Ladies and gentlemen, thank you for joining us, and welcome to JFrog's third quarter 2022 earnings conference call. I'll hand the conference over today to Jeff Schreiner, VP of Investor Relations. Jeff, please go ahead.
Good afternoon, and thank you for joining us as we review JFrog's third quarter financial results, which were announced following market close today via press release. Leading the call today will be JFrog's CEO and Co-founder, Shlomi Ben Haim, and Jacob Shulman, JFrog's CFO. During this call, we may make statements related to our business that are forward-looking under U.S. federal securities law and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements related to our future financial performance, including our outlook for the fourth quarter and full year of 2022. The words anticipate, believe, continue, estimate, expect, intend, will, and similar expressions are intended to identify forward-looking statements or similar indications of future expectations.
You are cautioned not to place undue reliance on these forward-looking statements, which reflect our views only as of today and not as of any other subsequent date. Please keep in mind that we are not obligating ourselves to revise our public release, the results of any revision to these forward-looking statements in light of new information or future events. These statements are subject to a variety of risks and uncertainties that could cause actual results to differ materially from expectations. For a discussion of material risks and other important factors that could affect our actual results, please refer to our Form 10-K for the year ending December 31st, 2021, filed with the SEC on February 11th, 2022, which is available on the investor relations section of our website and the earnings press release issued earlier today.
Additional information will be made available on our Form 10-Q for the quarter ended September 30th, 2022, and other filings and reports that we may file from time to time with the SEC. Additionally, non-GAAP financial measures will be discussed on this conference call. These non-GAAP financial measures, which are used as measures of JFrog's performance, should be considered in addition to, not as a substitute for or in isolation from GAAP measures. Please refer to the tables in our earnings release for a reconciliation of those measures to their most directly comparable GAAP financial measures. A replay of this call will be available on the JFrog investor relations website for a limited time. With that, I'd like to turn the call over to JFrog CEO, Shlomi Ben Haim. Shlomi?
Thank you, Jeff. Welcome everyone to our third quarter earnings call. I'm proud to report yet another strong and fruitful quarter for JFrog. In Q3, JFrog exceeded the high end of our guidance across all metrics, driven by the strength of our platform across our DevOps, security, and IoT pillars. Our third quarter revenue was $72 million, reflecting 34% year-over-year growth. Our cloud revenue increased 60% year-over-year. This is driven by expanded adoption of our platform and continued customers migration to multi-cloud and hybrid environments. The list of global enterprise customers making JFrog a part of their backbone of their DevOps and DevSecOps process also continues to grow. Customers with ARR over $100,000 grew to 696 compared to 647 in the previous quarter, increasing 49% year-over-year.
Customers with ARR over $1 million increased sequentially to 18, up from 17 in the previous quarter, and up 29% year-over-year. Our trailing four quarters net dollar retention was 130%. As the single source of truth and system of records for our company software deliveries, the JFrog Platform, which is the only binary-focused end-to-end solution, continues to be mission-critical for our customers. We're proud to be our customers' strategic partners and thankful for their trust. Now, allow me to elaborate on how this played out in Q3 with some key themes. First, the growth in full platform adoption, demonstrating maturing needs for end-to-end DevOps and DevSecOps consolidated solutions. Second, a growing interest in our binary-focused security solutions, including our recently released advanced security offering.
Third, the ongoing transformation of companies managing their software supply chain process in the cloud and enterprise DevOps migration to the cloud. Fourth, the growing need to bridge DevOps and security with IoT and connected devices. Let's begin with the increased adoption of our platform. We have been very encouraged by the ongoing adoption of our Enterprise+ subscription by some of the world's largest enterprises. The trend of the growing number of Enterprise+ customers and its increasing revenue contribution support our view that the market needs more mature end-to-end solutions. Our customers tell us how they use JFrog Platform to import, build, manage, secure, and distribute binaries to production, and how vital our solution is to the full software supply chain flow.
We recently attended Morgan Stanley's Innovation Summit, a conference the firm has hosted for 20 years, where the bank tech leadership reviewed our joint plans moving forward. Just a few years ago, they began with an initial deployment of self-hosted Artifactory and expanded to security and distribution, adopting the JFrog Platform on-prem and in the cloud. Morgan Stanley's Global Head of Enterprise Technology Architecture, Modernization, and DevOps, Trevor Brosnan, summarized it best, and I'm quoting, "JFrog's focus and vision to provide publish anywhere, available everywhere platform, uniquely addresses Morgan Stanley's need for a modern DevOps solution with global scale everywhere we operate. On-prem, in any cloud, and more importantly, near the edge of service. We continue working together to mature the next generation of software distribution with fully managed controls at enterprise scales." End quote.
We are honored to have a visionary like Morgan Stanley as a customer, and excited to keep improving our platform play at scale as today's world's enterprises demand. A full, scalable 360 binary lifecycle management to automate their software supply chain security. Second, our security pillar. We recently released our most significant set of security capabilities to date, JFrog Advanced Security. We introduced the world to the first DevOps-centric security solution that is focused on binaries. Why is it unique? JFrog serves as our customer's single source of tools for all binaries, whether it was built in-house or bought in as open source packages. Binaries are the only way development teams can fully control, automate, and secure the entire software supply chain flow, as binary includes all the data about how they were created, built, tested, and what other parts of application they depend upon or impact.
Any security tool that attempt to provide a software supply chain solution will either need to deeply integrate with JFrog Artifactory or build a binary repository. JFrog has released a set of capabilities that natively integrates with Artifactory. Therefore, JFrog is able to provide security with a unique perspective. The concept of better software supply chain security is simple. If you don't control and own the binaries, you can't secure them. With features like leak secret detection, contextual analysis, and malicious package scanning, just to name a few included in JFrog Advanced Security, we are branching out of the software composition analysis area to secure the left and right of Artifactory. The market acknowledged developers became the targets of hackers, and the world already suffered from incidents like Log4j, Spring4Shell, or other vulnerable binaries that exposed the whole organization to a risk.
This combination of holistic security with the power of the JFrog Platform, controlling and watching the binaries lifecycle, will address the need for a new era of software supply chain security threats. We are happy to see industry leaders like Google Cloud looking at binary authentication as a critical aspect for software supply chain security. We are positive that more security solutions will follow JFrog and acknowledge binaries as the primary asset to secure in a modern software delivery flow. Third, multi-cloud migration, and standardization. JFrog leads the philosophy of hybrid and multi-cloud DevOps strategy, and our customers tell us that it is here to stay. For most enterprises, this essential infrastructure migration is a multi-year effort that involves a gradual strategic change over time. JFrog's hybrid approach enables them to move workloads on their own pace while adhering to standards and regulations.
In Q3, one of the world's top three largest automobile manufacturers joined JFrog as a new customer. This multi-million dollars deal that was completed in partnership with Cloud Marketplace included a full adoption of the JFrog Platform and notably originated through community efforts around Conan, JFrog's open-source C++ package manager, preferred by many automotive and IoT groups. These customers look at DevOps and DevSecOps SaaS solution that can scale and centralize global development. They emphasize the need for binary management, universality, security, and distribution, which was perfectly aligned with the JFrog solution. They migrated from Sonatype Nexus to the JFrog Platform, looking to standardize on the cloud and evolve during the era of electric vehicles. Another example of shifting DevOps to the cloud with JFrog came from an existing customers, one of the most recognizable heavy equipment manufacturer in the U.S. s igning a deal with over $500,000 ARR.
In addition to migration, this company was also looking to standardize their software distribution process and remove manual, time-consuming tasks across all their software delivery pipelines. Now, to the early emergence of DevOps for IoT. In Q2, we announced the availability of JFrog Connect. Now, in Q3, we saw the first large deal generated by JFrog Connect in tandem with the JFrog Platform. An international defense electronics company chose JFrog to manage one of Western Europe's technologically advanced armed forces full DevOps flow to enable over-the-air software updates to the edge. In this case, the edge is heavy military equipment, such as combat vehicles. In a software-driven era, modern defensive equipment can't operate without updated software.
However, today, a soldier is required to update each edge with a flash drive manually. In a real-world implementation of our Liquid Software vision, this process will be automated and will bridge DevOps practices with other DL solutions, allowing continuous updates to the field. Again, binaries are the only software asset that is being deployed on the device, can now be managed and distributed by Artifactory, continuously secured by JFrog Security, deployed and monitored all the way to the edge by JFrog Connect. We look forward to working with more customers to build and mature this adoption at the edge, yet another task that will land on the developer's plate in the future.
The CEO of Ford Motor Company noted it clearly a few weeks ago as he shared the next era of transformation for his organization, and I'm quoting, "The next revolution in auto is digital, and Ford intends to lead that revolution. We are turning our vehicles into generators of data that will receive continuous updates." End quote. We are proud that JFrog's Liquid Software and continuous update vision leads this change in becoming a reality. I now want to address the ongoing macroeconomic challenges and geopolitical impacts many of our customers and communities are facing. Customers around the globe are looking at ways to increase efficiency and to improve their cash flow and operations through vendor consolidation and more focused strategic areas of investments. With our business efficiency and growing market demand for DevOps and security holistic offerings, we are positioned well to face macroeconomic headwinds.
We see the opportunity that customers will use an essential infrastructure like JFrog Platform to consolidate across DevOps and DevSecOps and replace legacy processes or point solutions. However, JFrog is not immune to these macro-driven headwinds, and we continue to see longer sales cycles, additional budget approval requirements, and project delays. As we step into the last quarter of 2022, I would also like to note that we stay committed to our plans to finish the year breakeven as we operate and run a solid business that not only builds value for our shareholders, innovate and pioneer the DevOps market, serve thousands of customers, but also being a home to over a thousand frogs worldwide. We take pride not only in our technology and business success, but also its resiliency during troubled times.
Before I hand the call to Jacob, I want to extend a warm welcome to the newest member of JFrog's Board, Yvonne Wassenaar . With over 30 years of experience in enterprise software, cybersecurity, and cloud, Yvonne joins our Board as she brings JFrog a wealth of industry expertise and go-to-market acceleration strategies that will help drive the company's advancement in DevOps, security, and IoT markets. With that, I'll turn the call over to our CFO, Jacob Shulman, who will provide an in-depth recap of Q3 results and update you on our outlook for both Q4 and fiscal year 2022. Jacob?
Thank you, Shlomi, and good afternoon, everyone. During the third quarter, total revenues were $72 million, up 34% year-over-year. Expansion in our cloud business continued with revenues of $21 million, up 60% year-over-year, representing 29% of total revenues, driven by new customer wins and increased usage within security and DevOps solutions. We are pleased with continued growth momentum in our SaaS business, despite some optimization of usage by our customers that we experienced during the quarter. We saw customers adjusting their usage patterns to get some cost savings as well as utilize better pricing by moving from pay-as-you-go subscription to minimum annual commitment. Nevertheless, we believe our SaaS business will continue to grow rapidly by expansion of DevOps and security solutions as well as new customer lands on the cloud.
We reiterate our belief that the baseline growth rate for our cloud business remains in the mid-50% range, with potential upside from customer usage as we have seen so far in 2022. Self-managed revenues or on-prem were $51 million, up 26% versus the third quarter of 2021. On a year-over-year basis, growth in our self-managed revenues continued to be persistent, even as vast majority of our new customers are first landing on the cloud and many large on-prem customers are gradually migrating towards hybrid deployment. We believe JFrog's hybrid solution allows freedom of choice, providing more control over how and when customers transition to the cloud. We view our support for hybrid, coupled with continued growth in self-managed deployment, as future drivers of solid growth in our on-prem business.
Net dollar retention for the four trailing quarters was 130%, in line with our prior commentary. As of the quarter end, we have 696 customers with ARR of over $100,000, up from 647 customers as of June 30th, 2022, and up 49% from 466 at the end of Q3 of 2021. We also grew the number of over $1 million ARR customers to 18. Up 29% year-over-year. As we discussed in the past, adoption of the full platform is a key factor in the increasing size of our customers. In Q3 of 2022, 39% of our revenue came from Enterprise+ customers, up from 34% in Q3 of 2021. Now let me discuss the income statement in more detail.
Gross profit in the quarter was $60.6 million, representing a gross margin of 84.2% compared to 84.5% in the year ago period. We expect gross margins will remain between 83%-84% in the near future, and then trend toward the low 80% over the long term as cloud revenues become a greater portion of our total revenue. Operating expenses were for the third quarter $59.4 million or 82% of revenues, up from $44.1 million or 82% of revenues in the year ago period. Our operating expenses grew approximately $600,000 sequentially as we initiated previously announced operational efficiencies. While we continue to invest strategically within R&D and build out our enterprise sales and channel relationship for the long term, we also have continued to look for ways to enhance productivity and reduce costs.
non-GAAP operating profit in Q3 was $1.2 million or a 1.7% operating margin compared to an operating profit of $1.3 million or a 2.5% operating margin in the year ago period. We turned back to profitability this quarter as non-GAAP net income in the quarter was $1.8 million with earnings per share of $0.02 based on approximately 105 million weighted average diluted shares outstanding, compared to a loss per share of $0.02 in the previous quarter. Turning to the balance sheet and cash flow, we ended the quarter with $434 million in cash and short-term investments, up from $430.2 million as of June 30th, 2022. Cash flow from operations was $5.1 million in the quarter.
After taking into consideration CapEx, free cash flow was $3.8 million. We remain committed to accelerating our free cash flow margin towards our long-term target of 30% over the coming years. As of September 30th, 2022, our remaining performance obligations totaled $189.8 million. As Shlomi noted, the overall global macro environment remains challenging. However, I'm proud to say that our renewal rates remain high, usage remains high, and some of the world's biggest companies are turning to JFrog to make them more efficient, more secure, and more scalable. We have already implemented some cost savings initiatives, and we'll continue to do so as we navigate these uncertain times.
We remain consistent with our forward guidance methodology, working to balance the macro challenges faced by the global economy and the opportunities we see to extend JFrog's role in the software supply chain. For Q4, we expect revenue to be $76.5 million-$77.5 million with non-GAAP operating profit between $1 million and $2 million and non-GAAP earnings per diluted share of $0.01-$0.02, assuming a share count of approximately 106 million shares. For the full year of 2022, we anticipate a range between $280 million and $281 million. Non-GAAP operating income is expected to be between $1 million and $2 million, and non-GAAP earnings per diluted share of $0.01-$0.02, assuming a share count of approximately 106 million shares.
We're guided to break-even levels for fiscal 2022, and even with the headwinds created by the current environment, we continue to execute on this commitment. Now, let me turn the call back to Shlomi for some closing remarks before we take your questions. Shlomi?
Thank you, Jacob. As I'm wrapping up, I'd like to thank my team. I'm proud and honored to walk alongside the team driving these groundbreaking innovations. We look forward to partnering with our customers to drive their digital transformation and adopt a modern DevOps security and IoT solution with our platform. Thank you all for your attendance today, and may the Frog be with you. Now we'll be happy to take your questions. Operator?
Thank you, sir. Ladies and gentlemen, if you would like to ask a question, please press star one on your telephone keypad. Once again, that is star one if you would like to ask a question today. We're gonna take our first question from Mike Cikos, Needham & Company.
Hey, guys. Thanks for taking the questions here. I wanted to circle up on some of the commentary regarding the macroeconomic environment. I know that you guys are saying that you're not immune. We are still seeing longer sales cycles, additional process approvals, and budget delays. I know that we had called out some of these factors last quarter when we last caught up. Can you help us think about have these sales cycles, the extensions, are they getting worse versus where we were three months ago? Or, is it spreading to different geographies versus what we were calling out last quarter? Any color there would be helpful.
Hi, Mike. This is Jacob. I will take this question. Overall, we see pretty comparable sales cycles, comparable to last quarter. We did see slightly more weakness in Europe.
This time, partially driven also by a stronger currency. As you know, we charge our customers in U.S. dollars, and we've seen that a strong dollar kind of makes our customers in Europe to think a bit longer before they commit to the project. Overall, we don't see any significant changes in the sales cycle length.
Thank you for that. If I could just squeeze in maybe a two-parter here. I know in the prepared remarks you guys had called out, I believe it was, competitive displacement versus Sonatype Nexus. Just curious, can you help us think about when you are seeing out there, who are the most common competitors that you're bumping up against? Has there been any change on the competitive front?
Yes. Hi, Mike, this is Shlomi. Take this question. Yes, we mentioned the large deal that we're building this quarter and displaced Sonatype Nexus. In terms of the full holistic platform that is focused on binaries, I think JFrog stands first and we see less competition there. If you break the platform to different capabilities, obviously in the world of security, we see some point solutions that competes on the static code analysis area and developers security. On the package management, obviously there are some solutions that are very limited in terms of the universality of the package and the binaries they support.
We don't see any vendor provide a full platform that is focusing on binaries and secure your software supply chain, manage your binary, and also the distribution to the edge. More of what we see at the front is homegrown solution that we are replacing and some emerging technologies that are trying to get into this market.
Great. Thank you for the color guides. I'll turn it over to my peers. Appreciate it.
Next up, we'll hear from Brad Reback, Stifel.
Great. Thanks very much. Jacob, on your optimization commentary on the SaaS product, will that linger here into 4 Q or was that pretty much confined from your standpoint to the September quarter?
Yes. It really depends when customers initiated those changes. We've seen customers kind of gradually introducing those. We still believe that our SaaS business will continue to grow rapidly. We reiterated the baseline for our SaaS growth as we keep this with potential upside from usage. As you know, Brad, we continue to introduce new capabilities in cloud and to present additional expansion opportunities for us. We're confident that our cloud will continue to grow rapidly.
That's great. Shlomi, do you still feel pretty good about your ability to sustain 30% organic growth as you've talked about historically?
Yes.
Perfect. Thanks very much.
Our next question today comes from Kingsley Crane, Canaccord.
Hi. Thanks for taking my question. Overall, your business appears to have held up quite nicely. Just wanna take a step back. How sensitive do you think your platform is to cost rationalization in general? Do you think the nature of your platform makes it more defensible?
Hi, Kingsley. Can you please repeat the question?
Yes. Do you think or how sensitive do you think your platform is to cost rationalization? Do you think the nature of your platform makes it more defensible versus something like a monitoring platform, for example?
Yeah. I'll take some of it, and Shlomi, please, feel free to chime in. First of all, we provide a lot of value to our customers. Our platform helps to significantly improve the efficiencies of the software delivery process, and it is mission-critical tool for many of our customers. Therefore, we believe that despite the fact that customers may be trying to utilize some optimization efforts on SaaS, there's still significant need for them to expand our platform usage because they generate significant value from streamlining the software delivery process.
Yeah. Well, regarding the platform, I think that what we hear from our customers is that they are looking to consume the point solution into one solution that is centralized around the software supply chain. Software supply chain is being managed through the binaries. This is what you host, and this is what you promote, this is what you distribute, and this is what you secure. With the latest release of JFrog Advanced Security, with the release of JFrog Connect, we actually provide our customers with full ability to take the binaries from the development phase all the way to the deployment at the edge. Customers find that very appealing. Plus the fact that it's available as an on-prem solution and cloud solution on every cloud, almost on every region.
That's becoming an essential part of the decision-making when we speak about the central infrastructure migration in our customer sites.
Great. Thank you. That's really helpful. Just one follow-up would be, wanna talk more about your large Connect deal. What did you learn in the process that can help with other deals going forward, and how would you gauge overall customer demand?
Yeah. Well, JFrog Connect is, you know, something that we announced in Q2, in addition to our platform. We were very, very excited to see that the large project, the defense project in one of the European militaries decided to take the leap after using Artifactory and Xray, Artifactory to host the binaries, Xray to secure them, to take the binaries all the way to the edge. Software update over-the-air is the future.
As we said in the past, security became part of the developer's task. We know that in the future, deployment to the edge over-the-air update will be part of the developer's task. Building that as part of our platform, being able to deploy this update over-the-air as the combat vehicle is running, is a big, big change. Currently in the market, JFrog is the only platform that provides this capability.
Okay. Very helpful. Thank you.
Our next question today comes from Bob Huang , Morgan Stanley.
Hi, this is Bob filling in for Sanjit. Just for starters, just to think about your security product strategy, do you have to change your go-to-market motion or do you have to invest in additional specialist sales teams or security teams to really have your products adopted or is that the way to think about it?
Yeah. That's actually a very good question. Thank you, Bob. JFrog Advanced Security was released just a few weeks ago. What we see from the market is that the excitement and the interest around it is really shows a very high demand for what we've released. We have to think about why it's unique. It's unique because of the technology that is focused on the binary, which is the only way to control and manage your software supply chain. It's also unique because it comes with a platform. Not a point solution that focus on one capability that you need in your software delivery process, but a full holistic end-to-end solution together with the registry, with the repository distribution and so on.
In terms of the go-to-market, as we introduced in our updated pricing page, two new packages that includes JFrog Advanced Security on top of the DevOps capabilities and on top of Xray. That's a new product line that we will keep investing in, and you will see more and more evolution of our security as a whole. Regarding the question of the sales force, obviously we have experts in the domain, not only on the sales side, but also the solution engineers and the architect side. And the idea of having a full solution requires people to understand not only security and what is the pain that we are solving to our customers, but how this is embedded into a full platform play.
The answer is yes on the three aspects, the technology, the full platform, and the go-to-market and the sales to market.
Okay. Thank you. That's really helpful. Just a follow-up question on the Advanced Security pricing. If, let's say, a current DevOps customer is spending about $100 today, how much of that would go to the Advanced Security? Like, if they were to adopt Advanced Security, how much of that $100 would go toward that?
We're currently in the introductory phase of our Advanced Security subscriptions, and obviously you saw the pricing. For monthly customers, it's increased to $3,400 per month. For platform plans, it's a customized price, and it's dependent on the volume and methodology that customers use to scan their binaries. Just keep in mind that this is more usage-based business model, and we're still learning about the customer, how customers would use that and the patterns. We just launched it about two weeks ago, so it's too soon to tell exactly what would be the immediate impact on customers' positions. We definitely believe that the Advanced Security over time will be a significant driver to our revenues.
I will follow up on what Jacob mentioned and maybe emphasize two things regarding the way we build the go-to-market for Advanced Security. A, we are aligning the value of our technology with the need of the customer. We are charging only per artifact scans, per binary scan, as Jacob mentioned. It's a consumption model in the Advanced Security, whether it will be an on-prem installation or cloud installation.
And B, t his is very important. JFrog Advanced Security capabilities and some of the features that we mentioned in the earnings call replace several point solutions. If you think about the developers' dollar spend, you can think about displacements of not just one security tool, but many across the software supply chain flow.
Thank you very much, and congratulations on the quarter.
Thank you.
Just a reminder everyone, it is star one on your telephone keypad if you would like to ask a question. We'll go now to Pinjalim Bora, JP Morgan.
Oh, great. Hey, congrats on the quarter. Thanks for taking the questions. One question on advanced security. Staying on the pricing question. We noticed that you kind of folded the optional Xray price, I believe, with the Enterprise X. Previously it used to be optional, now seems like it's not. Is that a change for new customers? How would that have impact existing customers if they have to choose a higher pricing when they come for a renewal? Maybe some color there would be helpful.
Yeah. Pinjalim, I'll take this question. If you recall, for self-managed customers, we made Xray mandatory already some time ago. Effective second quarter of 2021, we eliminated enterprise subscription and made Enterprise X subscription mandatory. Pretty much every self-managed customer today has Xray as mandatory portion of the enterprise subscription. Obviously Xray is also included in Enterprise+. Now, Advanced Security requires Xray. Therefore, only customers who have a Xray has ability to utilize Advanced Security capabilities. Therefore, we give these customers, Enterprise X and Enterprise+ customers, those who would be utilizing Advanced Security capabilities.
On our SaaS business, we also made slight adjustments to our subscription structure to make Xray mandatory for enterprise customers for the base package. Typically, we see that our customers use volumes that exceed base package, and therefore it doesn't have any significant impact on our business.
I see. Understood. Okay. Is it possible to quantify the cloud optimization adjustments that you talked about that customers made? Any way to quantify that? What was that impact in Q3?
Again, it's primarily happening to customers who on pay-as-you-go business model. As you know, our annual customers have a minimum commitment. Overall, we see that both groups, pay-as-you-go and annual commitment usage continues to grow. Now, each of the pay-as-you-go customers could be volatile from period to period, and we did see some volatility during Q3. It's hard for us to exactly quantify that because this volatility sometimes comes also as a result of timing of different projects and initiatives. The reason we noted that, and we know that some of the customers are doing optimization, is because we talk to the customers to better understand their future plans and how we can extend them, but it's really hard to quantify that.
Got it. Understood. I'll get back in the queue. Thank you.
Our next question is Jason Ader, William Blair.
Yeah. Thank you. Hey, guys. Jacob, did you guys provide an initial view on 2023, or is that something you're willing to talk about?
No, we currently not providing any guidance for 2023. As Shlomi noted, we see a lot of opportunities for us to continue and grow within existing customers. We introducing new capabilities on cloud and on-prem, but still we said that we're not immune in kind of macroeconomic environment, and we're still learning. Therefore, we're not ready yet to guide for 2023.
Okay. You're gonna wait till next quarter, basically?
Correct.
For you, Shlomi, can you give us an update on your go-to-market motions and how these have evolved since the IPO and, you know, maybe are there any areas that have surprised you to the upside or the downside?
Yes. Hi, Jason. In terms of the go-to-market and as the market follows, we've been very consistent with adding more capabilities and reinforce our platform. Today, JFrog supports the world's biggest enterprises, and then we have to scale to their level of expectation. What you see us adding, not only on the DevOps front, but also on the security front, together with the Vdoo acquisition, on the IoT front, together with the Upswift acquisition, all the services around that with special support and special professional services if needed. The hybrid methodology that allows enterprises to migrate some workloads to the cloud and still have their on-prem instances, this is very much aligned with what we see in the market.
Obviously, most of the value we bring comes at the enterprise level. You also see that in the numbers. The number of customers over $100,000, number of customers over $1 million, the number of platform adoption really encourage us that we are taking the right decision as it goes to market and the technology that leads that.
You talk about cloud marketplaces, has that become a more significant channel for you?
Yes. We invest a lot in the co-marketing and co-sale together with the all clouds. We have great relationship with the major clouds, and we expand that. The philosophy of multi-cloud also finds a very you know high demand from big organizations that need to follow some regulation and strategy decisions. Having this private offer co-selling at the marketplace, having this collaboration with the cloud obviously increased our ability to grow with our customers and to land on a higher volume in new customers.
If I just may to add to that, Jason. It's when the customer have commitment to large cloud providers, it's much easier for us to work through marketplace. Therefore, majority of our largest deals in cloud they came through marketplace, and we worked together with this cloud to close those deals.
Gotcha. The unit economics are better for you when they go through the cloud marketplaces versus selling direct?
Unit economics is better. Yes, correct.
All right. Thank you, guys. Good luck.
Thank you.
We will now hear from Michael Turits, KeyBanc Capital Markets.
Hi, guys. This is Billy on for Michael. Just wanna ask last quarter, you called out kind of similar macro headwinds, like these longer deal cycles and increased approval layers. Just wanna see if you made any changes to your selling motion or how your sales team approaches deals now, to kinda counter this increased scrutiny. Thanks.
Yes. We are obviously becoming more proactive, knowing that it may take longer for our customers to close the deal. We contact them earlier. We work closer with them to better understand their plans. Many times, sometimes even we work with our partners like the cloud alliances to help the customers to maybe accelerate some of the projects through migration to clouds.
Michael, if I may add to it. The other side of it is that when you come with a platform, a full platform, robust, scalable platform that also comes with a hybrid story, there is a very good chance that JFrog will displace few vendors. What we see in the enterprise market is that part of preparing themselves to recession is also consolidating different solutions into one. We are planning, as Jacob mentioned, we are going proactive with that. I think that we have a great story to tell, not just from the technology side, but also from the end-to-end solution side.
Great. Thank you.
We'll now go to Rob Owens, Piper Sandler.
Hey, thanks for taking my question. This is Ethan Weeks on for Rob Owens. I wanted to ask about the Enterprise + mix as a percent revenue. Looks like it was really strong this quarter, up to 39% on a big quarter-over-quarter increase compared to what we've seen in the past couple of quarters. Just curious if you guys are seeing some broader consolidation tailwinds or some of these more advanced security capabilities or customers move up tiers quicker, compared to historical levels. Thanks.
I will take that question. The reason for growth, and we're very encouraged by this growth and happy to see this growth in our Enterprise+ solution, is continued adoption of our end-to-end platform capabilities. Specifically, many customers realize that it's not enough for them just to be efficient on the developer side, development side of the software. They need to take software to the market, and our distribution capabilities help them to achieve that. Therefore, we see more and more customers adopting the platform to utilize this full DevOps flow all the way from developer to the market. Continue to see that the primary reason for adoption of the platform distribution capabilities. Advanced Security will also be available for Enterprise+ customers.
Again, so far, we launched it on cloud-only, and it will become available for self-hosted customers early in 2023. So far with the numbers you see, they're not impacted by Advanced Security because it was just launched early in Q4. It's just continued adoption of DevOps practices, end-to-end solution, offered by JFrog. JFrog is the only company today that offer these capabilities.
Got it. That makes a lot of sense. Just as a follow-up, I was curious, the performance of the U.S. federal in the quarter, what did you see, and how did it trend compare to your expectations going into the quarter? Thanks.
Yeah. Our U.S. federal business is relatively material, and we haven't seen any significant changes so far just because it's.
Once again, everyone, that is star one, if you have a question. We'll go next to Mike Cikos for a follow-up.
Hey, guys. Thanks for letting me back on here. I did just want to try and take another stab at maybe some of this macro volatility or customer behavior when we're thinking about the pay-as-you-go customers versus those utilizing those minimum annual commitments. Maybe it would be helpful just to have a like broad brushstrokes here, but can you help us think about the percentage of your revenue or the percentage of your customer base that currently uses pay-as-you-go? I think that might help people start to get a better feel for how these customers are trying to adjust their spend in the current environment. Any color there would really be helpful.
Yeah. Today, pay-as-you-go is about 1/3 of our SaaS business, so majority of our SaaS business is annual. Typical customer journey would be when a small customer lands on pay-as-you-go, they continue to use the platform and capabilities. When they reach a certain level of usage, they would typically transition to annual minimum commitment, A, because they already understand the capabilities and see the value, and B, because they can get some price discounts because of the annual commitment and that's what they use. We see more and more customers joining on cloud to pay-as-you-go. We continue to see this group continue to grow. Each of the customers could be volatile again, as a result of adopting new capabilities, optimizing their spend, timing of the project, et c.
Overall trend of this customer group is up, and we're encouraged to see that they, as a group, these customers continue to grow despite the fact that some of them transition during the quarter to the minimum annual commitment.
The fact, Mike, that what Jacob mentioned is the natural cloud flow. We also see a trend of migrating to the cloud, and these are customers that are using our on-prem solution and already familiar with the platform, already familiar with the technology and the services, and migrating to the cloud. While they are doing that, usually they will land immediately on an annual contract and not start all the way from the beginning.
Understood. Thank you. Thank you very much for the incremental color there. I do appreciate it.
Welcome.
Next up, we'll hear from Ittai Kidron, Oppenheimer.
Thanks. A couple of questions from me. First one on the gross margin. It did tick up quarter-over-quarter even though your cloud mix is higher. Jacob, maybe kind of walk us through that a little bit, what's behind that?
Yeah. That continued effort to improve efficiency of our cloud. Operating the cost-saving initiatives, which is an evolving process. We continue to do that. That's the reason for our cloud to be, for overall margins to be better because our margins on our SaaS business improved during the quarter.
Good. We should not assume any gross margin deterioration in the future as cloud goes up in mix. Good.
Ittai, still gross margins for our SaaS business lower than corporate margins. Therefore, the bigger the portion of our SaaS business will see this trend to go to low 80% over a certain period, over a long time. Meanwhile, as we said in prepared remarks, we expect the gross margins to stay between 83% and 84% in the immediate future.
Okay. All right. Second question regarding 2023. I know Jason tried to get some color on fiscal 2023. Are there any kind of puts and takes though you want us to keep in mind as we think about 2023? And maybe you could talk about how big your renewal base is going to be in that year. Is it gonna be average or substantially lower or higher? I don't know, like from a cohort standpoint, what comes up. Maybe you could talk about what comes up for renewal and how do we think about that.
Vast majority of our SaaS business is annual for annual contract.
Got it.
About a third of the business on SaaS is monthly. Two-thirds, slightly above that is annual. About 80% of our self-managed business annual, and the rest is monthly. We do continue to see significant renewal base every year. We encouraged to see that the renewal continue to be strong, comparable to historical levels. Churn, again, very minimal. We have very sticky products. Our cloud continues to grow much faster than self-managed. We will introduce new capabilities to self-managed solutions in 2023 in security area. We enter the year very strong.
Ittai, I.
Okay.
Shlomi here. I'll add one thing. When we are looking at the essential infrastructure, I believe that you know a company, no matter what company, when they bet on an infrastructure, usually they take a long run decision. This is not something that you would place on the developer machine. This is not something that you would place on the individual workstation. Therefore, we keep investing in our infrastructure as a platform. Customers that are betting on JFrog, those who chose JFrog this year, those who renewed this year, are probably looking at the long run as they set up their security and DevOps essential infrastructure cloud or on-prem.
All right. Well, maybe I can expand on this, Shlomi, a little bit. When I think about the current environment, there's an argument to be made, right, on the negative side of it is that, you know, in times of financial distress, IT departments are probably trying to do as little as possible and not take risks on new systems and just keep what they have for another year and then evaluate later. On the flip side, your platform now enables customers to consolidate multiple points and create savings. In this push and pull situation here, how do you think the deck is stacked up for you over the next couple quarters with macro environment a bit more challenging?
Is it on the net positive or on the net negative, or perhaps neither here nor there, but would love to get your perspective on this?
Yeah. Well, that's a very good analysis of what we see. Well, without putting aside for a moment the macroeconomy, when you look at advanced security, the world in 2022 and 2021 already suffered too much from holes in the software supply chain security. It's not something that is being articulated by JFrog. The White House is speaking about it. Regulation from the British Parliament is coming with instruction of how you should protect your software supply chain. The world start to understand that there is only one way to fully protect your software supply chain, and it's protecting the binaries. I don't think that customers, organization, enterprise or not, actually have a choice. They will have to upgrade the legacy security solution. They will have to look at consolidation of security solutions.
They will have to get control over those binaries. I think that what JFrog now released answers all of the three. Yes, I'm expecting to see a growth in the adoption of our platform and the consolidation of having a DevOps solution coming with a very strong software supply chain security solution and not point solution or a feature here or a feature there or some small research team that some of the vendors are offering. We offer the best database in the world for security vulnerability, the most updated one. By the data, we released more zero days than any other vendor in the world in 2022. We are very positive around what we are building, not only for security, but security that comes with the repository as well.
Okay. Maybe if I may then, last one, Shlomi, just on this, and I'm asking this because I don't really know the answer. Are there security threats that are specific to binaries that will not show up in code but will only show up in binaries? I'm trying to think how specific the threat is to that level of insight that clearly you have a great vantage point to and code repositories don't. What is unique about binaries that there are threats there that cannot be picked up with normal code scanning?
I love this question. I will try to make it short because it's an earnings call. There is no way, there is no developer in the world that will tell you that with static code analysis and software security, you can protect your software supply chain. What comes with binaries is also the metadata and the dependencies and everything that you need to know about where this package is flowing to. If you take, for example, the Log4j, it's not only finding patient zero Log4j, it's also finding all the dependencies that all the developers in all deployment environment build with it. With Artifactory as your single source of record, and with JFrog Advanced Security on top of it, you are not just running on the best data that you control, you actually control.
You also have the ability to look at all the dependencies and where the binaries are in all different builds, in all different teams, in all different deployment environment. That is impossible to be done with source code.
Got it. Makes sense. All right. Apologies for all the multiple questions. Appreciate the call. Very helpful. Thank you.
Thank you, Ittai.
Everyone, at this time, there are no further questions. I'll hand things back to management for any additional or closing remarks.
Well, thank you everyone for joining us to our Q3 earnings call. We are very excited about the progress the company has done. May the Frog be with you. Thank you, everyone.
That does conclude today's conference. We would like to thank you all for your participation today. You may now disconnect.