Great. Thank you to everyone for joining us today as part of Needham's Annual Growth Conference. My name is Mike Cikos. I'm the lead analyst here covering infrastructure software. I'm pleased to say that we have with us the CEO of JFrog, Mr. Shlomi Ben Haim. And, Shlomi, thank you for your participation today. We really do appreciate it.
Thanks, Mike. Thank you for having me.
So as a reminder to folks, I have some drafted questions on my side I'd like to go through with Shlomi, but if at any time you have a question you wanna send in, please send that through in the chat box. I will make sure that we are using your time as efficiently as possible. Logistics aside, first thing I was hoping we'd be able to talk to, Shlomi, would really be a little bit about the environment that we're in today. So just very high level, but how have customer conversations been when thinking about the IT budget environment for 2024, especially in the context of the year we just had?
Yes, so Mike, as we all remember, we stepped into 2023, when things were unclear. IT budget was frozen, CFO started to push projects from the first half of the year. We started to see the macro changes kind of impacting the IT budget. I'm not sure that we are completely out of the wood, but in terms of consumption in the cloud specifically, we see an accelerated pace. I hear customers speaking with us about new initiatives like consolidations of different capabilities of software supply chain management, like security and AI, into one solution. There are initiatives about adoption of MLOps and MLSecOps.
So, while we are not completely out of the woods, it starts to feel that those who migrated already to the cloud are raising the consumption, and those who understand that there are some strategic decisions to be taken, like adoption of MLOps, will be considered this year. But, you know, it's too early to say. We are in a process of learning the first quarter.
No, it's great. And I, I know we're gonna be talking to some of those themes with the product portfolio, which has meaningfully expanded over the last year as well. I did just wanna ask, while we have you, too, geopolitical, right, is one thing that we're talking to. So at least on a global basis, the environment feels, you could argue, better than where we were 12 months ago. However, we obviously have the ongoing war in Israel now. Is there anything to consider from that front? And could you give us an update on JFrog's operations there?
Yes. Well, October 7 was an unfortunate event that I don't even think that it changed only what happened in Israel and the conflict we have with our neighbors. What Hamas did was a barbarian, cruel attack over civilians in Israel, and obviously this was something we never experienced. And thanks God, three months after, it looks like the IDF is kind of of leading the operation there. On the first few hours of the war, JFrog executed our BCP, our business continuity plan. Most of our assets are based outside of Israel, in the cloud, obviously, in different regions, most of it in North America. We do have 800 employees in Israel, but the rest of our employees, almost 1,500 in total, are outside of Israel.
So we made sure that not only we secure our assets and customers and services, but also executing on a very well-planned BCP that proved itself. We reported that we have approximately between 80-100 reservists out of 800 employees in Israel. We didn't see it as a disruption. We do have our February 14 earnings, and we'll speak about the results there, but but JFrog did a very good job handling the situation. Moving forward, I don't think that anyone knows exactly what will happen, but it start to feel like things are stabilized. Also, we live with a new routine now, which is a war at the background, unfortunately.
Understood. And if I think about this year, again, not looking at guidance, right? Because obviously we have a call in about another month until we get there, but are there specific considerations that investors should be thinking through as they piece together calendar 2024 versus calendar 2023, or anything thematically there?
With thinking about the macro environment or geopolitical, or both?
This is more specific to your business.
No. Well, as you know, Mike, our portfolio, customer portfolio is very diverse. 95% of our revenue is based outside of Israel. It's not by sector, it's not by geography. Our operation is very strong. JFrog is strong. This will not impact. This will not be the reason for us to change anything. As I mentioned in our previous earnings of Q3 we see JFrog provide and deliver what we committed to.
And I don't want to get ahead of my skis here, and so tell me if I'm mischaracterizing this or, or if it's the wrong way to think about it, but one of the things I think about for calendar 2023, the year we just went through, is that cloud usage really only started to show improvement in March of last year for JFrog as far as that stabilization trend. Is it fair to then assume then that 1Q of calendar 2024, at least the year-to-year comps should be a bit easier until we anniversary when those cloud trends started to improve? Again, just wanted to stress test that while we had you.
Yeah. Well, the cloud is, I think the story of 2023 because it got to a level that it was very mature for all industries, and then the recession and the macroeconomy kind of hit, and some budget decisions were taken. There were two decisions that we saw our customers considering. A, is when are we moving to the cloud? What is the right timing to migrate from self-hosted or from an on-prem solution to the cloud? This is project number one, migration of workloads to the cloud. The second one is obviously the acceleration in the cloud, how much we consume, data transfer, storage in the cloud, how many assets we are moving to the cloud. These are two different considerations that our customers have to look at.
What we've seen is that, as we predicted, on the first half of the year, it was quite slow on both. Migration to the cloud was stopped. Even if you took a decision strategically to move to the cloud, you would wait until we will have a better clarity in the market. And second, the consumption, the usage of the cloud was also slowing down. Like, only what need to be to be executed was executed. Only what need to be in production was pushed. And in Q3, we started to see the usage coming back, yet the big project, the migrations were not fully back. So we start to see while we start to see the consumption and the usage coming back, we don't yet see the big customers kind of waiting to migrate their solution. They are speaking with us.
It's still part of the strategy. I don't think that there is a company in the world now to think that everything will be self-hosted. But yes, they have some concerns about when is the right timing, because once you move to the cloud, you won't go back.
That's kind of feeding into the next question and where I want it to go. But, like, again, a consistent theme over the course of last year was the slower pace of migrations from self-managed to SaaS. And at least based on the way that you're answering the previous question, if you'd allow me, but it sounds like we're not out of the woods just yet. It feels maybe more stable, but we're not necessarily seeing an increase in the velocity of those migrations. Is that fair?
Absolutely. And, Mike, you touched something very interesting. There are customers who have a DevOps setup, a DevSecOps setup, a software supply chain security, an overall management setup as a self-managed. Self-managed is already cloud. What we speak about is that JFrog will provide you JFrog as a service, the JFrog Platform as a service, and this is our SaaS business. So while we reported a significant growth in Q3 of 2023, we know that the market is still not completely out of the woods. Some projects are being on hold in terms of the migrations of the workload, and some projects are starting to kind of push down the gas pedal on the usage. But self-managed is already cloud. These are customers that they understand the concept, that it would be easier for every vendor to migrate them.
There are the self hosted, which are the on-prem, high regulations environment, customers that, or companies that never thought about cloud migration, and this is a very big chunk of of the traditional enterprise that we will have to address. Some of them, by the way, are great customers, and we are honored to have them, but this is two different self-hosted or self-managed type of customers.
Okay. And with self-managed too, I think one of the things I'd, I'd love to get your perspective on, but let's say you have 100 customers that are signing up with JFrog, like, how many of those customers tend to opt for self-managed over SaaS? And maybe as a reminder to folks in the audience, but like, what's the logic or some of the common refrains from people for why they would go for self-managed over SaaS? Again, I think you were already starting to talk to maybe regulatory requirements, but that would be beneficial.
Yes. So there are several. Well, I'm just reflecting what we see in the market, but there are some reasons of why this will happen. But to your first question, most of the customers, most of the new customers that will land on JFrog solution today would go with the full SaaS. Most of them, the majority. We see it with the big companies, and we see it with the SMB, we see it with the mid-market, and we see it with the enterprise. It's just kind of, it doesn't make any sense to start a new project, as a self-hosted solution or self-managed solution, unless you don't really have the option to choose. Now, what will prevent customers from moving to SaaS? A, it's an investment, and migration process comes with best practices.
I think we migrated today over 1,000 customers, enterprise customers, to the cloud. The best practices about how you migrate is not less important than how you use the cloud data. There is zero tolerance for disruption. You don't, you don't let your vendor to kind of be free with what they do and to distract your business. The software supply chain process need to keep going. You cannot take any security risk. There cannot be any type of downtime. So migration process by itself is a project that need to be really well planned and think about from all dimensions. The second thing is, there are some customers. I'm putting aside the regulation around specific highly regulated environment.
There are customers that are looking at a vendor lock-in, so they want to have a multi-cloud solution, and not just one. They don't want to be an AWS shop or Azure shop or GCP shop, and those customers will usually start to move projects according to their strategy to different clouds in different regions. There are customers that are also thinking about, "What should we move first?" And it's not only by the domain, DevOps or not DevOps, but by the team, the R&D team that they need to support. We need to move this project, or we need to move that project. And there are customers that are also already self-hosted, and now, out of an acquisition, they have to merge another environment. Sometimes it triggers a migration to the cloud.
Most of the time, if they are self-hosted, they will go backward. They will try to consolidate around the legacy they have. And I'm putting aside all the, you know, political situation that might happen. You have a team that is maintaining the solution, and now you give it to the vendor, and obviously, the ROI is amazing, but it's another reason to consider it. Although it sounds like this is something that is behind us.
And just to tease at that real quick, I wanted to make sure I heard correctly, but let's say JFrog has migrated, call it 1,000 customers from. Was it from self-managed to SaaS?
Yeah.
The second piece, those that cost that we're talking about, to your point, but I can only imagine the organization has zero tolerance for downtime. So as a result, through that migration process, there are the spinning up of redundancies and additional costs to make that migration as seamless as possible, and that's really what you're talking about with the execution of those best practices and those playbooks you've built out on behalf of your customers.
Yes. We have thousands of customers using our SaaS solution, Mike.
Mm-hmm.
At least 1,000 of them were migrated by JFrog, with JFrog solution engineers and the support team, and this is a project. During this time, connected to the second point, there is zero tolerance for downtime. We will remain your self-hosted environment alongside the new cloud environment. If it's a multi-cloud, even better, and only when we are ready, we are switching off the self-hosted and switching on the cloud environment. Yes, it requires a lot of experience and a lot of responsibility, and a lot of transparency with the customer.
I know management has also previously called out slower expansions for self-managed customers, and I just wanted to see if we could get some more color on that aspect. Is it really just because organizations are weighing whether or not they go to SaaS, or can you help qualify maybe why those slower expansions are occurring for self-managed customers? Or is it really just tied back to the macro that we started this call with?
Well, first of all, we will wait with the guidance to the earnings on February 14th. But the overall environment is that some projects that clearly address the cloud as the environment that they want to deploy on are on hold and still on hold. Maybe it's because of the macro environment, maybe it's because of other reason. As we reported in Q3, we start to see a climb on the usage, so we see more volume on our cloud business, and the growth on the cloud businesses was communicated to the street on the Q3 earnings. And what we will see next, I think, is that we have to understand this hardcore of on-prem users, when are they planning to move? The early majority, they moved already.
They are already in the cloud. You hear it from all companies, not just JFrog. The hardcore on-prem users from our over 7,000 customers, when do we think that these customers will move? This would be the biggest, I think, challenge of 2024 and 2025.
And if we just shift over to the platform for a second, right? And I don't mean to be intentionally vague, but let's talk about security first, right? And you guys obviously have a lot of expansion opportunities with the different products that you have for security today. So as a reminder for folks, what are some of the newer initiatives around security, as well as can you help frame out why JFrog is in a strong position to now go and execute on the security space coming from its roots with Artifactory and the binary layer?
Mike, this is a wonderful question, but I'll start with the reflection on the last five years. JFrog took some very important decisions, and we took it very seriously, and as you know by now, we mean what we say, and we do what we say, and we're committed to it. And we decided to bet on three main items. Item number one, we are going to provide a full platform, and this full platform will be with the center of gravity of software packages of binaries management, because that's the heart of software supply chain. Second point was, we are going to slowly migrate all of our business to the cloud, and we will provide a hybrid solution, a multi-cloud solution, but cloud first in mind. And we delivered on that, as you know, already.
The third one was, if really Artifactory became the single source of record, if it became the single source of truth for all of our customers, every piece of software coming in or out from Artifactory, if this is really happening, if this is the database of DevOps, then it doesn't make any sense that all of the point solutions, security point solution, will just integrate with Artifactory instead of getting it as a service from us. And when we ask the CIOs of the market, "What is it that you prefer?" When we ask the CISOs of the market, "What is it that you prefer?" We heard it over and over again. Everybody spoke about consolidation. Bring us to a point that the best of breed is not a disadvantage, it's an advantage, something that is manageable.
So what we did with the JFrog Security, and especially after the acquisition of Vdoo, and we delivered this year. We announced it in Q2 and Q3, and later this year at swampUP, our user conference, we actually built on top of Xray, which is tier one for security, the secure Artifactory. We built JFrog Advanced Security. JFrog Advanced Security, Mike, is six different capabilities gathered together to one solution, from your static analysis to secure your code on your source code, to the container security, composition analysis security, contextual security, contextual analysis security, secret detection. Each one of what I just said is a point solution.
Now, I'm speaking with my customers, let's say if you have an organization with over 500 developers, 1,000 developers, you most likely have already more than 5 different security solution, point solution, that you need to manage. That's unmanageable. But put all of this aside. Let's say that I'm completely biased and I'm wrong. CISOs, they are not thinking that way. It's nice that we speak about developers, and shifting left, and bottom up, and so on. The CISO forever will end thought about the threat, and the threat is the hacker that is waiting for you on the production environment, on the runtime environment. And the hacker that is waiting for you there can only go after one asset, which is the binary. This is Log4j, this is SolarWinds, this is npm, this is PyPI, this is the executive order from the White House.
Take control over your binaries, because this is your software supply chain. What JFrog built is not just to be the hub of all binaries, but also to be the dome that it sits on top of it and secure all of your binaries flow from the hacker threat to the developers on the source code environment. This is A. That was not enough, and our customers told us, "This is great to protect from the inside out. What happened from the outside in?" This is where we released in Q3 JFrog Curation. JFrog Curation is a firewall between the public hub, that all of your developers are going there whether you like it or not. They are going to Docker Hub, Maven Central, they are going to all the public repositories, bring home a bunch of millions of software packages.
What JFrog Curation does is setting a layer that is based on the policies of the organization, and act as a firewall between the public hub and your internal software supply chain flow. This is not the end. We still have some things to release this year, but we are very excited about two things: A, it comes together with the understanding of what the primary asset is, which is the binary. Second, it's a consolidation of all tools. Instead of sending you to have 10 different tools, 15 different tools, one of our customers said that they have 25 different tools. Yes, they have 23,000 developers, but it's still unmanageable. And then something even more exciting happened.
We started to see that the market, and you see it as well, the market is also changing. CIOs and CISOs become one. You see more and more CISOs being promoted to CIOs and take over the entire responsibility, head to toe, when it comes to Software Supply Chain management, automation, and security. I'm sorry, very long answer, but I'm-
No, no
I'm getting excited when you ask me about it.
I appreciate the response. And so again, I know we're early days, but can you help us think about security today? Like, what is it as far as contribution to the total revenue?
So in 2023, 2022, those two years were years of investment. As you know, we rebuilt the solution. We have thousands of customers that are using X-Ray, our security tier one, and then what we committed to the market is that in 2024, it would be a material part of our revenue. And material for us means 5% at the minimum from our total, and this is why we invested so much.
Okay. I know there's three products that we just talked. Well, four, if you count Xray, but three newer products in the last year. There's Advanced Security, there's Curation, there's ML Model Management. And I just wanted to check on Curation first real quick, but I know that we're talking about those outside-in capabilities you're delivering to customers with Curation. Is it currently being sold independently, or is that an add-on or part of the Advanced Security offering?
Yes, a good question. All of our security offering, as for now, are sold on top of our current subscription as an add-on. So you must use Artifactory and Xray in order to have JFrog Advanced Security and JFrog Curation. It's available only for the Enterprise X and Enterprise Plus customers, so a customer that have a lower subscription will have to upgrade, and it's available, everything that I mentioned is available in the cloud and on-prem. What we also discussed internally and executed when we announced the products was, how easy can we make it for you to compare apples to apples? And if we would come with a crazy model, you wouldn't be able to do so.
So we came with a by- seat, and the by- seat is what you pay to all the other security vendors, and now it's a buy- seat on top of your current JFrog subscription. So I think it's also easier to see how much you save on cost and not just the efficiency of the technology.
Right. And that third component, the ML Model Management, I know that is currently in beta for cloud customers. Can you describe to people, first, what the solution is doing on behalf of customers? And then secondly, we'd just love to get feedback, but is ML Model Management potentially tapping into a new persona or a new buying center with your customers?
Yes. Mike, drinking wisdom from our customers and community firehose is the most accurate thing, and the first thing that happened to us in 2023 when GenAI started to explode because of ChatGPT was that our customers told us, "We want to host it in Artifactory because AI models, at the end of the day, yet another form of binary. So if we have 32 different type of software packages inside Artifactory, why can't we have ML models inside the Artifactory as well?" And then, just like every other CEO, I had to make sure that this is not yet another AI fluff, because I'm tired from everyone that says AI five times a day. So the first thing that we provided our customers is a native support for the most popular AI repository, Hugging Face.
Now, you direct Hugging Face with Artifactory, and you cache Hugging Face with Artifactory. It already solved one problem for these users, which is a single source of records for all of your models. The second thing was that they told us, "While bringing it, it would be great if we can also scan it and make sure that there is no malicious models, or some licenses that we are not allowing our users to bring." The users are usually Python developers and data scientists. These are the users of MLOps and ML models. So, the first step that we provided, announced on September, was native support for Hugging Face and native scanning of the models before they are in your system.
What we are building now, as you mentioned, first of all, the beta program is about to be completed. The self-hosted solution will be available as well, and we are building more capabilities on the security of ML models, and more public repositories that will be natively support in Artifactory.
And just to be clear, so appreciate the response, but just wanna make sure that ML model management, right? So that is still going after the same persona who's already been using JFrog now. It's still going after that same wallet that JFrog's already been addressing, or no, does it potentially tap into a new wallet or a new budget line item with your customer base?
Well, listen, I think it's too early to say.
If it's a new budget line or not, and I'm not going to wave with my hand and say, "Well, you will see how great this tailwind will do." I don't know, and nobody knows how AI is going to contribute to revenues. It's too early. But what we see, and this is good signs, new customers and new personas. So there are new customers that are reaching out to JFrog because they heard about it, and there are also a new persona. Like, I'm not usually speaking with data scientists, I'm speaking with developers, I'm speaking with DevOps engineers, I'm speaking with security stakeholders, I'm. But this is a new persona that, that we are learning about.
I think that the most encouraging thing was that it was super native move for them to use Artifactory because they already have JFrog Platform in their premises. So once they heard about it, they started to test the water. In the cloud, we hope that it will raise the consumption. In the self-hosted, we hope that it will require more setup, but it's too early to kind of know how this will impact our income.
Okay. And just to be. I mean, to focus on the GenAI theme here for a second, and I know we've kind of tiptoed around this in multiple ways, but just to be explicit here, like, again, you have native support from JFrog for MLOps and MLSecOps within Artifactory. So again, for the audience, why is JFrog the natural choice for supporting companies and their LLMs? Just to put it out there.
Yes. So I'll take a step back, or as we say at JFrog, a leap back, to explain. We don't know what the world will look like when machine will build it from scratch, when machine will build software for us from scratch. But we do know that there are ML engineers that are dealing with what looks like the first step into GenAI, which is machine learning. What they do is that they use public models that are shared on repositories like Hugging Face. They bring it home and start to build with it, but they don't just bring the model, they also bring another model to train this model, because the whole idea of AI is that the model is training itself and then become better, improving. Both forms are binaries.
Both of them are binaries, and JFrog is the binary expert, the standard of binary management. So for us to manage it inside Artifactory was just like having Maven or Docker or Python or others. This is a form. It's not source code, it's binary, and therefore it was natural for us. But there is another reason for the adoption of the market to the JFrog solution. The people who are using it are Python developers that already use JFrog Platform for PyPI solution. The people that are using it are engineers that have to provide DevOps and DevSecOps as a service, and they already use JFrog. So for them, it was just like adding another capability to something they already use, and it's scalable, and it's secured, and it's proven, and it's end-to-end.
So, I believe that, more than other players in the market, managing, hosting, and securing ML models is more natural for JFrog.
And if I take that opportunity and put it in the context of the, let's say, the long-term model that JFrog's provided, I believe the last time we received the long-term model, GenAI, I don't know where we were on the roadmap for the potential there. Is it fair to think that GenAI is a potential tailwind to that long-term model then?
As I mentioned, it's too early to know how this will change the model. Obviously, we are not just doing things because of fun, we are doing things in order to make sure that what we build is not going to be disrupted by future technology. If you ask me if JFrog Platform 2030 will look different in the way it operates, absolutely yes, and it will not just be by developers and engineers, it will also be by machine and AI that leads our software supply chain and secure our software supply chain. So it's too early. The model we provided to the market is until 2027. I just recapped 2023. I'm preparing myself to February 14 with 2024. You're asking me about 2027 and AI this would be another leap forward.
Understood. I know just a couple of minutes left here, so let's make sure we're getting to some of the client inbounds we got. The first was asking about advanced security demand, and I wanna read this to you, but it says, "Can you compare advanced security demand that you're seeing and bifurcate, like, the demand you're seeing from cloud customers versus self-hosted customers?
That's a great question, very relevant. Most of the legacy security solution, especially the point solutions, are self-hosted. So for them, it's easier to replace self-hosted with self-hosted, especially when it comes to open source threat, especially when it comes to developer security. This is a very self-hosted environment. But we see, we see it coming from both, and we are very excited to see that, when our customers are speaking with us about migration, they are not just talking about DevOps workload migration, but also security workload migration, and this, this comes back to, to what you mentioned, moving from self-hosted to cloud in security as well.
And then the final question we had before we have to wrap up but was more with respect to go-to-market. So, I know in mid-September, JFrog hosted its inaugural Partner Day, and so just to set the table for folks, can you discuss how much JFrog revenue today is being sourced through partners? And what has the partner response been to the new program?
Partners and channels are part of our enterprise sales, sales team. We invested a lot in the past three years since we went public. We invested a lot in building and maintaining the top of the funnel all the way to the execution, and partners and channels were obviously another escalator to get to where we want to be with the enterprise sales. We now have signed over 100 partners in the market. We have a very close relationship with AWS, with Azure, and with Google as our partners to do co-sell, co-marketing through the marketplace and outside the marketplace. We are working with partners on a geography base, but also on a sector-based security versus DevOps, and we.
Yes, we held the first Partners Day at swampUP in September, and the list is already grown significantly. So, we expect to see more and more revenues coming indirect and not just direct from JFrog, but it's part of our enterprise sales efforts.
Great, and we'll have to leave it there, but I'm sure, everyone's excited for a February 14th update. Thank you very much for the time, Shlomi.
Thank you very much.