Hey everyone, thanks for joining this session with JFrog. We've got Ed Grabscheid, the CFO, as well as Jeff Schreiner, the Head of Investor Relations there. Just as a reminder, there are QR codes in front of you, so if you have any questions, you can feel free to scan the QR code, type it out, and I'll just read it out up here. But Ed, you've been in the seat now, I think, as CFO basically since the beginning of the year. Previously, you were head of FP&A at JFrog. I wanted to start out, maybe you could just give us, you know, for those new to the JFrog story, a bit of what you work on, a bit of, you know, the DevOps and the progression into the security motion, as well as, you know, ML and AIOps as well.
Sure, so first of all, thank you for having us. It's always great being in Arizona, especially in the wintertime, to get away from those from the East Coast and even from the West Coast where it's really cold, so great to be here. First of all, JFrog, what do we do as a company? We've been around since 2008. We were founded in Israel. Founders came to the Silicon Valley with the idea of taking the company public, raising money, and being here in the Silicon Valley, having this dream of bringing software for developers, in particular with the binaries, and making developers more productive using a binary repository tool. Since that point, we took the company public in 2020. We've now evolved from a point solution for developers to more of a platform approach.
So a platform to take software for developers from the source code, most of you understand source code for those that are writing code, to the binary, which is an open-source package, bringing those into your organization and then taking those through the software development lifecycle onto observability. And that's where JFrog has now evolved to a platform solution. On top of that, we've included Advanced Security and Curation, which is an add-on product. So we acquired a company three years ago. We released security as an add-on feature in the second half of 2023, and we've seen great momentum with our security products. Recently, we announced during the beginning of Q3, we did an acquisition, and the acquisition was in our MLOps sector.
We see a tectonic shift similar to what we saw in terms of security, this movement going from just having point solutions to a platform in terms of securing your binaries. We see a similar tectonic shift in MLOps, where large language models, which are a binary, will become a driver of growth for this company in the years to come.
Got it. Very helpful. Maybe clicking in on the security add-ons that you've started to roll out. It's an exciting area for the company. It's an area you're very focused in. Could you give us an overview of just that security focus and, you know, how much uplift can that drive even just with your existing customer base? You know, what does that pipeline look like, the discussions you're having? And we can touch later in the conversation about some of the larger deals you've started to land.
Sure. So as you mentioned, you know, security, which was an acquisition that we did, Vdoo was the name of the company, three years ago. We acquired Vdoo with the idea of bringing advanced security to the company. But even before we did that, we realized that Xray, which was a service that we provided for scanning capabilities, was not at the level that it needed to be. So security was, Xray was developed by developers for developers, and it certainly wasn't a product that CISOs would look at to replace existing security tools. So the first step was to enhance Xray. Next was then building and injecting additional investments so that we can build out our security applications, advanced security and curation. As I mentioned, those products were released during the second half of 2023. We released those products.
We had tens of customers, and we did that at introductory pricing. We thought it would be very similar to what we saw in DevOps in terms of the sales cycle: start with introductory, low-level number of developers, number of seats, and then build over time. As we entered 2024, what we actually saw was customers requesting much larger opportunity. We saw multi-year based on their roadmap to replace point solutions. And this is the value of what we see in JFrog: replacement of six, seven, maybe up to 10 tools. So consolidation of these different vendors, better total cost of ownership. And therefore, what ended up happening was larger opportunities, longer sales cycles.
Some of the deals that we thought maybe we would have landing in the first half of the year, those pushed out to the second half of the year because of the magnitude of the deals being much larger and having a multi-year element to it. So what we're seeing today is great momentum. We're building the pipeline. We're seeing advanced security as part of the roadmap. We're seeing curation as part of the roadmap. We're seeing these opportunities become very large. But we're also seeing elongation of the sales cycle because of these elements.
Got it. On the consolidation piece, you earlier this year announced a pretty important and tight integration with GitHub, with your advanced security offerings, their advanced security offerings. When you're talking with customers about potentially squeezing down from eight to ten tools down to maybe a few, you know, who are you perhaps displacing in those types of discussions? And maybe you could talk a bit about, too, just the GitHub partnership, how it came about. You know, did you both organically come together to talk, you know, with customers, joint customers? And could it be an avenue for maybe new logo growth as well?
Sure. I'll go ahead and start with that. And I have Jeff here that can talk a little bit more about the efforts with GitHub and the integration with GitHub. But what we're seeing, the vendor consolidation or the point solutions, Snyk, Mend, Aqua, Veracode, these are the type of companies. These are point solutions that we're displacing with the platform approach. Now, the GitHub integration and the co-marketing was being led by our customers. And the customer coming to us saying that, A, 70% of our customers today use GitHub. They see it as the best of breed in terms of their source code. JFrog is the best of breed in terms of the binary. Let's bring the two together. And that's where the discussion started, maybe.
Yeah. I think picking it up from there, what you really saw is, to Ed's point, is customers saying that, "I'm standardizing on GitHub. I'm standardizing on JFrog." Eventually, there may be some type of observability buy-in as well. And I'd really like to see the two platforms integrate more to create more value for us. And so the team started working together late last year on a co-marketing, co-engineering basis. And I think from there, we started to see that there would be opportunities to bring various features from each side, combine those features to add value to the customers we have today. I think key aspects of that agreement, as we look at it today, some of the key features that were just released at GitHub Universe is the integration with Copilot and Artifactory.
Before, if you had gone out and many of you have talked to your friends in software development and they said, "JFrog who?" Now, you know, we've possibly been running as a service in the background, wasn't present on their workstation. Now we'll be present on that GitHub workstation where that developer can say, "Go into Copilot, say, 'Here's my build. Show me the last five builds. What were the packages used in those builds?'" And then pull that in and become a more efficient developer. And I think overall, the opportunity as it relates to GitHub is, as Ed talked about, the consolidation of point solutions. And instead of an either/or discussion, which I think it might have been, you know, six, 12 months ago with, "Do I start at source code and use GitHub? Because, you know, they're a very large company. They do source code very well.
Do I go with JFrog?" You know, they do static code analysis, but they also cover a lot more technologies and software supply chain. Now it becomes, "I can buy both JFrog and GitHub, manage it on one pane of glass, all vulnerabilities, all remediations," and essentially replace, as Ed said, seven to 10 tools with just those two vendors acting as one.
Are there any potential future opportunities to expand your integrations with GitHub? Or, it's been interesting, just throughout the year, you've announced more and more over time. This has not been just one thing.
I think there's more to come. But I think that right now we want to use 2025 as a proving ground, right, in order to move into the next, let's call it, iteration, which would possibly involve a co-sell. I think that both companies, GitHub and JFrog in 2025, need to demonstrate the value that we can create together to then bring attention to the sales organizations that there's something here that they're not capturing yet today. So I think there's still going to be a lot of co-engineering working on. But the next genesis of this would be possibly moving to a full co-sell. But that would be more with Microsoft, not just with GitHub.
Got it. Shifting back, you talked about the large deals and how that has, you know, also seen some elongated sales cycles as just big chunkier deals they can take a very long time to work through. I believe you closed some of the largest deals in company history, basically just, you know, a few months ago. As we're sitting now in December, and obviously you can't give us too clean of insight into, you know, Q4 in general, but just curious, you know, last year, I think a lot of software investors saw a bit of dynamics of budget flush. And JFrog historically seems to be more of an H2-tilted company. I was curious if you could provide just additional color on that. Like, is it really just, you know, even historically, you just have more deals tilted towards the second half of the year?
Should we expect this to continue even into something like 2025?
Yeah. Let me actually start with Q3. I think it warrants a discussion on its own. It was an exceptional quarter. As you mentioned, we had some of the largest deals in the history of the company close during the quarter. First, we had a deal, which we talked about during Q2, that we decided to pause the discussions, and we got questioned around that. Did we lose that deal? I'm happy to report that, in fact, not only did we not lose that deal, we closed that deal, which was the largest deal in the history of the company in the beginning part of Q3. Not only did we close it, we closed it with better terms than what was originally negotiated, so we knew that JFrog was critical to this customer. The interesting thing about this deal in particular was that it was led by security.
The decision in order to come to JFrog was brought to JFrog from the CISO. It's the first time we've had a deal led by security. Once that deal was brought around security, then the discussion became, "How do we now migrate our self-hosted opportunity to cloud?" This opened the door for a massive deal for JFrog. That was deal number one. The second deal, which was a tech deal, we closed in the middle of the quarter. Thank you. That was the largest deal in the history of the company, followed by the largest deal in the history of the company, which was at the end of the quarter, which was an automotive deal.
It was an exceptional quarter in terms of a lot of big deals closing in the quarter. Additionally, two of those deals were security. One of them had JFrog Connect attached to that. A, that was important. The second piece you talk about is being a second-half company. You're absolutely right. What we see is with these large deals, they tend to fall towards the second half of the year. Now, these deals don't happen and are not born within one quarter. It typically takes anywhere from nine months to a year, in some cases even longer. But what we tend to see is those close in the second half of the year. Last question that you had was regarding Q4 and what we saw in terms of the behavior in Q4. I want to remind everybody last year, Q4 and 2023, we had a one-time benefit.
This was a true-up for customers in the cloud that had annual contract commitments, and those unused budgets were trued up at the end of the contract, and this was due to the mechanism that we had, which the unused portion was then recognized at the time of the renewal. We've, over the last 18 months, moved customers from annual commitments to monthly use it or lose it, so we would not expect that we would have the same level of true-up in Q4 of 2024 that we did in 2023. What we also see is that customers today are not spending above their commitments, so the dynamics of what's happening in 2024 is very different than 2023. From a budget flush perspective, what we see is that, you know, most customers are very disciplined.
They understand how to manage their budgets in the way that they align their usage patterns more towards commitment, and to get an additional dollar above commit is very difficult today, unlike what we saw in 2023 and certainly unlike what we saw in 2022.
Makes sense. And I don't think that's unique to you. Historically, just thinking about go-to-market, obviously the roots of Artifactory as an open-source, you know, developer tool, saw a lot of bottoms-up, just groundswell adoption. And there's been a lot more focus from JFrog over the past several years to shift more towards a top-down C-suite selling motion. What have been the key learnings, just organizationally, internally, as you've gone through that progression? And how do those learnings tie into now trying to sell to CISOs as opposed to a developer audience now?
Yeah. So the company was founded as a developer tool for the developer. And we started a bottoms-up motion. It was a product-led strategy. And that's what the developers wanted. And we served that through the open source and through the developer. It gave us the foot in the door. And what we saw is most companies started at a very low subscription level and then, over time, worked through either additional servers as we monetized self-hosted through the number of servers or by adding additional usage in terms of data consumption and storage on the cloud side. This is how it started. Over the last three years, we've invested heavily in more of the downstream enterprise go-to-market.
So this meant bringing in the right sales organization, bringing in the teams that understand how to close very large deals, the infrastructure around that, solution engineers, architecture, and systems in order to manage that. So we've done that over the last three years. Now, what we're seeing as we move forward is, A, we know that developers don't have the budget to sign very large six-figure or seven-figure deals. So naturally, you start going into the C-suite. The decision is being made by the CIO. Security, on top of that, brings in a different persona. It brings in the CISO. That's another element that's brought into the whole discussion and negotiation. So you have two different personas in the negotiation. The duration in terms of the deal cycle and how long it takes to close the deal is elongated. The size of the deal becomes much larger.
And additionally, what enterprises they don't want to come back to the table and have another negotiation in a year. They want to have a multi-year. In some cases, they're even asking for five years. Today, we're limiting it to three years. But the discussion becomes around multi-year. It becomes around adding security on top of the platform. It's also step-up. So they're considering what the budgets are going to be in years two and years three and how much usage and how many seats are going to be required from a security perspective. All of this creates complexity. We're still learning. We're building the playbook. We've now shown that we can close these types of deals. We did that with three very large deals in Q3. We continue to build that playbook.
We're learning quite a bit from each one of these deals that has a unique flavor to it.
I would just quickly add, Jeff, I think it's also maybe a reflection of the industry. Whereas several years back, it was much more developer-led. Developers got to try out all the new tools and kind of, you know, organically bring those into the organization. Now, in the large enterprise, it's much more top-down dictated as to, "We're going with a platform. Here's the tools you will use in this organization." And so I think there's been somewhat of a change in the customer base and how they're viewing things as well.
Perfect. Shifting gears, like you brought up, self-hosted and obviously a big driver to the cloud growth rate is just the pace of migrations from self-hosted customers over to the cloud. That's been an area you've been focused on. Has not been at the same level of, you know, the same trajectory relative to a couple of years ago. Just thinking, you know, maybe into 2025, what level of visibility do you have in, you know, some of your larger customers actually doing migrations from self-hosted to the cloud? And is there anything else you could do or you're thinking from either like a sales incentive standpoint or just a product functionality standpoint that you could deploy to try to juice some more migrations?
Yeah. So the visibility comes from the pipeline. I have really good visibility into the pipeline. And I know that there are many customers that are looking to migrate. I also know that I don't have a crystal ball of when that is going to happen. And that became very evident in Q2. And it's becoming more and more evident as we start to look at the pipeline and we see movement in our pipeline. I also know that I'm a second-half company. And we've seen that now for the last couple of years. So my visibility is typically anywhere from six to eight months. And that's where I have clarity. These larger deals tend to move around based on a couple of factors. Number one, I think the macro is certainly contributing to that.
Number two is the magnitude of these deals and the resources that are required, not only from a budgetary perspective, but from the number of people that are required in order to make this happen. So what do we do to help incentivize this? Number one is that we run parallel your self-hosted instance, your cloud instance, giving you the opportunity to seamlessly migrate. Number two is we provide you with tools to allow you to move your workloads from self-hosted to cloud as well. And we provide the professional services and the team to help do that. We also understand that we are not going to force you, especially in this macro environment, to do a migration. Understanding the magnitude of the budgetary and resource requirements, you'll make the decision. What we see is that once the customer is committed, 99.9% of the time they do it.
The timing of that is uncertain. We certainly provide kickers and incentives for the sales team to help kind of motivate and incentivize them to, you know, get the fire going in terms of the migration. But it'll entirely be up to the customer in terms of the timing. We'll continue to show the value of why it makes sense to move from self-hosted to cloud.
Could you also talk about just, you know, structure around sales incentives when it comes to selling security? That's obviously a big area you've talked about becoming more of a driver in 2025. Could you potentially see yourselves making any tweaks to just the seller compensation incentive models or any other areas? Yeah.
2024 was the first year that every single enterprise sales rep had a security target, regardless if you were brought in as an overlay to sell security or you were previously a DevOps rep, meaning that you sold the platform. Now you'll have both targets. That means that if you only sold DevOps, you would not get 100% of your incentive because you had a security target on top of that. We will also carry that forward into 2025. Every sales rep will be required to sell security. We see that A, it gives you line of sight into your target strategically, and it creates accountability. We see it as the right structure to drive what is a strategic driver for JFrog. We'll continue to motivate the sales organization through giving kickers and making sure that they're targeted based on security.
Got it. Digging into just some of the numbers you know most recently posted, net dollar retention of 117%, pairing up with, you know, 20%-23% revenue growth. Could you help us just understand what the underlying drivers of that 117 are and how we should think about the sensitivity of those moving forward, maybe from a standpoint of, you know, DevOps/Artifactory as well as security, as well as just self-hosted to SaaS migrations?
Yeah. So, the 117, we're very happy with the 117. Our guidance was around the mid-teens, and so we're very pleased with delivering 117 during Q3. That's driven off of, obviously, the large deals that were closed during Q3 and the migrations that we see from self-hosted to cloud as a primary driver. Anytime you have a self-hosted instance to cloud, we see somewhere between 20%-80% uplift in the first year, and then it continues to grow from there based on how we monetize. We also see existing customers in cloud based on their commitments driving the net dollar retention, and to a lesser extent right now, security, so the security add-on is also driving some of that net dollar retention. Now, as we move forward, we believe that the stabilization right now in the mid-teens is probably the level that we'll be at going forward.
What will drive that is going to be continuation of these large customers and what we see in our pipeline and the conversion of those deals from self-hosted to cloud, the continuation of the commitments, and again, security will be a driver. What would accelerate that is going to be the pace of migrations improving and then any spend above the commitment, so going back to what we saw maybe in 2022 and the first half of 2023, where you saw usage patterns that were above commit, that would help drive net dollar retention above the mid-teens.
I would just add that that point that I just made is that this year has been a headwind for us, that we are comping over a year that saw significant customer overusage. In this environment now, or at least in 2024, and Ed and I think both agree that for the near term, we don't see anything changing yet, is that the customer is being very disciplined and staying within the budget and not exceeding the budget. So to that extent, it's been somewhat of a headwind in 2024. In 2025, you'll be comping on a similar year, in our opinion. That could be a stabilizing factor as well.
Got it. That's helpful. Thinking about 2025, you've been more vocal recently about just maybe your approach to guidance, maybe being a bit more conservative guiding to what you can, you know, truly see. Just given the large deal variability you saw in Q3, how will that influence your guidance philosophy moving forward? Maybe you could just elaborate on that.
Yeah. There's actually a couple of factors. The large deals certainly play a big part of that because the magnitude of those deals have significant impact based on the revenue ratability in any given quarter. So today, it's very different than what we saw two years ago where I have deals that are in eight figures. Whereas when I have a deal that pushes out in a quarter, not only does it impact my quarter from a revenue perspective, but it's a deal that I cannot replace. So if I push a deal out, I don't have similar deals that I can pull in and replace that. Unlike maybe two years ago where you have a smaller or multiple small deals push out, I can certainly incentivize a customer to pull deals in and replace that. So that leads me to kind of change my philosophy. That's number one.
Number two is that what we saw in the past, and in particular this year, is that when you try and peg the full year, and we know we're a second-half company, and you start to see maybe a deceleration because you have seasonality in Q1, you're questioned and maybe even punished for very good results because they're looking at the full year. So what we did is we took an approach: be very conservative now. We have visibility into the first half. There will most likely be an acceleration in the second half, and then we can always increase the guidance, but it's harder to bring the guidance back if for whatever reason things did not play out as expected, so therefore, we're much more conservative in the approach. It's certainly different than what my predecessor did, and going forward, that is the approach that I'm going to take.
I think most investors and analysts got used to JFrog anywhere between 1% to 1.5% deviation in the beat. I'm not going to peg a number, but it will certainly be higher than what you've seen in the past.
That's very helpful. One coming from the audience, thinking through the Qwak acquisition and MLOps, how does that compete in the marketplace? And how can that, in a sense, in any way be differentiated with your GitHub partnership? And obviously, a lot of these DevOps players are also rolling out MLOps functionalities.
I think that one thing that we feel we differentiate, Jeff, is that the LLM is a binary. From Genesis to finish, it's a binary. And so it's something that we feel we have an inherent advantage given that we feel we are, in fact, the binary experts. Where we see MLOps going, and I think Ed may have alluded to this earlier, is that it's another tectonic shift, much like the Vdoo acquisition, where I wasn't here in 2021 when they did the Vdoo acquisition. Spoke with Jacob a lot about it at the time. But there was pushback as to why is a DevOps company buying security? They're security companies. They'll do security. You'll do DevOps. We had a different vision, a vision that security would be layered on top of a platform.
That's what you see is coming into play today and what's benefiting us for following that strategy. If we hadn't had done that, then we would be behind the eight ball as a platform, not having security on top of it. In the same aspect in MLOps, we see something that is going to be integrated with JFrog and then likely fully integrated into the software development process within an enterprise. Being a platform, we feel we need to acquire the technology, have it developed and ready for our customers to use because we eventually see that data scientist organization moving in with their LLMs and becoming much more of the generator of code three to five years from now than the individual developer sitting in the seat today.
Got it. I think we maybe have time for one more question or maybe a couple if we can squeeze in. But I wanted to ask just within your customer cohort, comparing smaller and larger customers, if you could give us a bit more color on what you're seeing with those monthly customers. And you've called out slower free-to-pay conversions. That's something we've heard from other DevOps vendors like Atlassian over the past several quarters. Are you seeing a significant divergence in the spending appetite between the largest customers you have and smaller ones? Or are they more impacted by macro?
It's a very good question, Jeff, and first, this is very much aligned with our strategy. We started the year with a strategic view of going after large enterprise and landing larger deals and getting those dollars because we see it as more durable, so that was number one. Now, what we see in terms of our monthly pay-as-you-go customers, three years ago, that was a third of our business. Last year it was a quarter of our business. Today, it's less than 20% of our business. There's two reasons for that. Number one is that, A, we see it as top of funnel, and we take those customers once it becomes economically beneficial to move them to an annual commitment. Number two is that they tend to be SMB, and today SMB dollars tend to be a little bit tighter.
We don't see as many SMB dollars acquiring infrastructure today. It's more of the larger enterprises that are, again, deeper pockets, more durable. And that's where the focus has been. It doesn't mean that we've abandoned that strategy. In fact, there is an opportunity with products to go after the SMB. And we also understand that today's SMB is tomorrow's enterprises. So once the timing is right, we'll reengage and refocus on the SMB.
I think we're at time, unfortunately. But thank you both. Thank you, Ed. Thank you, Jeff, for sitting with us today.
Yeah. Thanks, everyone.