Great. Thanks to everyone for joining us today. My name is Mike Cikos. I'm the lead analyst here covering JFrog at Needham. With us, I'm pleased to say we have the management team here, CEO, Shlomi Ben Haim, as well as the CFO, Ed Grabscheid. We have 40 minutes set aside for this. I have some direct questions on my side I'd like to get through, but just wanna make sure that people are aware. You should have some sort of functionality to submit a question. I will do my best to make sure we're getting to that while we have the management team here. With that out of the way, Shlomi and Ed, thank you again for your participation. You're really looking forward to this fireside.
Thank you for having us, Mike. It's a great pleasure being here.
Excellent. Thank you. Just wanted to start very high level before we start digging in. But based on your customer conversations, what people are coming to you, I guess with today, where are customer conversations going? How does demand feel? Do you have a decent sense for how budgets are shaping up? Anything on that front as we head into 2025?
Yeah. So, Mike, as you know, JFrog today serves over 7,000 customers worldwide. Our portfolio is very diverse. Some of the biggest companies in the world, some of the SMBs. So we have a variety of customers to be educated by. And what we usually hear these days is that, A, they are looking to consolidate DevOps, DevSecOps, and MLOps tools around one platform, best-of-breed platforms that will coexist next to each other instead of having multiple point solutions. We are hearing that we are not yet out of the woods, but they are still looking at the cloud migrations. And cloud migration projects that were delayed in the past because of the macro situation are maybe going to come back.
The last thing that we hear is that AI, while was very amplified almost on every conversation, it takes longer to adapt and to bring all the way to production. That's the main notion that we hear in today's market coming 2025.
Excellent. Thanks for flagging that 'cause it does feel, at least at the margin, like 2025, things are slightly more positive. I don't wanna say it's anything that we've sadly checked with a number of companies. It doesn't feel like anyone's baking in anything for the change in the US administration here, but budgets do feel like they're growing at a slightly healthier clip this year. I'm just curious if the macro is relatively unchanged. What is it JFrog is doing from its go-to-market process to potentially help customers through that macro? Is there any way to accelerate whether it's the adoption trend or help encourage usage as an example?
Yes. I'll start in it if you want to chime in. Listen, we invested a lot in the past four years in building our up-market, top-down sales mechanism, coming with a full offering of a platform that not only includes DevOps capabilities but also security capabilities and MLOps capabilities, distribution, and fleet device management. What it gives us today is more flexibility when we are landing in a customer's in a much broader way, speaking with different personas. So in terms of how we help our customers, we bring a lot of experience in cloud migration. We bring a lot of experience in maintaining both environments. Listen, Mike, this is crucial for the enterprise. If you are migrating from an on-prem setup to a cloud setup or even multi-cloud setup, having those environments still running in parallel, this is something very unique to JFrog.
Our customers love that, and the practices that we developed around that are very important for them. So in terms of how we help, first of all, we can maintain two environments. You don't have to choose. JFrog gives you the freedom of choice. The second thing, we have best practices from the world's biggest companies. And not only that, but probably on several industries and sectors because each one of them comes with a unique color. So professional service packages, escorting them, consulting, advising, working with them, partnering with our customers, making sure that not only your DevOps assets are secured, but also the holistic security solution is something that we can bring into the same migration. So we are very excited about that. And again, I don't want to be too optimistic, early in the year.
But there is maybe a reason for a slight smile.
Okay. Understood, and I didn't mean to cut off. Ed, did you have any additional commentary on that one?
Sure. What I would add to that also is that when the customer makes the decision to migrate, then we've seen that that customer will migrate. So once that decision is made, there's a high probability. It's the timing of when that will happen is not always very clear. We don't have the crystal ball in that, for that situation, especially in large migrations, but once the decision is made, now, as Shlomi said, they can also continue to use their self-hosted. So those customers today are self-hosted customers, and they will continue to use that, and we'll get the revenue from that self-hosted until they migrate, on the cloud.
Understood. And for the audience as well, I think about the usage trends. And correct me if I'm wrong, but I think that the assumption in the guide for Q4 was that usage would remain relatively stable. So I just wanted to get a sense, is that stable usage from Q3 to Q4, is that typical, or are there seasonal patterns that we should consider when we're building out our models and trying to get a better understanding of how the customers are using the platform more broadly?
Mike, there are no surprises about the holidays, right? Every year we know exactly when Thanksgiving is, and we know exactly when Christmas is, thank God. Seasonality because of holidays is not something that you should be surprised about. Mainly, you know, maybe there is some changes between one year to another if it's happening during the week or on the weekend. But the seasonality was as expected. We didn't see any abnormal moves in terms of consumption. We didn't see any kind of different changes compared to previous years in terms of the holidays. I will tell you one thing, and this is super clear, and it's been very clear throughout 2024. Our customers are very strict and very disciplined as they consume software today, data transfer and storage. They're not going over the budget. They're very disciplined with that.
You know, we spoke in the past, and I said, if you were a developer in 2022 that used more than your budget, you would be considered as a hard worker employee and maybe even get a pat on the shoulder. If you would do it in 2024, you would be fired for it. So that's how they are disciplined. And we also see it with our biggest customers. When they see that they get to the quota, they will reach out proactively if our sales team didn't do it first. And they will ask to renew and maybe change the quota, maybe negotiate a bigger volume for a better price. But we didn't see anything abnormal in 2024 end of the year.
Understood. And for those cloud migrations, I know, Ed, you were commenting on that just previously, but when customers are going through that, consideration of, hey, we've been on-prem hosted, we're thinking about going to cloud, is GenAI coming up as a reason why customers are maybe weighing that decision or maybe elongating that sales cycle to a certain extent? Like, does that slow the process when GenAI comes up?
That was a question to Ed? Did I hear you?
Either one of you. Either one of you.
Okay. I'll stop. GenAI, well, first of all, Mike, GenAI is a very big world. Okay? There is a lot of things that are coming under GenAI. Currently, our customers are speaking with us about the offering of the MLOps and about the offering of managing their models, LLM, technologies. They are speaking about the integration, tight integration we have with Hugging Face and scanning and securing their model. This is what JFrog provides as an infrastructure to the world of GenAI at this point. As I said in the beginning, there were a lot of statements in 2023 when they forecasted 2024 about GenAI in production. You can see it in the market. You can see it in the field. You can see it on the CIO surveys. Most of them were delayed.
And the main reason for the delay was compliance and regulation coming first and then budget coming second. I think that your question was more referring to the budget because it's a very big black hole now. And they know that once they run in the cloud and they need to run models in the cloud, it would be more expensive from a compute perspective. So what we have seen is a slower adoption of GenAI in production in 2024, mainly because of compliance, regulation, and budget estimations.
Mm-hmm. And as we're walking down that maturity curve, is it fair to think that while things have been slowed by pulling in those different constituents, we are, I don't know, quote unquote, like getting the hang of it? Like, is that becoming less of a roadblock, or are we just progressing further through that pipeline now where these parties have been pulled in?
It's a fact that companies will use GenAI. It's not, it's not a question. And most of them are becoming mature with it. If they thought that having Copilot to code with will take a quarter, then they understand that it takes three quarters. But once it's in, it's in, and it will be fully adopted. And I assume that we will see that some of the projects that were pushed from 2024 to 2025 will get into production. Same thing happens on the government level when it comes to regulation about AI, when it comes to ethics rules about AI and the usage of AI, IP protection, and other things that organizations are, you know, you cannot blame them, but freaking out from not knowing.
In terms of budget, I think here 2025 will serve us as a kind of a trial and error year because I don't know even one CFO that can say how much it will cost to migrate some of the workload to be handled by AI and agentic AI tools. It might be more than expected, might be less, but I think that they will have their eyes open on the AI budget. I know that Ed is when it comes to us using AI inside JFrog.
Great. Great. And again, to come back to that cloud migration question for a second, but like when a customer has decided they wanna move from self-hosted to cloud, how does the parallel subscriptions work? What is required for the customer to go through that transition?
It really depends. If it's, as is, just moving from on-prem to cloud, then it is set up your environment in the cloud. Probably you will choose the region and the provider, the hyperscaler you want to go with. JFrog supports all regions and all major clouds. It's really up to you where you want to be. It will be usually next to your team or next to your customers. And we can set up your environment in a matter of hours. The migration of your artifacts from self-hosted to cloud is a non-brainer. It's easy. We have tons of practice with it, and we have migrator automated, migration processes. It's really easy. But most of the enterprise, and we will focus on the enterprise in the last year, we chose to be focused on the enterprise in the last few years.
Most of them, when they are getting into the migration process, they are taking more than what they had in the on-prem. And hey, you can understand, like most of the headache they had from maintaining their own environments and their own infrastructure is now in the vendor hands. So, they start to speak about security. They start to speak about consolidations of security tools. They start to speak about distribution to their customers using JFrog as a download center. JFrog today enables software delivery for most of the biggest bank, biggest automotive, biggest healthcare companies, bigger tech companies. It's not just the CI/CD pipeline. It's all the way to the Docker image, component container on the customer side.
So, they will probably take more time to run a proof of concept of this cloud migration in parallel to their on-prem. But once ready, it would probably be bigger. And I think Ed, in terms of numbers, we showed how it impacted JFrog growth, right? But what a customer that is moving from on-prem to cloud on average.
Anywhere from 20%-80% on a like-for-like subscription, you see an uplift moving from self-hosted to cloud.
Excellent. Yep. Okay. And just coming back to security, right? 'Cause you guys are obviously building a broader platform here. Can you talk about that security element? It's great to hear that it's driving deals could be a material contributor this upcoming year. When security is introduced, and I think Shlomi, you might already be touching on this, but how does the procurement cycle on the customer's part change? And then again, I know it's an earlier offering, but is it, I guess, how does that customer relationship change? Do we have evidence that the gross retention dynamics are actually improved because of that security attached?
Yeah. So, Mike, thank you for this question. We are known for Artifactory, and Artifactory is a core capability of JFrog. It's a flagship product and the center and the core of our platform. But Artifactory became the single source of truth for most of our customers. If you want software packages, no matter what technology, if you want artifacts, if you want containers, if you want AI models, this is where you go to. So Artifactory really became the standard maker in the world of DevOps. And just like GitHub for source code, Artifactory is for binaries. And that's the standard. And I'm honored to say that that's became the standard in the market. On top of it, we started to build the security capabilities.
So if you are back to your question, if you are already a JFrog customer using Artifactory, then the procurement process, the master service agreement, this is easier. Yes, still negotiating the bigger deal. Yes, still want to understand how the subscription covers that, but we already have a relationship with you. Therefore, what we've seen in 2024 was really good news for JFrog. We bet on a model of expanding within our portfolio. And we shared that swampUP our user conference back in September, the growth that we saw on the security side in terms of the logos they started to adopt JFrog Security.
What was amazingly fascinating, very exciting, we were surprised actually that we started 2024 with introductory prices for security because we thought that someone, you know, in our world, it's we like the term swallow a frog is positive, not negative. But if you have to swallow a frog, now you have to pay for security as well, then you might want to test it and test the water with the introductory prices. What happened to us in 2024 was amazing. We started the year saying, hey, why don't you just test it, and our biggest customers told us, like, if what you are showing us is true, it will take us longer to test it, but we are not going to start small. We are going to start big.
That was an amazing kind of fresh attitude that we saw in 2024 coming from our customers. So procurement would be shorter, not the negotiation, but the old crafting the agreement. Proof of concept would be longer. Especially if they are displacing point solutions, it would be more than one. It's not just the Black Duck, the Snyk, the Mend, the Veracode, the Aqua of the world. It might be all six of them together.
Mm-hmm. And, just to come back to that, again, I don't know if it's too early to start discerning, but are you showing different retention rates for those customers once they've adopted security, or is it still too early?
I think it's too early. At the end of the year, we will disclose, and the next earnings, we will disclose the security numbers as committed to our shareholders, and we will gather all the information that is required to tell the story of JFrog 2024 security success.
All right. Looking forward to it.
Two weeks.
I think the other question that a lot of people have asked us as well. I understand you have this broad customer base that you can go and cross-sell now. Are you actually seeing new logos coming in and adopting security right at the start, or is the sales motion still predominantly centered on, hey, you land with Artifactory and then you'll expand into security over time?
Yes. That's, that's actually a very good question. And, and Mike, you are following the JFrog story for a few years now. We had, or I had to take a decision on what we want to be focused, whether we are going to keep focus on the developers and the developers and individuals sometimes and the SMB, or we want to go after the enterprise. And four years ago, a bit more than four years ago, we were very clear about our main focus, which is going after the enterprise. And it's not just the sales mechanism, the marketing, the go-to-market, the customer success, and, and the front, the customer front. It actually changes your entire company. Everything, the relationship with the customer, the persona you speak with, the, the upmarket, methodologies and, and playbook for sales, the people you hire, the overlay you have, everything changes.
You also have to understand that you might let go on a $1,000 ARR customer or $3,000 ARR customer because the people that you now hire are not even selling this type of offering. They are not selling this. On one hand, you want to keep the SMB because you know that some of them will become the pipe for tomorrow's enterprise. On the other hand, you have to choose how you build your offering, how you build your service, how you build your sales team, and how you take over the enterprise. That was my focus for the past four years. What happened is that when a new logo comes to JFrog or we land on a new logo and it's an enterprise, usually they will take everything. They will start with a platform.
The SMB, they will start small and maybe grow. So that's the main difference. To be honest, we were focused, very focused on the enterprise side of it. And in the future, we might look and come back and revisit the question of SMB and if we have a light offering for them.
Excellent. It's great to hear the traction you're seeing at that enterprise level. That's, that's fantastic. I think.
By the way, sorry to interrupt, you can also see it in the numbers that we are reporting every quarter. The number of Enterprise Plus subscribers, the numbers of customers over $1 million, the number of customers over $100,000. These are not the numbers that we used to see three years ago and four years ago and the consistent growth on those $1 million club represents and demonstrates the change that we have done on the go-to-market and sales force.
Mm-hmm. Let me ask, and this is just taking a step back for a second, but most, I think, if not all security vendors in some way are largely focused on security detection at the code level. Again, you guys with your roots in Artifactory, the top of mind technology and focus for you guys is at the binary level. Can you just take a second to explain, like, what is the advantage of taking a binary level view versus looking at the code?
Yeah, well, I would argue about the focus on the code. I think that the code security was there for the past 30, 40 years. And, you know, some of them changed the experience and some of them changed the technology. But the way CISOs and security experts are thinking, they don't think about the product. They don't think about the solution.
Mm-hmm.
This is different than developers. They think about the threat. So when you are looking at the threat of the past three years, most of the big, very big, episodes we saw on the security landscape was coming from software packages, therefore binaries, artifacts, not source code. So the Log4j, the npm, the PyPI, the SolarWinds, this is all binaries. Now, why this is new? Because the hacker started to understand that software development is not starting from scratch anymore. Developers all over the world, no one in the world starts from scratch. You bring software packages from different public hubs. Either you go to Hugging Face or you go to Docker Hub, or you go to the C/C++ center or the Java or the npm, and you bring your packages, binaries.
If I'm a hacker and I'm leaving something there for you, and then I want to get into your organization, I find a way to get through developers. Why this is something that became so risky? Because the only asset, the only asset that you have in production in runtime where the hacker can meet you are binaries. There is no source code in production.
Mm-hmm.
So yes, source code needs to be secured. By the way, we cover that with JFrog Advanced Security as well. Static code analysis is being covered by JFrog as well. It needs to be secured because you don't want your developers to do anything by mistake and open the gate for someone to come in. But the only asset that you have in runtime is binaries. Therefore, when you reverse engineering your, the risk from runtime back to dev, binaries are the only asset that you have to protect when you protect your software supply chain. And this is being elevated every year more and more and more CISOs start to understand that's the only way to protect the organization. And not only that, the White House already issued two executive orders about that. How you protect your software supply chain, software packages, period. It's like binary, zero and one.
There is no middle area here. So this market is growing. The understanding of the new threats is starting to be more and more kind of on the level of best practices. We are very excited to lead that. And again, it doesn't mean that you don't need to protect your code. So when you look at the integration we announced with GitHub last year, we know that developers will go to GitHub to see the finding on the source code. But what they really need is the binaries protection. And when we collaborated with GitHub, we brought it under one pane of glass, everything together, binaries and source code. Again, no conflict, just consolidation of point solutions and understanding the threat of the hacker coming from runtime.
Great, and there's obviously been a number of announcements for you guys as far as new products out there that, like, there was the GA for runtime. You have curation out there as well. Can you, I don't know if a compare and contrast is right, but can you just walk us through it? What has customer reception or initial feedback been for runtime and curation?
Yeah. I've learned something in the past two years since we got really to the core of security. Selling DevOps and selling DevSecOps is not the same. You speak with a completely different side of the brain.
Mm-hmm.
When it comes to security, there is a lot of suspicion around what you said. So, the main questions would be, what's the value of having JFrog Runtime Security? And you know, there are huge companies in the world of security that protect your runtime environment. But the value that JFrog brings, and I will repeat it over and over again because we are the single source of truth for all companies, the value we bring is that we are the only company that can give you access all the way to your developers. And if you think about production in the cloud and developer environment, you need to build actually two bridges. Bridge number one is what do I have on my screen when I'm monitoring my production environment in terms of risk? What do I have on my screen?
I want to have as minimum as I can open items that might be a risk, and with our contextual analysis coming back from the binary that we host for you, telling you, Mike, don't worry, this binary might have a vulnerability, but you are not exposed to it because you don't use it in runtime. Only JFrog can build this bridge. The second bridge is the cloud to dev, the backward, the traceability of telling you, listen, yes, something's wrong in your production. You have to recover and you have to do it fast, but with the million dependencies line, you will never be able to find the developer. Log4j, some of our customers needed over seven months to recover. Seven months, Mike, this is an alternative for CISOs.
So when you can have on a click of a button a name, and we call it in JFrog next to zero, if you have a name on a click of a button, then remediation becomes easy. And this is very appealing for the CISOs that we are speaking with. And obviously JFrog Runtime is new. We are also working very hard to build the partnership, the technical partnership around JFrog Runtime because JFrog is not a runtime animal. We come from the dev environment. So collaborating with the clouds, collaborating with observability tools, collaborating with this type of customer, partner, sorry, is a plus. Regarding JFrog Curation, and again, I'm not going to disclose any numbers now, but I was very pleased with the adoption of JFrog Curation.
It was so easy for the DevOps persona to understand why you need a firewall between your repository and the public hub.
Mm-hmm.
And just to say, if this binary is coming with a GPL, don't let it in. Everybody can understand why this firewall is useful for the company. And we had some major adoption of JFrog Curation in 2024.
Great. And pivot, 'cause I don't wanna leave it laying there, but MLOps, right, is obviously a major talking point for JFrog right now. Super high level, but you guys had acquired Qwak. Can you help us think through what is the vision for bringing MLOps into the JFrog platform here?
First, we heard it from our customers. It was very clear. They said, listen, we all, you host all of our binaries, models, AI models are binaries. Please make sure that they are being hosted natively in Artifactory. This is how our kind of wakeup call from our customers, even before GenAI became so popular. And when we looked at what would be the next natural expansion of our infrastructure, because it's not that easy to expand an infrastructure, right? Infrastructure are supporting thousands and thousands of users. And usually you would not see an infrastructure being expanded. We expanded once with security, and now we are doing it again with MLOps. But it all goes back to what is the primary asset we sell. It's the binary. We host your binaries. We are the repository.
We are the registry for your models and binaries. So when they started to ask for hosting it and securing it with Xray, we scan your models as well. Then there is one thing that you miss. Where is the deployment and where is the test and where is all the CI for AI that JFrog can provide natively? And then we looked at companies like Qwak. We integrated also with MLflow and with Amazon SageMaker and with others. We liked what we saw, and we also understand that this world is rapidly changing. So if we would not be part of this change, it would be a risk for JFrog because five years from now, you might manage binaries differently. And it's not going to be, it might be the machine. So we know how big this addressable market is.
And when we are expanding our platform, it always has to come with an authentic value to our customers. And when it comes from the customers and the technology and innovation coming from JFrog, usually we saw a win-win situation.
Great. And maybe, unfortunately, probably the last question we'll have time for here, but just sticking with Qwak, I'd be interested. I know that you guys were partnering with them before you acquired them. So can you tell us about what went through JFrog's calculus when deciding, hey, do we continue to partner or do we acquire? And then Ed, if you could comment as well as far as the criteria when you guys do go through that M&A process, how does that look at JFrog?
So, I'll start and Ed obviously will complete the full picture. Mike, we first look at the opportunity, how big the addressable market. And we are looking now today. Analysts are saying that it's over $60 billion mark. This is huge. This is huge. So obviously we want to be part of it. Second, we started to see that a lot of companies like Qwak start to integrate with Artifactory because otherwise they are blind. They don't have access to the model registry. But some of them build their own model registry. This is why I said it. It can't be something that JFrog misses. And the last thing is that it's not a secret. All of those young companies that are part of the GenAI festival are getting crazy valuation and crazy numbers and crazy offers.
So if I would do it two years from now, it will cost me five times more. So JFrog is very efficient. We deploy our capital into our own growth and into our own inorganic growth. So I think it was the right decision and the good move. And still it's on us to prove how we expand the business, and the revenue stream with the MLOps and not just DevOps and DevSecOps. Ed, go ahead.
And to complete the picture on that, Mike, what we're looking at when we make a large M&A transaction like we did for Qwak, it's not only the value that it's gonna bring to the top line growth, which, you know, we're looking at the size of the market, but what it will be in terms of the disruption if we do not do an investment in that technology. And as Shlomi explained around ML, this is what the customer is asking us. They want JFrog that owns their binaries and ML large language models are a binary. It's a natural fit. And have we not, had we not made that decision and doing it now, even with valuations the way that they are, if we miss that node, it will be a very costly mistake for JFrog. This is a natural fit for us.
These are considerations that we take when we make a transaction and do an M&A transaction. So it goes beyond just the size of the market, but the disruption to the company and the relevancy of JFrog beyond just one year. It's multiple years. We wanna be a very relevant company for a long time delivering durable growth and shareholder value.
Awesome.
And then to continue, Ed, just touch on the most amazing thing because we saw it so many times at JFrog. What would happen if we wouldn't pull the trigger on this deal, Mike? What would happen? I will tell you from our past experience in 2016, if we wouldn't become the most popular and biggest Docker registry, I'm not sure that JFrog would exist today. And again, with Kubernetes, and again, with the migration to the cloud, and again, with the merge of security and DevOps. So we see an opportunity. It's authentic. We can bring value to our customers. With 7,000 customers, I know that if we build it right, they will come.
Excellent. Excellent. And with that, we'll have to cut it. But Shlomi and Ed, thank you very much for the time. And thank you to the audience for tuning in today. Take care everyone.
Thank you very much for the opportunity. May the Frog be with you.
Talk soon. Bye.