Coming down to Austin, and Shlomi would say I'm probably biased, a great place to be. I'm glad to have you guys all come down here and join us today, and hear about some of the key announcements we had at SwampUp.
This meeting is being recorded.
And then give you guys a chance here in the audience to ask management any questions you might have about some of the announcements we made today. But with that, I get the fun job of reading the typical legal disclosure before we begin today. Leading the event today will be JFrog's CEO and co-founder, Shlomi Ben Haim, CTO and co-founder, Yoav Landman, and Ed Grabscheid, JFrog's CFO. During this event, we may make statements related to our business that are forward-looking, as that term is defined under U.S. federal securities laws, and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, as amended, including statements related to our future financial performance. The words 'anticipate, believe, continue, estimate, expect, intend, will,' and similar expressions are intended to identify forward-looking statements or similar indications of future expectations.
You are cautioned not to place undue reliance on these forward-looking statements, which reflect our views only as of today and not as of any subsequent date. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events, except as required by law. These statements are subject to a variety of risks and uncertainties that could cause actual results to differ materially from the expectations. For a discussion of material risks and other important factors that could affect our actual results, please refer to our annual report on Form 10-K for the year ended December 31st, 2023, filed with the SEC on February 15th, 2024, which is available on the investor relations section of our website.
Additional information is available in our recent Form 10-Q, filed with the SEC on August 8, 2024, and other filings and reports that we may file from time to time with the SEC. Additionally, non-GAAP financial measures may be discussed at this presentation. These non-GAAP financial measures, which are used as a measure of JFrog's performance, should be considered in addition to, not as a substitute for or in isolation from GAAP measures. With that, I'd like to turn it over to JFrog CEO, Shlomi Ben Haim. Shlomi?
Yes, thank you, Jeff, and thank you, everyone. Can you hear me well at the back? Cool. Thank you everyone for joining us. A very exciting day, obviously, for the Frogs, but from what I hear after the keynotes, I hear that it's a very exciting day for the community as well, not only because of the announcements, but also because of the amount of innovation that is injected into what we call software supply chain management, and some of it was shared here today by JFrog. I'm sure that other companies are doing a great job as well. Today, we will focus on three main announcement. The first one, something that we were working on since last year.
Those of you who joined us at SwampUP last year in San Jose remember that we announced the availability in GA of Curation and JFrog Advanced Security on a hybrid version. JFrog Advanced Security and JFrog Curation were the first add-ons on top of Xray, and the results of the acquisition of Vdoo. And during this year, they started, as Yoav shared on his presentation, to see some success within with among our customers and portfolio. And today, we completed a process of taking care of your binaries all the way to production, to the runtime environment, with something that is very unique to JFrog, with a differentiator that no other company can provide unless they want to integrate with our assets, which is the shift left, shift right, take it to whatever side you want.
Full visibility and traceability in order to generate one thing, one value, which is fast remediation. It doesn't help you if you have the best runtime security on the planet, and you know about the vulnerability in your production environment, if you cannot trace it back and replace patient zero on whatever repository. JFrog Runtime Security was something that we built on top of the other assets, like JFrog Catalog, JFrog Curation, JFrog Advanced Security, so it will not just be a siloed solution, it would be part of the platform, and it's available starting today to all of our customers and prospect. The second announcement that was shared today on stage in three different talks, as you could see, is the second stage of the partnership with GitHub. On May earlier this year, we announced stage one.
Stage one was integration between the platform, and we knew that this is not complete, because it's not all about developers. You have to make sure that you provide a one-platform experience for the user. That's checked. But what happen when it comes to security and you have different stakeholders? And what happen when someone start to ask you if you have to go between the different product and UX? So we announced today the availability of JFrog Advanced Security and GitHub Advanced Security, all displayed with the findings from source code and binaries on GitHub and JFrog. So you choose where you want to be. If you are a developer, you will probably land at the GitHub platform. If you are a DevOps engineer or a release manager, probably on the JFrog, but we unify the view on one pane of glass.
And the third. Is it okay or is it a mistake? Or am I speaking too much?
Shut it down.
And the third one, the third tier on the GitHub integration was the Co-pilot, how you bring GenAI into the process of managing, securing your software supply chain. Co-pilot is not only a nice chat box, this is a window to the JFrog assets. That's a window for developers to the JFrog asset. Like, in what world can you sit as a developer and ask, "What packages should I use for X or Y? Who's using it in my organization? Who's using it in. Not who's, but how popular it is in my sector and my industry, and all of it from the get-go, so you would prevent any mistakes.
So if you think about the main pillars that GitHub and JFrog now, with this very strong partnership, provide, it's the speed and the trust among the developers and security community. And the third announcement that we covered today was the NVIDIA collaboration. And what we've heard from our customers, as I mentioned at the keynote, is that this is really a scary world. We don't know. Everybody's speaking about AI, everybody want to have AI, everybody's willing to pay money for AI. Nobody knows what AI is, okay? And if someone tells you that they have all the answers, they are probably smarter than me. But we hear it across our portfolio, SMB, enterprise, public companies, private companies, self-hosted, cloud. It's across the portfolio. And another thing with...
that we hear is that unlike in the past ten years ago, you could be a developer without caring about your security, today it comes together, and therefore, you also saw the CIO survey saying, "Now find a solution for AI security, ML SecOps." Our customers started to inquire about enterprise models coming from NVIDIA. This is where this collaboration started with few of our biggest customers and with a very strong relationship with the NVIDIA team, co-engineering, working on a solution that NIM models from the NVIDIA public repository will land on a secured registry for all models of your organization. So basically, a single source of record for your models as well, including NIM models coming from NVIDIA.
If you put together what we have built in the past few years, we actually brought JFrog to a level that all ops are supported in one place: DevOps, DevSecOps, MLOps. And the reason is actually split to two. One, there is only one asset that we keep saying in JFrog. I know that sometimes we say it a lot and too much. There is one asset which is the primary asset. Ask every engineer outside this room, "What is it that you spend most of your time?" And they will tell you, "80% of software supply chain is about software package management. This is what I create, this is what I comply, this is what compile, this is what I test, this is what I deploy, this is what I secure, and this is also the asset they have in runtime." So this is a...
And the second thing is that we know that the world is consolidating around best-of-breed platform, and there will be no vendor that will just provide everything. We heard in the past that there will be vendor that said that they will do DevOps and security and Atlassian and Datadog, and they will be everything. It's not happening. And cloud-only, also not happening, therefore, the hybrid. So we feel that we got to a point that we now can serve our community after very intensive investment, we can serve our community within every op solution. And those of you who follow the past few years know that we are very serious about what we promise and when we deliver it.
That will open up the Q&A session. I will bring the mic around. If you can utilize the mic for the questions so that the webcast participants can hear, it'd be much appreciated.
Sanjit Singh, Morgan Stanley. Thank you, Shlomi, for the great session today, and a lot of announcements. And I think from my perspective, since the kinda higher rate environment has taken hold, I've seen JFrog's product velocity enormously accelerate, and that's the good thing. I think what a lot of investors are trying to figure out is the go-to-market motion behind it. So let's take the GitHub announcement, the native integration today. So you're sounds like you're natively integrated the platform from the product side. It sounds like from a developer perspective, the workflows are gonna be much more seamless. What can you tell us on the go-to-market side with GitHub? Are there any sort of financial incentives for their salespeople behind it, or any sort of other sort of?
What's the go-to-market strategy for those joint JFrog-GitHub customers to drive that consolidation opportunity that you were speaking to?
Yes. Thank you, Sanjit. Good question. What we have learned in the past fifteen years, that when you sell from the bottom up or top down, but you sell developer tools, first thing you should do is to build your credibility, and first thing is to avoid any fluff about integration of features. And when you say a real platform experience, you should stand behind your word. So we build it in tiers, and we want to deliver it. Next month's GitHub Universe will kind of cover also the beta program of Co-pilot. And once it will be adopted, this will be, for me, the trigger to start and speak about co-sell. We already have co-marketing. Everything we do here, as you saw, is in full collaboration with GitHub and with Microsoft.
But, when it comes to joint packages, joint subscription, sale, same offering offered by different salespeople, this is too early. We will wait for the adoption, and we will see it happening. But as you know, net new is not only coming from prospect and new customers, it's also coming from the renewals. And I can already say that from what I hear, and it's too early, this is also a tool for retention. We have 97% retention rate, which is amazing. I'm very honored, but I know that I have as we grow and as we expand and as we cover more and more persona, I have to invest not only in net new and new offering, but also in retention.
The GitHub integration, once you chose GitHub and JFrog, especially if you migrated to solutions like that, and especially when you combine security on that, it would be a very important investment that you do. You don't just move two years after or three years after. Retention is also very important.
Thank you very much. Just one quick question on runtime security. What's the sort of the monetization strategy around that? Is that gonna be included as part of advanced security, or is that gonna be another add-on for customers?
Runtime Security is going to be offered as an add-on, available only to our Enterprise X and Enterprise Plus customers, on-prem and cloud. As you know, curation and JAS is already there. Runtime Security requires JAS and curation so we see two paths of goals. A, customers that are not yet on Enterprise X and Enterprise Plus will see enough value to upgrade themselves, and then to take on top of it, JFrog Curation, JFrog Advanced Security to enable, JFrog Runtime Security. Runtime Security also come with two different capabilities. Enterprise X enjoys the integrity piece of it, and Enterprise Plus is the only subscription, this is the full platform, the only subscription that will also have an impact, the runtime impact, what we call, to provide you with the full information that we presented today.
Hey, everyone, Pinjalim Bora, J.P. Morgan. Thank you for taking the question. When I was walking around and I was talking to a lot of investors, seems like there is a little bit of a skepticism around JFrog getting into the security budgets. And, you know, obviously, with runtime, you are diving deep into the security budget. So help us understand, and you have had some time now with advanced security, right? So help us understand, what are you hearing from customers around that, your ability to get into the security budgets? Yeah.
Thank you, Pinjalim Bora. Skeptic people are part of my life since I was two years old. That's, that's fine. We build for the long, long run, and what we've seen, a few years ago is that whether people like to admit or not, the landscape of security is changing. And don't take my word for it. Look at the big security companies and look at the companies that they are acquiring. They are shifting left because they know that they have a blind spot. And if they will not shift left, they will try to recover on the runtime environment and try to find out what happened, like two weeks ago, when someone released, the last software update.
So we took advantage of the fact that we own the single source of records for all of our customers, and we started with Xray securing that. And then people started to be skeptical because Xray is just protecting your Artifactory. And when three years ago, we started to heavily invest. This is not hiring six people, five people, to build your security solution. We acquired a company, a leading company, with a very strong research team. This team, I don't know if you noticed what we said there about the Python package. This team saved the world a few weeks ago. Don't, don't ask me. Go to LinkedIn and see what the community is saying. And then on top of it, we started to build the solution that enables A, automation, and B, quality, and C, traceability, that no one else in the market can offer.
Now, let's say that other security providers will say, "We can offer it as well." Ask them if they have an integration with Artifactory, and the answer is yes. And if they don't, they are blind to whatever happened to your, to your binaries. Now, listen, when Tesla came out with this idea of building a radio, I'm sure they didn't do a market pitch and ask how many people would believe that there will be a box in their kitchen listening to the radio. We speak about binaries, and you've been with us from the beginning.
JFrog is the first company that said, "This is what you should be focused on." So I'm quite happy that we have over a hundred customers that signed up this year for the full stack, and I see these customers coming, and you have shared some of the logo on this slide. And it will take time, and skeptic people is, you know, they are part of my community and my life, and then we will have to prove it's on us to prove that our philosophy about software supply chain security is the right thing.
I wanna add to that, that the shift in security that happens is from detection to remediation. I don't know if you saw the whole keynote today, but what we're giving you with runtime, so if you find out about a heavy vulnerability in runtime, and you don't know how to relate it back to your software supply chain and how to fix it, it's only part of the job, so you become unproductive, and you kind of persist the risk, and this is the big change, because once you get the visibility, once you have a finding, and you know exactly how to tie it back to your software supply chain process and fix the vulnerability, that changes the whole picture.
The generation of tools that are only alerting you and bleeping and giving you this bleeping alert. They are the old style tools.
Yeah, yeah, the image integrity part, I think, was phenomenal on the runtime security that you were showing. I think that seems like a big differentiator. I want to ask you one last question on MLOps. I was talking to some of your customers, and this is not really related to ML, but I extrapolating to ML. There were some customers who were basically saying, on the cloud version, they don't like the pricing because there's a transfer element to it, and it becomes very costly for them, right? So they're not putting everything on JFrog Cloud. They're putting some on on-premise, maybe using some open source stuff. But I'm thinking as you move in more into MLOps and you're talking about bringing in models, which are two gigs, one and a half gigs, right?
How do you kind of get over that pricing hump?
It's a great question. I guess that the customers that you quoted are not yet using MLOps. They are using JFrog Cloud, and they say it's too expensive for us. We hear that, but we have to divide it to two different practices in the journey of our users: what they build and run in the development environment and what they deploy. Now, when it comes to data transfer, millions of Docker containers that are pushed from Artifactory to the cloud, this is the deployment piece. This is the distribution of software piece. This is where sometimes they are challenged by the price because some registries that are just plain container registries can offer it for a different price, sometimes lower.
When we look at the platform, we look at the full value of the platform. And don't get me wrong, we are working on the benchmark, understanding who are the competitors, what changes, who's doing what. Everyone says that they have a Docker registry somewhere, and then when it comes to scale, I gave an example of Cisco today, but all of these customers, these are hundreds of millions of artifacts. Not every container registry scale to our Artifactory. Some of them moved back to JFrog, some of them moved some of the workload to JFrog, but we are very well aware of it. And look at the prices, then sometimes some changes need to be changed, especially when you look at deals that are few million dollars.
The recording has stopped.
The consumption. Specifically on the MLOps, first off, our MLOps offering will be part of the enterprise. Offering to start with, and this offering is going to be available for our customers on a model that comes with a base included in the subscription, and then the GPU unit, like that's the world of AI, and this is how this is the unit price that you use. When I look at the MLOps landscape and the competitive landscape of MLOps, and I'm looking at the players, first of all, it's a different market, completely different market. Not mature yet, very evolving, and second, most of the players there are startup companies. Some of them are more successful, and some of them are less.
So I think that the fact that JFrog is the only company in the universe that provide all three, practices, DevOps, security, and MLOps, in one platform, will be appreciated by our customers, and we'll see about, you know, the final prices. We will go out with introductory prices for the MLOps, and then, we'll see, based on the adoption, how it goes.
Thank you.
Hi, Jason Celino from KeyBank Capital Markets. You know, keeping on kind of the runtime theme, it seems very logical to verify images in production. Nice logical step for your platform. What else, what might we like the next step, without giving like the roadmap, but help us understand, like, where you're going?
For runtime, first of all, integrity is one part of the deal. I think the most critical part is actually being able to recall an image in runtime. It's not just the image. If you speak about the Log4j incidents, for instance, it's really knowing that this Log4j library is embedded in a container that is currently active in runtime, loaded into memory. We didn't get into the fine details in the keynote, but we can actually tell you whether it's applicable, it's loaded into memory, whether it's effective. When Log4j happened, we had many customers that were freaking out about Log4j, and they had some tools that were alerting them about, "Yes, this Log4j is actually on this in production," but it was not even loaded.
So the impact analysis Shlomi mentioned, the higher tier, the impact, this is a big deal for runtime. We're going to invest without not going to reveal the roadmap, naturally, but we're going to invest a lot more about policies and alerting and the whole remediation, the ease of remediation, for your findings in runtime. So that's going to be the next direction.
And then, user conferences like this is always great to talk to customers. We've had a chance to speak with a few self-hosted folks. As we think about migrations and kind of the path to migrations, what do you hope your self-hosted customers walk away from the conference today?
So as all of you know, some macro challenges stopped, froze, put on hold all type of big projects that were planned in 2024 to migrate DevOps and DevSecOps workloads to the cloud, to the public cloud. One of the repeating, repeated question we get outside at the booth is about the cloud migration practices, how you do it. It's not just, okay, move your repository from self-hosted to cloud. You do it in different stages and different projects and different technology. I think that when the market will start to recover, I don't think that we are yet out of the woods, but when the market will start to recover, our customers will first look at where they left the decisions moving back to the cloud.
Now, remember, these guys that you speak with, if they are planning strategically to move workloads to the cloud, they are also paralyzed in terms of what they invest in the self-hosted. They don't invest anything. They know that they are going to move. It's just a matter of maybe a year more. But therefore, they are in what we call the twilight zone, which is they are not investing in the self-hosted, but on the other hand, they didn't start yet the migration to the cloud. So cloud practices, if you speak about the migration to the cloud, there are customers that did it here with us and customers that not yet, and this is one of the top of mind. They are very, very unsafe when they are moving their environment from self-hosted to cloud.
Thanks for taking my question. Thank you, management team, for doing this. It was extremely helpful, and we've learned a lot. This is Yi Fu Lee with Cantor Fitzgerald. So I guess the first question is going back to the GitHub partnership. Would you say, Shlomi, like, this is another way of saying, "Hey, look, you know, stay in the lanes?" 'Cause I remember, like, when I covered cybersecurity, you know, you have Okta in the identity space, CyberArk in the PAM space, right? You know, how would the relationship change, I guess, right? 'Cause you guys obviously dominate in the artifact and them in the source code management, as well as advanced security in their respective area. So if, let's say, they were to branch out or vice versa, you know, how would that dynamic change?
From technology perspective, you mean?
Not personal, from the partnership perspective.
From what they have already?
From what they have already.
Yeah. Well, listen, you know, there is overlap between all vendors. There is no vendor that you would tell me, like, I'm collaborating, I'm deeply invested in AWS, Azure, and Google Cloud, right? But all of them also offer container registry and all type of developers tools. There are overlaps. With GitHub, we have some overlaps, with GitLab, we have some overlap, with Atlassian, we have some overlap. But I think that what counts is, A, what level of sponsorship you get from your partner? Is it like developer to developer with, you know, with all due respect, or is it CEO to CEO? And second, or maybe this is the first thing, is what your customers are choosing.
If our customers are telling us, and I'm talking about customers at the size of AT&T and Morgan Stanley and Fidelity, these are the customers that came to us and said, "Guys, we chose you for this, and we chose you for that. Thomas, start work with Shlomi. Shlomi, start work with Thomas, or you are both grounded." And that's it. It's like, it's the customer choice, and then we are driven by the customer choice, and I think it will be beneficial for both sides. I don't see GitHub Package Manager, I don't want to say anywhere, but I don't see it on pre-sales. I don't see GitLab Package Manager on pre-sales. People start to standardize around best of breed platform, and Artifactory will represent that.
Okay, and then my follow-up is, I'm gonna lump it together, a two-part question. On the MLOps opportunity, what needs to happen to be, you know, showtime ready? Like, do you need more integration? Do you need more work in it, to get it ready? And then follow-up for Ed is, any color on, like, the sizing of the opportunities, right? We talked a lot about whether it be GitHub, MLOps, you know, can you give us a little guardrail of the upside to think about it? And obviously, you know, NVIDIA, don't forget NVIDIA as well, right? And lastly, is the, you know, from the earnings call, not asking for an interquarter update, right? Is the migration slow down? Any status change to that? And thank you very much.
I'll start with the product side. So it's all in terms of showtime readiness, it's already the situation. It's GA, you can start using this. This, we showed you in the demo how you can go from Artifactory, and and curate all the ML models that using JFrog Curation, how you can store the models in Artifactory, how you can-- we are also supporting datasets that we didn't show. And the bidirectional navigation between JFrog ML and the JFrog platform. JFrog ML today is technically it's not integrated into the UI of JFrog platform, till-- so that's one of the first things that we are going to do. I don't know if you noticed, but there is a, like, it opens currently in a separate tab. So we're going to embed it even closer to the JFrog platform itself. Of course, there are always gaps.
There are always things that we would like to be more perfect. Given that it's two months into the acquisition, this full level of integration that we already offer, for us, we are considered a GA. We are considering to what you call showtime ready.
Just, to put a, like to add to what Yoav said, we acquired Qwak two months ago. We announced the integration with Qwak nine months ago. It's not yet ready to full-blown on, on our portfolio. We have responsibilities. We are checking it. We want to see to where it scale. We want to know that we are ready to serve our enterprise. You don't build the, this trust with this enterprise, and then you bring some solution, especially in the world of MLOps, which is still an evolving market. So there will. It will take time, and we will take this time because when we will come with this, solution, it will be the best solution in the market. Already today, there is no other company, in the market that provide this capability as part of your software supply chain.
Regarding the financials, as you heard, we're still in the process of integrating. We just closed the acquisition two months ago. There takes time to integrate. We're still learning about the company. In addition to the announcement that we made with GitHub, and now this announcement we made with NVIDIA, again, we're taking time to build that. We haven't commented on 2025 yet, but in terms of 2024, we don't have anything in our model today that would be around contribution from either of those opportunities. With regards to the end of Q2 and what we saw with the migrations and kind of this behavior change that we saw regarding these really rigid procurement practices, that we called out specifically at the end of Q2.
With this very, very large customer, and we said part of the reason, we de-risked these opportunities because of this construct of multi-year, seven to eight-figure deals with security embedded in those. We looked at those, and we said, "Okay, we understand it's very difficult, in this macro uncertain environment to get those deals across the line," therefore, we did not want to have those in our guidance going forward. We think we made the right decision, and we haven't commented on this particular customer. We will at the end of Q3, but we believe we made the right decision by doing, pausing those discussions for now.
Awesome. Hey, guys, Nick Altman from Scotiabank. You guys had that slide that said hundreds of customers using advanced security curation and SAST, and there were some pretty impressive logos up there, you know, large enterprise, sort of tech, tech-native customers. When you think about those products being more of a needle mover next year, pairing the fact with, you know, that's a lot of customers that are using those products, very impressive logos. Why is that? Is it they're sort of smaller deployments, and they're gonna ramp? Just like any comment you can make on sort of the delta between some very splashy logos, hundreds of customers, but it kind of being more of a needle mover next year. Thanks.
Yes. Well, first of all, yes, we are very honored to have these customers using JFrog Curation and JFrog Advanced Security. Just to make sure we understand, this is not JFrog Xray customers, which is the other arm of JFrog Security. This is just Curation and this is also what we report during the earnings. Not surprising, and going back to Pinjalim's question, not surprising, all of our customers had something that is called security. To be honest, most of them had five other things that is called security, and big customers with over one thousand developers had over ten different tools: one for static analysis, one for secret detection, one for infrastructure as code. Each one of these aspects was covered or is covered by a different vendor.
So I don't expect any of my customers to just switch on and switch off from one security solution to another, especially when they don't know yet how strong JFrog is in the landscape of security. This is why it takes time. Now, what is my expectation for the following years? This is why we build it on a per-seat model, to allow them to ramp up, and once they feel secure with what we offer them, I hope that they will go to where we see the potential, thousands and thousands of developers, and this is how we will charge. The other side of it is a ramp-up in terms of number of developers is one thing. A ramp-up in terms of consolidation, JFrog also consolidates six different point solution in one solution. Six different companies can be replaced in one solution.
In one of the earnings, we told you that we replaced Black Duck, Sonatype, and Checkmarx with one just subscription. So consolidations also takes time, and a lot of time, you know, they gather budget from other places. They will have to run the first year or the first two years paying to both of us until they fully migrated, and this is why I'm saying, have patience. I'm going back to the skeptic people. I know that we build for the long run, and we are building right.
Hey, Ryan MacWilliams from Barclays. Gotta ask the generative AI question, but you can tell your customer is becoming more sophisticated around it, and it's more of a priority them, for them. So as we stand today, I guess, where would you see generative AI adoption become more meaningful in your financial results? And any changes on the timing for that, or when you can see that really start to impact?
Start though.
So you're asking about whether generative AI is going to be adopted for, with the MLOps solution? This is the-
Yeah. Or just how do you think it, the JFrog platform, will start to see more customer interest and revenue?
Yeah. So we're starting slow. We're starting with just hosting your models and curating them. Obviously, Gen AI is a new thing, and we are still learning. We are actually, I think, like many other players in the industry, we want to bet on the right horses. We don't want to solve pains that wouldn't be pains in a year from now. So we are speaking with customers, we are identifying the patterns that we think are there to persist, and we will add them to JFrog ML. So that's the situation for now.
You have mentioned the pain. When we are building our roadmap, we are looking at two aspects of pain, developer's pain. A, if it's a known pain, and B, if it's a major pain. If it's a known pain, but nobody cares about it, okay, so drink a glass of water, it will pass. If it's a major pain, this is where enterprise will be willing in the future to invest their money. So, Gen AI, especially in the landscape of security, is going to be a major pain. It's already known. It's already known. It will take one episode or two episode that will explode somewhere in the world, that everybody will wake up, but you already saw the surveys of you guys telling us that this is where CISOs are investing a lot of money.
Just to add to that, the world today, one of the major pains that Shlomi spoke about, and it's a realized pain that's validated from what customers are asking, is just controlling which models are allowed to be used in the organization to the level of the version of the model. This is the situation today. Organizations are very skeptical. They are very careful in what they allow in, and this is a feature that's a pain that we are already solving with curation.
Hi, Andrew Sherman with TD Cowen. Thanks for doing this, guys. I wanted to come back to the major industry outage that happened this summer and any impact you've seen because of that. Has that shed more light on the software supply chain and the importance of updates? Have any existing or new customers reached out and asked you, you know, to help on that? Is it showing up in pipelines at all? Would JFrog have helped prevent it from happening in the first place, that kind of thing?
Yeah. It's been almost three months since we announced the partnership. Today, we announced the completed stage one. So obviously, whatever I'm sharing here is based on three months analysis, which is very, very early. But in over 70% of our pre-sale call, support calls, tickets, announcement, marketing, hitting map, everything that we can track, people are very excited about this partnership. I would also add that Bitbucket users are very interested, asking a lot of questions about that. And I'm speaking only about JFrog customers. Bitbucket users are also working with Artifactory, and GitLab users are working with Artifactory. So Bitbucket users from Atlassian side are also very interested, and people are inquiring a lot about this collaboration and where it will lead. Now, we announce the security and the Co-pilot.
We'll see. I'll keep you posted.
Sorry, Miller Jump, Truist Securities. Congrats on all the announcements today. Maybe just digging into the NVIDIA one specifically. I'm just curious, like, how heavily demanded this was within your customer base. Just trying to get a sense of, like, how much of the customer base is currently leveraging NIMs, and maybe just any sense of how quickly you think this could impact the actual business when it launches.
So first of all, NIM is a new thing by NVIDIA. You have to understand it's a new technology from NVIDIA. It's new for NVIDIA themselves. So we already started to have conversation with the enterprise customers because this is really targeting the enterprise-level customers that want to get large language models into the organization. They have the iron to run them, and they want to get the best trusted models, but also the most fine-tuned models that they can run on this hardware that they purchased. And the initial feedback was, "This is awesome. We really want that. We really want to get the speed and the trust, but we need it in JFrog.
We need it in Artifactory for many reasons. First of all, it's our single source of trust in the organization. It cannot live elsewhere. Second, it's part of a larger scope application. The model is not there living by itself. It's being packaged and integrated with the rest of the software that my organization is producing, so it doesn't make sense to put it on some kind of island and isolate it as well, or keep it in the cloud. And the last reason is that when you consume the models, you mentioned, these are huge files and you don't want to be loading them all over again over the internet. You want to serve them over the local network. That's like a must for scalability.
So this was like everything makes so much sense as the reasons for why you would want that in JFrog, and that's the exact feedback that us and NVIDIA got from mutual customers.
Thanks. If I could just ask a quick follow-up for Ed. I mean, now that we're through earnings season, we heard pretty mixed messages about the software demand environment. So just curious, more digging into the headwinds you called out in procurement, like, do you see those as DevOps specific? Is it potentially JFrog specific, or is it something where you saw it before others might? Just any color there would be helpful.
Yeah, so we certainly saw in our monthly customers that happening earlier than what we saw from a procurement perspective. That came more towards the back end, the final few days. After earnings, we've seen actually it's not just a JFrog problem. This is what we're seeing across the software industry. I think you've seen now several during the earnings season that have called out specifically around challenges with large enterprise deals. We've certainly gone from a bottoms-up and moved more downstream with larger customers. This creates challenges around longer sales cycles, working with multiple functions and different decision-makers. So certainly there were some challenges around that, especially in this uncertain macro environment. We believe it's temporary. We're hoping that it's temporary. I don't see this being a long-term challenge for us.
We haven't commented, obviously, on Q3, and we will at the end of the quarter. But certainly from the standpoint of how it's impacted JFrog, I think it's not just a JFrog issue. I think it goes beyond JFrog and more in the software industry.
Hey, Kingsley Crane from Canaccord Genuity. Thanks for doing this. So I want to return back to the twilight zone comment when a customer's paused the cloud transition, and therefore also pausing investments on-prem. I know macro is involved, but how long might that be sustainable? Because customers are still gonna need to consume more over time.
So obviously, there's an incentive to move from self-hosted to cloud. It's better return on investment for the customer. We take the infrastructure. They do not have to invest as much. It creates standardization across their organization. So over a long term, it's the right decision and the right move. When you're in a macro environment such that we are right now, these are customers today that are utilizing JFrog on a self-hosted instance. They see the benefits, they see the value, but as we talked about, this is kind of a dead zone. They don't invest, they're not expanding, but the incentive is still there to move to the cloud. It's this is very much macro-driven, so when the macro improves, these customers are committed to JFrog to move their instance from self-hosted to cloud.
And 99% of the time, once we get past the POC and the technical gate, those customers are committed and move from self-hosted to cloud. Therefore, once we start to see budgets being unlocked and the macro environment improving, we think it'll go back to what we saw previously.
By the way, I might add to it. It's that when we spoke about de-risking opportunities, and especially big opportunities in our pipeline, some of it has to do with migration. That even though the customer is saying, "Yes, we are scheduled to do this here," we were very, very conservative about the pipeline, knowing that this is going to be very big accounts.
All right, we want to thank everyone. We've got time for one last question today, and then we're gonna wrap up today.
Hi, this is Shrenik Kothari from Baird. Again, come from the security background, and not a skeptic at all, and not coming from a skeptical angle. But to your point, Shlomi, you mentioned, of course, the traditional security vendors are consolidating and moving more and more towards the left. You touched upon, of course, Sysdig and the likes of that, but when it comes to, like, Palo Alto Networks and CrowdStrike, as you said, right, those guys are trying to invest more and more on the shift left. How do you view the competitive positioning from the larger traditional security vendor perspective? And how do you see, of course, advanced security tools, the Curation, Runtime in light of that? And then I will follow up for Ed.
Yeah, so in terms of differentiation, from the big security guys, if you look at Palo Alto, Check Point, CrowdStrike, those companies, they are great. Some of them started to shift left, and we are opening, like, our big frog eyes on them to make sure that they are not shifting too left. But now, even if Palo Alto Prisma would like to provide you with the full traceability all the way to your image, to your Docker registry, what is the Docker registry? Artifactory. So I think that we're coming with a very solid, strong differentiator. And to be very humble with my foot on the ground, they are a much more savvy security company. They are protecting your network and cyber. We are talking about software supply chain, and it's a, it's a different landscape, and, and I think it's evolving and evolving fast.
Got it. Thanks. And then, Ed, please chime in. On the go-to-market kind of strategy, right? As you said, of course, the advanced security tools and, of course, curation runtime, all kind of part of, of course, Enterprise Plus, and that's kind of gaining more traction, more, I would say, larger lands upfront. Of course, there's this macro aspect, but, like, how do you view the expansion strategy, right, going forward? Is it more built around seat expansion, more and more data on your tools, or kind of adding more and more security features going forward?
Yeah, so we actually see opportunity in two different areas. Number one is the migrations, moving from a self-hosted instance to a cloud. You have over 60% of your assets today still sitting in self-hosted. You can migrate those to the cloud, and when you have a migration, you have anywhere from 20%-80% uplift on a like-for-like subscription. And in addition to that, you bring them over on the full platform. Only today, 10% of our customers are on the full platform, and it contributes 50% of our revenue, so there's a huge opportunity there. Secondly, leading with security. Security will be a significant driver of growth for us. Security is monetized by seats. We started with the general availability in the second half of 2023. We said we had tens of customers.
As you saw today, in the keynote, we now have over 100 customers and some very big names, and we're maybe even a little naive to think that we would bring these customers in at a very low, introductory pricing with few developers. And today, what we're seeing actually is quite the opposite. We're seeing customers want to come in, negotiate now for much larger opportunity over multiple years, replacing the point solutions. It's not just a sale of a one-year, POC-type sale. This is truly a value that they see, by coming to JFrog for more of a replacement and consolidation of their tools, and that will take time, and they're willing to invest with us.
And by doing that, they're coming with a much larger opportunity over multiple years, and this takes time to build that, as Shlomi had mentioned. You know, there's skeptics out there, but we believe in this, and we see the opportunity.
All right, we wanna thank everyone who joined on the webcast and the participants here that joined us live today. Shlomi, would you like to give some closing remarks, please?
Yes. Well, first of all, we are honored, and we are excited to have you at SwampUP. If you guys want to hear the real story of the frog, if you want to really know what's the value of JFrog to our customers, you have over 500 of them outside. Feel free to speak with them. Feel free to share with us their feedback. We are looking forward not only to leap, keep leaping forward, but also to meet you next SwampUP in Napa next year. Thank you very much, everyone.