are taking it moving forward. Do we have more time for
Thank you.
Questions? Oh. Thank you so much for your time today, and please let me introduce, although I'm sure most of you don't need an introduction to our next speaker. I'd like to welcome Jacob Shulman to the stage. Jacob joined JFrog in 2018, bringing over 25 years of experience in building the financial infrastructure and driving growth. Prior to JFrog, Jacob served as CFO of Mellanox Technologies. Jacob.
Thank you, Tali, for the introduction, and good afternoon, everyone. I hope you're enjoying the day so far and have learned a ton from Shlomi, who presented our vision and explained why binaries are the most important asset of the DevOps. From Yoav, who presented capabilities of the platform and explained the value that our products provide to our customers. From Nati, who dove deep into our new security capabilities and explained how different is our approach versus other companies in DevSecOps space. I'm sure that the presentations by Tali and Micheline explained how material is an opportunity in front of us, laid out our go-to-market strategy, and the plans to capture those new markets and geographies.
Lastly, I'm sure that the use cases presented by our customers explained how material and how mission-critical JFrog is to them, and how important partner we are to them as they continue to navigate their DevOps journey. I'm sure, guys, that you're here for the numbers, so here I am. I will focus on three main areas in my presentation. First, I will speak on deliveries on our goals in 2021. Then I'll touch a few aspects on how we build sustainable and diversified business. I will finalize my presentation with the considerations for the long-term model. Let's start. 2021 was a solid year for JFrog. We finished the year on a very strong note. Overall revenues grew 37% year-over-year to $207 million.
Back early in the year, back in Q1, we said that we expect acceleration in the business, and that indeed we delivered successfully on this commitment. Our revenue in Q4 grew 39% year-over-year to $59.2 million. This great visibility in our business is driven by the fact that we're very well entrenched in our customers. That's, by the way, highlighted by very high net retention, gross retention, sorry, of high 90s, and we understand very well the demand levels. On top of that, moreover, the only variable portion of our business is that subject to usage-based SaaS revenues. SaaS revenue is still today a very small portion of the revenue, and therefore this, therefore, we build a very predictable and visible business with high visibility.
SaaS revenue represented 25% of total revenue as of end of Q4, and revenue coming from outside of the U.S. was 37%. We continue to expand our capabilities outside of the U.S., specifically in EMEA and APAC. Our strategy of hybrid and multi-cloud growth bore fruit, and our revenue on SaaS environment grew 52% year-over-year to $50 million in revenue. We're very proud to grow our number of our largest customers very significantly in 2021. This growth is a great testament of the value that our platform provides to our customers. Specifically, the number of customers of over 100K in ARR grew 53% year-over-year, and we exited the year with 537 customers over 100,000.
Of them, 15 customers were over a million-dollar in ARR growth of 50% year-over-year. We continue to see great expansion of our entire customer base. We accelerated our net dollar retention in Q4 back to 130%, the commitment that we made to the market early in the year. To remind you that the expansion of our customers was impacted by the pandemic, back in 2020 we did see contraction in our net dollar retention rates. We're very proud to stabilize and actually reverse the trend and grow again in 2021. We continued also to build strong foundations for the sustainable growth. Our non-GAAP gross margins improved from 82% to 84%, driven by significant enhancements in our gross margin on SaaS business.
We continue to invest into R&D, specifically in areas of security and distribution, and our R&D expenses represented 29% of revenue in 2021. We continue to build our top-down, and Tali talked about the action items that we took during the year in building the strategic team and go-to-market, top-down go-to-market approach. Our S&M expenses were 38% of revenue in 2021. As a result of us becoming a public company, our G&A expenses increased to 16% of the revenue. As a result, our non-GAAP operating income declined from $13 million to $4 million, or from 9% to 2%. However, our unit economics remained very efficient. We continue to generate free cash flow.
Actually, the free cash flow generation improved in 2021 from 17% to 21% and achieved $43 million. This takes into account one-time payment associated with holdback agreements related to Vdoo and Upswift acquisition. Our sales efficiency remained on top of the class at one. In CAC payback, again, top of the class, increasing slightly from 16 months to 17 months. Overall, we're very proud with our achievement in 2021 and believe that Q4 serves as a basis for the strong performance in 2022. Now I'd like to speak about building a diversified business. Shlomi and Tali discussed with you how strong our customer base is and how we were able to attract top ten pretty much in every industry.
In fact, as of end of the year, 85% of Fortune 100, 45% of Fortune 500, and over 30% in Global 2000 customer companies were our customers. This is tremendous customer base that continues to expand with us. I'll provide you a few stats just for you to better understand what's the potential to grow this customer base. Fortune 100 customers today represent approximately 15% of our business. Fortune 500 customers today represent approximately 20% of our business. Average revenue from a Fortune 100 companies is about $400,000. Average revenue from a Fortune 500 company is approximately $200,000. Tali provided you an example of a Fortune 100 company that could be multimillion-dollar account.
That just highlights how material is an opportunity for us to expand within this customer base, maintain the sustainable expansion rates, and we continue to believe that we have not penetrated more than 20% even into our largest customers. We made investments to accelerate that penetration and expansion. On the right side of the slide, you could see that the revenue coming from our Fortune 500 customers actually accelerated in 2021. Back in 2020, our revenue from Fortune 500 customers grew 26% year over year. With investments that we made in 2021 with building strategic team, our top-down approach, we were able to accelerate this growth to 38%.
To further highlight how increasing adoption of our platform becomes a significant driver for our revenue growth, I'm showing you two analysis of revenue by subscription. You could see on the left side of the chart that our revenue from Enterprise+ subscription or our full platform represented approximately 35% as of end of Q4, growing from high teens just for eight quarters ago. However, the portion of customers who adopted the platform is still very small. Approximately 5% of customers adopted the platform. Another about 35% customers on Enterprise subscription, and the majority of our customers on the Pro and Pro X subscription. That would present a significant opportunity for us with our new capabilities to drive accelerated growth and expansion of these customers. We also believe that we can also grow ASP for the platform.
Entry level into the platform is $115,000, but our average revenue coming from the platform user is approximately $200,000. We definitely believe that with the new capabilities that we launched in 2021 and will continue to launch going forward based on our very rich roadmap, we will be able to grow ASP for the platform even further. Therefore, the platform will become one of the significant drivers of our revenues, and we believe that majority of our customer base will transition to the platform over time, therefore driving significant revenue in the future. This cohort chart actually highlights very well the opportunity that we see in front of us.
We continue to see that each and every cohort continues to more than double every three years and that what gives us confidence in sustainable net dollar retention rates that we see around 130% going forward. I would also like to speak about the new customer trends and the investments that we made in the free tier and the cloud strategy bore fruit in 2021. Back in 2020, majority of our customers joined on as self-hosted customers, 60% was self-hosted, 40% as SaaS customers. The free tier introduction and the hybrid approach actually reversed that trend in 2021, and we see approximately 60% of customers coming on SaaS environment and 40% self-hosted.
Our cloud environment gives an opportunity for customers to land at smaller lands, and therefore we see many more smaller companies adopting solution like ours, but they expand much faster. It also provides an opportunity for prospects to try different components of our platform, and therefore we see more and more customers when they convert, they actually land on the full platform, Enterprise+ subscription. We started seeing every quarter several new customers joining us on the full platform. Despite that, the majority of customers continue to land on the Pro and Pro X subscription, and therefore we see just slight uptick in our average ARR per new customer. It increased from approximately $10,000 in 2020 to approximately $11,000 in 2021. Now I would like to talk about long-term model.
Before that, I would like to reiterate the guidance that we provided last week. For Q1, we expect our revenues to grow $60.8 million-$61.8 million at the midpoint, representing 36% growth year-over-year. We expect to be around breakeven levels for Q1. For the full year, our revenue is expected to be in the range between $273 million-$275 million, 33% growth at midpoint. For the full year, we expect to be around breakeven levels. Our Q2 expenses, operating expenses will grow as a result of merit increases that will become effective on April 1. Therefore, Q2 profitability will be the lowest point in profitability.
Then from those levels, we'll continue to improve profitability and grow to the guided levels around breakeven points for the full year. Before I dive into the long-term model, I just kind of wanted to reiterate and explain the areas of focus for us for investments in the short term. First of all, on the R&D side, we significantly increased our investments, more than doubling quarterly investments from $8 million back in Q1 2020 to $18 million in Q4 2021. Growing our R&D expenses from mid-20s to roughly 30% of revenue. Our investments focus in four major areas, innovation, and during 2021, we ingest a lot of new technologies into our portfolio, from PDN to project to additional capabilities in distribution.
A lot of innovation that was invested into, and based on the roadmap presented by Yoav and Nati, we'll continue to improve and introduce new technologies to the market. Products, we spend a lot on the products, specifically in security and distribution areas. Nati and Yoav showed you capabilities of our new security Xray product as well as Connect. On the infrastructure side, we spent on improving our infrastructure on the SaaS level, and that was one of the reasons why we saw improved gross margin on SaaS. We also adjust our products to the global scale, introducing some self-service features as well as adopting our products more and more for the usage-based models.
In the short term, we expect our R&D to remain around 30% of revenue, and then, after 2022, to start gradually converging toward 21% of revenue for our long-term model. On S&M, again, we significantly increased investments from approximately $13 million back in Q1 2020 to roughly $23 million back in Q4 2021, 75% increase in quarterly spend, which focuses on community. Micheline talked about new personas that we are after with introduction of security capabilities as well as distribution capabilities. We continue to expand globally with emphasis on APAC and additional building capabilities in EMEA. We will continue to scale our strategic team as the number of larger customers adopting the platform continues to grow. There are new areas of investment such as channels and partnerships.
For the short term, we expect our S&M expenses to be around high 30s%, and then we'll gradually start conversion toward our long-term model of 27%. Just to summarize our long-term model. On the gross margin, we expect our gross margins to be 80% in the long term. That is driven by the fact that structurally our SaaS margins are lower than self-hosted margins. While we continue to expand our margins on SaaS, they will structurally be lower because of the hosting costs. Therefore, as cloud continues to represent bigger and bigger portion of our revenue, we will start seeing a gradual convergence of our margins toward 80%. In 2022, we still expect our gross margins to be in the range between 83%-84%.
Our research and development targeted portion is 21%. Sales and marketing, 27%. On G&A, we expect that as we continue to grow, we'll continue to see more scalability, and therefore we'll see gradual conversion toward 9% for the long term target. On the operating income for 2022, we expect to be around breakeven levels, and then beginning 2023, improving our profitability toward our low 20s as targeted operating margin. We will continue to be free cash flow attractive, growing our free cash flow margins gradually. Before I finalize my presentation, I'm sure that we were able to demonstrate how significant opportunity in front of us. We're proud to have more than 6,600 customers that are top-notch customers in every industry.
We were able to build sustainable and solid business. Therefore, we believe that we will continue to grow at the rate of over 30% for the foreseeable future. With that, I'm happy to take your questions.
Thank you. Our next question comes from Sterling Auty of JPMorgan. Your line is open.
Yeah, thanks. Jacob, thank you for the presentation. Wanna drill in on sales and marketing spend in particular. If you look at kind of the current, you know, resources that you have, can you help investors understand how much capacity is still left to grow within those resources? How much are you needing current hiring within the spend that you outlined to hit this year's numbers versus that hiring being more for 2023?
Yes. Thank you for that question, Sterling. First of all, we continue to expand our sales and quota carrying headcount during 2021. Not everyone is still fully ramped. Typically, it takes about half a quarter to full quarter to onboard inbound sales reps, about two quarters to onboard strategic sales. Overall, we see that we are in the high seventies in terms of quota attainment. We still have improvements from the existing headcount. We obviously have plans how to increase that to maintain our targeted revenue commitments.
Got it. Thank you.
Thank you. Our next question comes from Jason Ader, William Blair. Your line is open. Our next question comes from Rob Owens of Piper Sandler. Your line is open.
Great. Thanks for taking my question. Jacob, as you look at the success you've seen in retention rates, and you know, you predicted they'd bottom kind of on the tougher comps coming out of COVID, but now back up over 130, where could those potentially go to longer term in your mind?
Yes, we definitely see improvements from the pandemic lows, but the pandemic is not out of the woods yet. Prior to pandemic, our expansion rates were slightly above 140%. Today, we're at 130%, so we definitely expect that we will improve. Again, we're not out of the woods yet, and therefore, currently we're projecting and taking into our guidance that we will remain around 130%.
Is there any dynamic either from the customer base in aggregates or as you're moving up markets, you know, that could put some type of governor on that as you look aspirationally to get back to 140% longer term?
Yes, absolutely. First of all, Tali spoke about the great potential in conversion of our Pro customers to add additional security capabilities. Today, on average, entry point into the Pro customer is about $3,000. On average, they pay about $4,000 annually. Just adding security capabilities takes that 5x opportunity. Definitely, we believe that new security capabilities that we introduce will help us to drive that expansion. On top of that, the strategic team, and Tali again showed an example of a large customer who doubled, almost doubled in a year. As more and more customers become strategic and portion of larger customers become bigger portion of overall business. How fast we expand them, that what will define our overall net dollar retention.
That's why we put emphasis on expanding these large customers to be able to continue and expand our net dollar retention further.
All right. Thank you very much.
With that, I would like to invite the entire executive team up to the podium to take further questions.
Can you guys hear me okay?
Yes, we can hear you.
Oh, great. Yeah, first one for you, Jacob. When you look at some of your software peers, a lot of times you'll see sales and marketing as percentage of revenue in kinda 60%+, in some cases even 70%+ of revenue. Is there an argument that you guys could be spending more on sales and marketing, really kind of stepping on the gas? I know that you probably would argue you already are stepping on the gas, but you know, you're still, like I said, well below some of your high growth peers, especially with this kinda new push on security as an entry point avenue that Tali spoke about. Just maybe just talk through what are some of the puts and takes there.
Yes. Absolutely. First of all, I'd like to remind everyone that in early days, we took inbound approach. When you sell to developers developer tools, they really don't wanna see any salespeople. They want to try the tool, and if the tool works, they want to adopt it. That's what drove efficiency of sales go-to-market strategy for JFrog. This is what we continue to do successfully with the developers. Yes, introduction of the new security persona and as well as new product persona changes slightly the go-to-market approach, and Micheline and Tali spoke about it. That's why we also introducing additional capabilities such as top-down for larger customers who are adopting the platform, expanding into different geographies where it's not always bottom-up.
We definitely see that, as we address more and more personas, the go-to-market approach may change, and that's how we started building capabilities. Again, to remind you, our audience is developers and we don't believe that this is the best way to send salespeople, very expensive salespeople to sell Artifactory. We definitely want to send them to sell the full platform, and this is what we've been doing successfully.
Okay. Thank you. Just a quick tech follow-up for whoever wants to take it. On the security side, you talked about some of your unique capabilities. I guess I would think other DevSecOps vendors offer binary scanning and analysis. First of all, is that not the case? Am I wrong about that? If it is the case that some of your competitors offer binary scanning analysis, what is it that you guys are doing that is special? Like, you know, what's the secret sauce?
Yeah. Thanks for the question. I'll start, and Nati can share more details on the advanced Vdoo capabilities. One of the major differences that JFrog has is that our technology analyzes the binaries recursively. We keep this graph, which allows us to immediately give you the impact of any vulnerability, which would otherwise require, in other vendors, you'd have to speak with the developers, you have to run through the CI/CD process all over again in order to do this impact analysis, while we can provide it to you in a matter of less than a few seconds. Also, some very advanced capabilities that Nati, I think you're the best one to speak about in what we are acquiring now, bringing into the platform now with Vdoo.
Yeah. To continue, the answer from a more technical point of view. The answer is first, yes, there are other players that suggest or offer binary analysis from a different angle. They are doing it as a very point solution, focused solution to provide specific type of output, mostly around bugs. When first and foremost, what we are doing is doing it as part of the platform and combining our capability with the fact that you can run on so many binaries that are already managed by Artifactory. This is the first step.
More tactically, the way we are doing SaaS on binary is a unique proprietary way that is highly focused on things that are really exploitable, and the way we do the applicability scanners that focus you on CVEs that are exploitable is unique to us. This is something that was not offered ever by any of the binary analysis tools.
I would like to add to it. Maybe combine answers for what Jacob was asked and this question about security. JFrog is a product-led company, and when we think about what is the next product and what is the next solution, we look at the market, we do the analysis, we listen to the pain, and then we act. Yes, there are other competitors that provide binary analysis, but you have just heard the vision from Yoav and then the practice from the market. How long do you think that enterprise would consolidate the repository, the distribution, and the security around one solution? Why should I take a single point solution if I need a single source of truth coming from JFrog, if I need to remediate with distribution?
Our security solution holistically looks at the full pipeline, and therefore, I think that we are coming with a great advantage to the market. Going back to the question that was asked about adding more salespeople and maybe go aggressively after the market, this is what you do when you have one product to sell. You bring an army of salespeople. There is no value, there is no innovation. You bring an army of salespeople and utilize what the market has to offer. What we are doing is that we are introducing the world every leap with a new technology that solves an authentic pain.
Therefore, part of what JFrog is seeing is this hybrid growth from the bottom up, embraced by the community and from the top down, expanded within our customers.
Thank you. Our next question comes from Brad Reback of Stifel. Your line is open.
Great. Thanks very much. Two quick ones. First for Shlomi, you obviously have done a couple acquisitions in the back half of 2021. Just your thoughts on additional acquisition activity in 2022. And then for Tali, if I look back to 2019, you added almost 1,000 customers. Obviously, 2020 was impacted by COVID. 2021, you sort of got back to 600. What needs to happen for you to go well north of 1,000 heading forward, especially with a, you know, $11,000 ASP on average? Thanks.
I'll start with the question regarding acquisition. JFrog acquired so far eight companies successfully. The reason I'm saying successfully is not only because of the technology integration. It's a great honor to have all founders still working with us. It's crazy. If you think about it, five years ago, we acquired Conan, we acquired CloudMunch. The founders are still with us, building this company with us. It's not just about the culture integration, the technology integration, it's also about the leadership that comes with it. We are taking very seriously the strategy around M&A, and it will come in two direction. A, we need to get closer to the edge and make sure that what we can deploy as a binary goes all the way there efficiently, automated and secured.
It will come either in expanding our security solution with JFrog Security, bringing more technology that support this flow, or it will come with more capabilities that pushes deployment faster and automated to the edge. The second area that we are looking at is obviously the programmers. You know, we call them developers today because they are developers that runs a business of 10,000 developers. They used to be called programmers because they were focusing on the code. We are talking about a community of millions and millions of developers that every day come with a new technology that disrupt the market. We did it with Conan, and as we get closer to the developers, you have mentioned it, we will stay there. If it takes more talents that are coming from the community, that might be our next target.
Obviously, on the business side, we will consider any expansion that will make sense for us in terms of the business growth. Tali?
Yes. Thank you for the question. As for growing additional customers towards this journey, as I presented earlier today, first and foremost when you're asking how we are going to get there, what you could see in this demonstration of these customers that we spoke about today is how we are embedding the value, the technology value and capabilities, additional capabilities in order to drive continuous expansion with our customers. Our land and expand motion is basically taking us there. Of course, Jacob mentioned in his slides that with the additional capabilities and what we are injecting into the product, we should expect to see also the ASP growth of these enterprise customers.
Thank you. Our next question comes from Aaron Husock of Ashler. Your line is open.
Great. Thanks for taking my-
I think we lost the speaker.
Thank you. Our next question comes from Steve Enders. Your line is open for KeyBanc.
Hi. Great. Thanks for taking the question. I just want to ask about some of the cloud ARPU trends that you're seeing. You know, it's below kind of corporate average ARPU at this point, but how should we kind of think about that trending longer term? What are the key levers in your view that will help drive that? If it's you know kind of increased usage or is it upselling on the plans? What are kind of the big lever points to drive that higher? Thanks.
Yes, we see a continued trend of increased ARPU on the cloud. It comes from two aspects. One is the increased usage by our customers. Our monetization on cloud is based on usage, and we see more and more customers using different capabilities of the platform, driving higher data transfer. That's what drives the monetization. We also see more and more customers landing on higher end subscriptions. To remind you all that the Enterprise+ subscription on the cloud became available only in the second quarter of 2020, so it's relatively new offering. Therefore, we see many more customers who prefer to land on the Enterprise+ subscription on the cloud, and that's what driving our ARPU from cloud higher.
Is there any way to kind of think about kind of the, you know, the percent of enterprise customers or Fortune 100, Fortune 500, which, you know, I appreciate the updated numbers there, but the percent of them that have kind of began adopting the cloud solution at this point and, you know, be getting that bigger push there?
I don't have the exact stats for the Fortune 100 to Fortune 500. What I can tell you is that a significant portion of over $1 million customers do have hybrid installations. Many of them use both self-hosted and cloud, and actually, some of them use cloud only.
I can add to that.
Yeah, sure.
We're seeing customer that are choosing multi-cloud now, and also a new pattern of distributed cloud. You heard Fidelity speaking about it. Basically, it means running application all over the world closer to where they need to run, so that also impacts the growth.
Okay, perfect.
Thank you. Our next question comes from Sanjit Singh of Morgan Stanley. Your line is open.
Hi, thank you for taking the questions. Shlomi, a great first Analyst Day. Great content. I wanted to talk about cloud, and I think, you know, the tone of the company coming out of Q4 earnings and today on cloud has definitely changed in terms of tone. You guys had a pretty neutral posture beforehand. What's sort of driving the change in terms of leaning in more aggressively to cloud? Do you think with your efforts, if you're successful in cloud, is that going to be accretive to JFrog's growth? Or is it gonna be more of a model shift from on-prem, from your on-premise customers to cloud to address that? That's the first question.
Thank you, Sanjit. You know, if 10 years ago this question would be asked, I bet that the majority of the vendors in the market would say cloud will not happen, on-prem will stay forever. We watch the market very closely, and we see the transition to the cloud, but we see a very unique transition to the cloud. First, what we see is that all enterprises are choosing multi-cloud solution, not only one cloud. Second, what we see is that most of them, as Bill from Broadcom well emphasized, are looking at a hybrid environment, even in the far future. What we see is vendors that are closing the doors on self-hosted and on-prem solution. We also see vendors, new vendors in the market that started in the cloud and have only cloud.
We serve the enterprise. We serve the developer in the enterprise, the DevOps engineer, the security engineer in the enterprise. They have other needs. What I mean by that is that the balance that Yoav spoke about in our philosophy is forever stay our mantra. A, we need to make sure that we can support the enterprise need as our destination. B, we want to give the developer the freedom to choose the deployment environment, the production environment, the development environment. In short, I will say that in the next few years, we will have more and more capabilities in the cloud. We will add more and more clouds and not just the major three. We will have more and more releases to the cloud, but we're not going to push customers to the cloud. With that, I want to add one last thing.
JFrog is a super technical company. This is our DNA. This is how we think. This is how we develop. The best experience that we can offer to our audience, whether it's the community, our customers, or our partners, would be to use the best, latest, and greatest version coming from our store. There is nothing better for a company like JFrog to get an immediate feedback on the technology that was released. In the on-prem, it really depend on when the enterprise decided to upgrade. We see it as an advantage that we see more and more customers are moving to the cloud. The free tier that you asked Micheline about earlier, this is not just a deployment environment for us and a route to grow, it's also a mirror that shows us if we're on the right direction.
Yes, we want more and more customers to move to the cloud. It's part of our strategic decisions, as Jacob and Tali mentioned. No, we are not going to push them to do it. If the question was, are we going to do a sunset on all the on-prem solution? Not in the next few years.
Thank you. Our next question comes from Koji Ikeda of Bank of America. Your line is open.
Oh, hey guys. Thanks for taking my questions. I wanted to build upon that question about the hybrid and the multi-cloud. Shlomi, this question is for you. You know, going back to your presentation, I remember a slide talking about the hybrid and the multi, and then also the edge cloud. I wanted to focus on that edge cloud, you know, thinking about binaries and DevOps at the edge cloud. When does that become a reality in your view? How much different or maybe more complex of an environment is that versus what we see today?
Yes. Thank you, Koji. The edge is really what you define an edge, okay? If we are speaking about getting software deployment on an edge, which is a server that sits next to your developers in Europe or in APAC or in the Middle East or in North America, then it already exists. As we reported in the past, this is the key driver for our customers to upgrade to the end-to-end platform, to the Enterprise+ subscription. This already exists. There are other customers that will refer to the edge as a device, and this is what Yoav shared, not only on his slide, but also with a live demo. We are working on something that can be scalable.
The difference between an edge that looks like a server and an edge that looks like a device is the scalability. Everything that comes from JFrog scales to infinity. We take pride in the scalability level that we got to, and we know that millions of devices, billions of devices require some seriousness and responsibility on the vendor side. The next thing will be also to secure it. Obviously, edge as device will take more time. Edge as a server on your data center or cloud already exists, and we have hundreds of customers that upgraded to the Enterprise+ because of it.
Got it.
Thank you. Our next question comes from Aaron Husock of Ashbury. Your line is open.
Great. Thanks for taking my question, and sorry I cut out earlier. I wanted to ask about Log4j. I think you did a great job kind of articulating how Artifactory and your security offerings can really help your customers with Log4j. Unfortunately, it seems like, you know, the first half of 2022 is gonna be a period of kind of heavy Log4j response from large enterprises. Can you just kind of frame what you're seeing in terms of pipeline development and bookings, if you've already had some that seem to be driven by Log4j? Thank you.
Yes. As indicated by our technical executives here, by Yoav and Nati, Log4j episode just highlighted how important our platform is. Therefore, we did see increased level of interest in the capabilities. We helped multiple customers and prospects during Log4j episode, and we are seeing that they are looking very closely into our products. We believe that this event, Log4j, will drive increased pipeline going forward as just due to the fact that it highlighted again the importance and the value of the entire platform to our customers and prospects.
I'll add to that, the work that we did around the Log4j resource center created thousands of opportunities. We had tens of thousands of visitors coming in to read and learn, and we got many calls, many different calls.
Some calls saying, "We want to enjoy early bird knowledge about zero days that you are bringing from your team." We got some others saying, "How can I utilize Xray with Artifactory to block things, whether before they come into the organization, or if it's already there, how can I identify it and block it afterwards?" There were some others that were simply excited by the fact that we learned so much and conveyed so much messages and knowledge about Log4j, that they wanted to come closer to the security team and get to be more familiar with our roadmap and agreeing to start POCs to learn about our capabilities. I don't have one answer for that.
I can share that it takes tons of attention, especially because it comes now from the regulators around the world. We will, as Shlomi said, keep listening to the market and provide the right answers and the right answer as part of the platform, not in Xray only.
Yeah. Fully agree about that. The fact that we have Log4j is merely an awareness factor. What it did, it created a huge impact in the market, bringing the awareness for security even for the single developer. I think this calls out for solutions that JFrog platform actually solves today to prevent other Log4j incidents because there will be other Log4j incidents. It's not a question of if, it's a question of when.
Thank you. Our next question comes from Rob Owens of Piper Sandler. Your line is open.
Thank you guys for taking my question. I'm wondering if you could touch a little more on the international opportunity as it represents one of your growth vectors moving forward. Just in terms of where it is with regard to DevOps maturity, any incremental competition outside of the U.S. that we don't consider that might be regional? Thanks.
Thanks for the question. As mentioned earlier, EMEA and APAC is obviously a focus for us this coming year or to as of now, and continue to expand in there. What we're seeing from the APAC specifically, they're still early in the DevOps journey. We wanna make sure that we are able to build the brand, the awareness, the education, and we're starting with the dev community first. As Shlomi said, our developers is kind of the hearts and minds, and we wanna make sure that we continue to expand there, as well as build with our partnerships in the APAC region, as well as continue to evolve with EMEA.
Thank you. Our next question comes from Mike Cikos of Needham & Company. Your line is open.
Thanks for getting me on again, guys. I just wanted to ask, if I'm thinking about the number of products that you have and you're building out of this platform, the acquisitions, combine that with the go-to-market initiatives, the bottoms-up approach you're maintaining and this top-down approach you're layering in, and then the indirect channel potential to improve the net dollar retention, why shouldn't we expect revenues to accelerate from where they are today, just based on the number of positive momentum drivers that we're talking about?
That's a great question. I'll start and, Tali, Jacob, if you want to chime in. First of all, like every other SaaS company, you land, you expand. The potential that we see within our portfolio, based on the innovation and technology we added in 2021 is huge. Jacob shared it, Tali shared it. We have over 3,000 customers that are still using just Artifactory on the basic subscription. This is on-prem. Second, what we see in the cloud is the moment that you introduce yourself to the JFrog platform in the cloud, you get all the product in front of you, unlike the on-prem, different subscription. We think that we will see growth there, in terms of consumption and usage.
The third thing that we see is that there are new persona, as Micheline mentioned, that we never met before, and they start to reach out to us, not only in terms of what Artifactory can do for me, but also how can you support me with my security pains, and how can you support my distribution and multi-site topology, and how can we distribute something to China when this is prevented from them on the regular CDN solution and so on. I think that we see a lot of areas that we can grow, but what get us very excited is that it comes with additional technology that at least half of our customers are still not using. We are very optimistic about that.
Yeah, I would like to add to that. First of all, new security capability is fairly new, and frankly, we're in the midst of the integration and by mid-year in our user conference, we will present the results of the integration. So, it's fairly new. It opens up additional opportunities, and we invest for the future. So definitely all of these capabilities and opportunities that we present today, it's not just what we see right away. Some of that will be expanding beyond 2022. Obviously, in terms of the monetization, security is probably the shorter term monetization starting point, going all the way to devices more 2023 and beyond.
Thank you. We have time for one last question. Our last question belongs to Steve Enders of KeyBanc. Your line is open.
Great. Thanks for taking another question here. I just wanna ask about, you know, you gave that customer example in the Log4j section. I think you said was able to resolve it and deploy in 12 hours. I guess, you know, how sophisticated and mature was that customer and their DevOps practice, and how do you kinda generalize that use case across the chasm and take that across both your existing customer base and, you know, potentially leverage that into the new opportunities?
Yeah. Thank you. It's a great question. JFrog was doing software supply chain from day zero. If you think about it, Artifactory, the reason it existed from the first place is about controlling what gets into the organization. The Log4j use case is a great example of that because once you have a single place in the organization where you can not only just scan binaries, but you can also apply rules to avoid the consumption of misbehaving binaries, let's call it like that, then you break this asymmetry that CISOs and security organizations, which are frankly, even in a very big organizations, they are very small compared to the amount of developers.
This brings out a new, really a new pattern for how you can apply security in a way that is not interfering with the regular development work, because you don't want to break the productivity of developers. For that you have to have the right tools. You have to be in the right control points, and JFrog obviously with Artifactory, and now especially with the Vdoo acquisition, is in a great control point to apply such patterns. I hope that answers your questions.
Thank you all.
Yeah, no, definitely that's helpful.
Thank you all for your questions. I would like to invite Shlomi to the podium for the closing remarks. Shlomi, please.
Thank you very much for joining us today. You know, I'm listening from the sideline when the team spoke about what we have built, what we've created almost sounds easy. There were hours, days, nights of investment in everything we've done this year. There is no battle that I wouldn't take with a thousand frogs that are working day in and day out to support the community, the customers, and the community growth, and the company growth. I also want to thank our shareholders and analysts that joined us today. Your time is not taken for granted, and I hope that we provided content that help you understand better the Liquid Software and the JFrog story. Last, if I may, it's really come to one question.
Every company you see in the industry, and you guys see all companies, it really comes to one question: Is it a trustable vendor, predictable, deliver what was committed, and are they betting on the right future and the right technology? I'm sure that there were questions 10 years ago about electric vehicles, and 12 years ago about cloud. I'm telling you right here, right now, binaries are the future, and JFrog introduced the world with this innovation, and while doing so, educate the world, building a business and grow. We are positive that our roadmap will lead to a different way of managing software, of managing the software supply chain and security, and making the world not just green, but also liquid. Thank you very much for your time. Thank you to my team. Thank you.