Okay, we're going to get started. Welcome. I'm Jonathan Ruykhaver. I cover the cybersecurity and infrastructure software space at Cantor. Great to have JFrog and with us, Ed Grabscheid. Is that pronounced correctly?
Yeah, Grabscheid.
Okay, Grabscheid.
That's good.
Shlomi was supposed to be with us, but he unfortunately has been ill, so we'll proceed with Ed. Let's just talk from a high level about 2024. You came in as CFO, was it the end of 2023 or just the beginning of 2024?
I was announced at the end of 2023, so Q4 of 2023, where I transitioned from the previous CFO, Jacob Shulman. But I've been with the company for nearly six years, so I was very familiar with JFrog. I stepped into the role as the CFO and took the helm officially January 1st, 2024.
That's correct. You proceeded to have a decent 1 Q, but then 2 Q was a disappointment. The second half was quite strong. Just talk about the demand trends you saw last year, what happened in 2 Q, and what drove the stronger performance in the second half, and what do you see going into 2025?
Yeah, yeah. Let me first start with the second half of 2024. We're really pleased with how we ended the year. We closed three of the largest deals in the history of the company during Q3, which was an amazing achievement considering the macro environment. These deals, deals that we've never seen before at JFrog, included migrations going from self-hosted to cloud. These included upsell in terms of a lower subscription going into the full platform. It also included some deals that had security attached to it, multi-year deals, and that's represented in our RPO, which I'll talk about in just a moment.
We move into Q4, where we had the benefit of the revenue coming from these large deals, as well as other migrations from self-hosted to cloud to really deliver strong cloud growth, 40%, above 40%, excuse me, in the cloud for the full year. We also shared some of the metrics around security, which I'm sure we'll talk about in a moment. Now, what happened in Q2? This was a great learning experience for us. It really changed my approach and guidance. In Q2, we had a deal that we thought historically as a deal, 99.9% closure rate on this. This is a deal that ended up being a deal that closed in Q3. What we learned from this is we have to be patient.
As you step into a new arena of enterprise sales, it's really truly understanding that patience and that the magnitude of these deals are exceptionally large, and there's multiple budget owners and multiple organizations that need to sign off on that. In order to get those across the line, we had to be patient. Therefore, the outlook as I step into 2025, and I explained after Q2 of 2024, is to be more conservative and more prudent in our approach. These large deals that we closed during Q3 of 2024 have been de-risked. Therefore, the guidance is more on what I see as a commitment and really have good visibility in the first half. The second half, uncertainty, much of that, and what we know and what we've seen is that we tend to be a second-half company, and that will come from these larger deals.
It may come from an increase of usage above our minimum commits in the cloud, and it may come from an uptake in security, but I do not want to call that yet. I am being relatively conservative in my outlook and my approach around guidance going forward.
Can you just talk about that large deal opportunity? What's driving that? Is that the new norm? Would you expect that to continue for the next several years?
These are deals, like I mentioned, that we've never seen at JFrog, but we've been working on over multiple years to start driving strategically our sales organization, bringing in high-powered sales reps that come from companies like MongoDB, Atlassian, Datadog, that know how to penetrate budgets and security, that know how to close large deals. That was first and foremost. Now, what are we seeing in these deals? These deals, as I mentioned, typically come with a migration from self-hosted to cloud. They're coming with security, some of them even being led by security. It's a new product that we released in the second half of 2023. We went GA on those and really saw traction during 2024.
The construct of those deals is, as I mentioned, requires multiple stakeholders in terms of budget, the CIO and the CISO, and typically requires significant sign-off from Legal, from Procurement, and from the Office of the CFO. Those deals, again, will continue to be de-risked from our pipeline, but we know how to close them. It's just a matter of not if, but when.
Yeah, it's interesting because when I first worked on my due diligence as a part of our process for initiating coverage, the sales motion was mainly product-driven, aimed at developers. I think this was two and a half years ago, three years ago, you had just embarked on a more strategic focus targeting the C level. Talk about how you balance that because you need buy-in from developers, but you want the approval that you get for these bigger deals from the C level. How does that work practically?
As I mentioned, I've been with the company for six years, and when I joined the company, it was an amazing story. I'd never seen anything like this. Driving sales inbound with literally no marketing, no outbound motion, customers coming to us. It was a developer-led tool built from the bottom up, as you know, and you've done the research. We've now shifted towards more of enterprise and top-down motion. Why? Number one is developers do not have the checkbook to sign million-dollar checks. If we want to continue to scale and grow and be part of large organizations, you need to start tapping into the C-suite. You had to move the motion from inbound, bottoms up to tops down in enterprise. That was number one. The fact of the matter is developers love JFrog. They are the champions.
They will make the decision to use JFrog for their binary management and the Artifactory, the repository, and eventually scale over time. They have to be the champion, but the budget will be held at the C level. This is where you start to build the go-to-market motion to get these million-dollar plus checks.
Yeah, yeah. Okay. Looking at the market, the software development life cycle, the market is very, very fragmented. You have all these disparate tools that one developer will use for initial coding or the planning stage of the development process. You have different tools for build, test, for securing. You look at some of your competitors, GitLab, GitHub, they seem more focused on the CI/CD phase of that development life cycle, whereas JFrog has really claimed Artifactory, binary management. Those are two interrelated phrases as the foundational layer from which to grow. Why is that? It is interesting because you do not see GitLab or GitHub really focusing on binary management. What is the challenge there that you think gives you an advantage as you look to build out a broader platform solution?
Yeah. Maybe first let me start with a clarifying point. GitHub and GitLab sit on the left. They're focused on the source code. When I go to a deal and I have my team, my sales team going into a deal, we hardly ever see GitHub or GitLab in those deals. They're focused on a different area. We're focused on the binary. They're focused on the source code. 70% of our customers today use GitHub. We know that GitHub is the standard maker when it comes to the source code, JFrog when it comes to binary. We've created clarification in the swim lanes of who's doing what, first off. Now, why you talk about this disparate, many different tools that are on the software development life cycle, but who owns the primary asset? The binary is owned by JFrog. The repository, everything is owned by JFrog.
All of these tools must integrate with JFrog. If the primary asset sits as a resource, a repository, then everything must integrate with us. That is where the metadata we hold is the value. We also have deep technology in terms of our IT stack. In addition to integration, supporting over 30 languages, we also secure your binary. The first in terms of that security is Xray. We brought Xray into our platform. Xray is ground zero. This is your software composition analysis, scanning to ensure that you're not bringing vulnerabilities into your organization. You can add Advanced Security and Curation on top of that, which we'll talk about in a moment. The differentiator is the deep technology stack, the fact that we own the metadata and everybody must integrate with JFrog. I'll give you an example.
At the end of the day, we're community-based. We have to work with the community. Theoretically, some of these tools that integrate, we could literally choke them, kill them by not integrating with them. We wouldn't do that because you're cutting your foot off. However, that's how important JFrog is to the software development life cycle because of the fact that we own the metadata.
If that's the case, that's kind of the foundational layer to a platform. Does the company over time move into these other areas where you don't have a tool today? I don't know if it even makes sense for you to move into CI/CD. It seems like partnering with GitHub is the better path. Just talk about that expansion of the capabilities around your platform.
Yeah, that's exactly where we're moving. We made a bold bet more than three years ago to move to the platform. People thought we were crazy, including employees within the company. When we said we were moving to a platform, we lost engineers because a platform, the idea of a platform three years ago was Oracle or HP . Developers saw DevOps as an open-source type community, and the movement to a platform was like a dinosaur type company. Today, that's all that everybody talks about is a platform. We've started to migrate and move towards that direction. We exited the year. 54% of our revenue comes from the full platform offering, E+. It's still only 10% of our customer base, but you can see what it does in terms of generating growth for JFrog, 35% growth on a year-over-year basis as well.
We still have a very long runway to convert many of our customers to the full subscription platform of E+. We see great benefit there.
Yeah, actually, that brings up a question just in terms of these large deals. Is that the migration path that's driving these large deals, or is it landing new customers as well? Just talk about that balance.
Yeah, yeah. Migration is a big driver of growth. When we move a customer from self-hosted to cloud on a like-for-like subscription basis, we get anywhere from 20% to 80% uplift, depending on the size of the workloads that are moving over from those self-hosted instances. In many cases, we'll see a customer move from a lower subscription to take on the full platform in the cloud. Is it the driving factor? Not always. The driving factor is to move from their self-hosted instance and then have JFrog manage that and also have uniformity across their organization because now you're getting updates. You're using the same version across the entire organization. There is significant benefit to move from self-hosted to cloud. In many cases, we do see customers move upstream from a lower subscription into the full platform and taking more with JFrog.
Good.
Is that like for like? Is that the total contract value, or is that seats like that 20%, 80% up to? Or how do you split that up?
Yeah. The question is regarding is that a like-for-like in terms of the subscription, or is that number of seats? First off, on the self-hosted, we monetize based on number of servers, not on the number of seats. Minimizing any fluctuation regarding headcount in terms of number of developers. We decided many, many years ago that we would monetize our self-hosted on seats. In the cloud, it is monetized based on data consumption and storage. When you move your workloads from self-hosted into the cloud, you are making a commitment with JFrog around your data consumption and storage. You take a package of data, 1 PB , 2 PB , 10 PB, whatever the amount is based on your expected workloads.
You mentioned E+, 10% of the install base. Are all those E+ customers on cloud? I'm just trying to get a sense for the percentage of customers that have migrated to cloud as well.
Yeah. Today, 40% of our revenue is coming from cloud, and the split is relatively similar between our E+. You have somewhere between 40%, maybe slightly higher percentage contribution from our E+ cloud, and then the remainder is on the self-hosted. We have opportunity to migrate those customers into cloud and monetize those as they continue to grow with data consumption.
Yeah. Okay. AI-enabled software development, this was a hot topic, I think briefly for maybe just a couple of months, and then people started waking up and realizing you're not a seat-based model, so it shouldn't impact you. What it is doing is it's driving more lines of code into production environments, which need to be tested, secured, so on and so forth. The volume equates to a bigger data footprint and should be a real positive for a company like JFrog over time. I'm wondering if you're seeing that dynamic yet.
It is really too soon to say, excuse me, if this is driving benefit. We are not a company that is about fluff. AI certainly we see as a growth vector in the future, but we are not going to say that it is driving X points of growth for JFrog at this stage. There is a lot of experimentation that is going on. The thesis is this: as machines start to create code and as more code is being generated, because we do not monetize off of the number of developers, I am not so concerned about the number of developers declining over time. I am excited about more code generation, which means more binaries, which means more good for JFrog. If there are more binaries, it is more opportunity for us to manage those binaries, push those through the software supply chain, and generate revenue growth for JFrog in the future.
Yeah, it just—oh, go ahead.
Hi. More binaries, there's more lines, or more reads, more megabytes, because in our position, there are many more. The thing is developers increasingly fall for whatever. This is one question. The second question is about the leverage in your model. We haven't seen the margin improve, so that's the second question.
First, in terms of the binary, software as it's created, it's created in English, Spanish, German, whatever language. Once it's converted from the source code into a machine language, which is binaries, ones and zeros, the movement of those binaries through your software supply chain, either pulling them from a repository into your organization, which is a package or a container, and then moving those through the software supply chain drives data consumption. That's number one. That's how we monetize in the cloud. If it's self-hosted, it's around utilization of the servers. As you're bringing them and storing those, it increases the capacity and requirement of the servers. That's how we monetize off of that.
Now, regarding the question on operating margin, if you look at JFrog over the last two years, in 2023, we did over 1,000 basis points expansion in our margin. This is where we started to see the economy of scale and the investments that we made in the go-to-market around security. We really saw the growth as we grew top line over 25%. We saw stabilization in our expenses. It did not grow at the same pace, obviously, as the revenue and 1,000 basis point expansion. In 2024, at the beginning of the year, I said somewhere between 200-400 basis point expansion. This is before I knew we would do an acquisition. We did an acquisition in Q2 of 2024, and I still met the top end of my margin expansion guide. I did 400 basis points of margin expansion in 2024.
We're a very disciplined and efficient company. We are focused on delivering top-line growth with profitability, and we continue to do that. Now, when you look at 2025, you may ask yourself, well, why am I seeing my guide relatively flat? I'm conservative, as I mentioned, in terms of my approach. So anything I overachieve in my top line, I would expect that to flow to the bottom line.
I just want to get clarification on the code gen market opportunity. For me, it just seems like you have GitLab, GitHub. You have Cursor. Anthropic is introducing a solution. Scaling to this new paradigm, to me, seems like it's going to be a huge, huge challenge for enterprise customers. I mean, historically, you had developers who would adhere to various standards to ensure trust and security around the code. Now you have none of those guardrails. When or what are your salespeople doing to discuss this dynamic? Is it becoming a part of your sales pitch? It seems like binaries as the source of trust, which is what you like to say, become more important. You seem to be indicating that you don't really know if that's impacting the business yet. I know it's early.
All these trends are early, but it just seems like it should at some point.
Impacting the business, that aside, let's talk about the security or what are the gates to move from experimentation into full production and where we start to see the benefit of AI. We see two gates today. We see cost predictability. These are very large amounts of code or packages. If I'm doing large language models into my organization or if I'm generating new code and bringing that into my organization, there's cost predictability. You are now talking about machines that are generating code. They have zero conscience. They don't work during lunch. They don't take breaks. They work during lunch. They work during bathroom breaks. They work overnight. You're now generating significant amounts of code, bringing that into your organization. That's number one. Number two is what are you bringing into your organization? Organizations are freaking out. They have no idea.
Am I bringing something that I'm going to bring in somebody's IP into my organization and infringe on their IP? Am I bringing a malicious package into my organization at a very rapid pace? There are two gates that you've got to get through in order to be able to start seeing more regular use of AI in production. What are we doing as a sales organization to discuss that? Curation, as one of our Advanced Security core products, allows you to set the parameters of what you bring into your organization. You can still be efficient. You can still bring in code into your organization at a very rapid pace, but setting the parameters and giving the confidence to the Office of the CISO that you're not bringing anything malicious into your organization. That's how we're selling the Advanced Security product.
We had an announcement recently with Hugging Face where we enhanced the security. It's an open-source repository for large language models, one of the most popular. We enhanced our relationship with them by adding an additional layer of security to ensure that you're not bringing something into your organization, a large language model that would jeopardize your organization.
That is probably the answer, correct? You expect security to grow materially in fiscal 2025, which there is a driver there, and it could be these OpenAI code production models.
That's the hope. Yes.
Yeah. Okay.
Good question.
Yeah, go ahead.
Are you seeing any early indications of moving across the bridge between talking to the developer and the CIO versus the CISO? Other players in the space and DevOps have had some difficulty bridging that gap, speaking to the CISO versus the CIO. Any takes there at the CIO?
Sure, sure. Yeah. Maybe we'll talk about it a little bit more when we go into the security side of it, but we are starting to see now the Office of the CIO and the CISO coming together. Where you had two separate budgets, now you're starting to see those converge into one budget, which makes it easier when you have the discussion around security as well as the DevOps, the expansion in the DevOps, or part of the migration from self-hosted to cloud. We see this in CIO reports. It's very clear. We've had discussions now in the financial sector where we've seen both offices coming together as one.
Sticking to security, we've seen this shift left from one-time production environments to the development phase in terms of security applications. Talk about why Advanced Security and Curation are competitively better than what GitLab is doing. In addition, you have observability vendors moving. They monitor production environments, but they're moving more to the left as well. Do you see that?
Yeah. Everybody has some crossover moving to the left, moving to the right. Even JFrog, we introduced runtime in Q4, so we're kind of moving to the right into observability as a request from our customers to have better traceability. It's an act of God sometimes to ask people to open up their production environment. It's something that we certainly were requested, and we've done that. Other companies are moving, like I said, from source code maybe into software analysis, et c. The bottom line is who owns the asset? The asset is owned by JFrog. At the end of the day, customers want JFrog to secure that asset. JFrog Advanced Security, we're focused on the binary. The binary, the Advanced Security secures the binary as a platform. We replace multiple point solutions.
It is again under the genesis of a platform, replacing those point solutions, best-of-breed point solutions, consolidation to one vendor and a better return on your investment. This is where the value proposition comes in. You may have, as you mentioned, maybe a GitHub that has some security elements that move to the right, but at the end of the day, it is very clear. GitHub is focused on the source code and securing the source code. JFrog is focused on securing the binary. Where the value proposition is the platform and replacing the point solutions. Who are these companies? These are small, privately held companies for the most part. You may be aware of them: Black Duck, Mend, Aqua Security, Veracode, Snyk. These are the type of companies that we are replacing. Again, consolidation of multiple point solutions to one vendor with a better return on your investment.
Yeah, no, that's interesting. I was going to say, if in fact there is real value in having that deep understanding and integration with the binary from a security perspective, whoever is there currently, you should be replacing. I would also assume there's a lot more binaries being generated, so there's a volume component to that equation as well. In terms of competition, the one vendor I look at that seems to have, you could see these different security solutions, like you mentioned, maybe at the testing prior to production, software composition analysis. It seems like it could be littered with these little tools for some time. Snyk is the one vendor that, to me, has built out a more platform-centric vision. Are you seeing that?
I mean, I think if you're actually replacing them around the repository, that would be a clear testament of your positioning and the value proposition.
Yeah. We do see them, and we have replaced them. We know developers love them, but they are not a platform. They are still a point solution, and they do not secure the full software supply chain. At the end of the day, who do they have to or what are they protecting? They are protecting the binary and the metadata. This is what JFrog owns. This is all goodness. If they are securing a binary, that is goodness for JFrog because that means that it is going through the software supply chain and it is generating top-line growth for JFrog. Again, it is still a point solution, and we do see replacement there.
How far are we in this process? Are you at 50% through consolidating the smaller point solutions to a platform over 25%? Where are we?
Specifically around security?
Even more.
It's like first inning. Yeah. I think we're just not even first inning, maybe just getting out of the dugout at this point. I think there's a long tail in terms of the consolidation. As I mentioned, 10% of our customer base today is on the full platform subscription of E+ . Generates 54% of our revenue as we exited 2024. There's a long runway. It's a very, very early stage.
The main reason people will eventually do it is you have to have a change in executive leadership. There has to be a philosophical sort of change that says, "We don't want all these smaller platforms. We want to go this way." What sets our demand for change that you guys are looking forward to?
Internally in JFrog or?
Internally.
You're talking about the companies. Yeah, the customers themselves. I think it is this is an executive and board discussion to make a decision to consolidate tools. It is not taken lightly. I would tell you, when you start to think about development of software, security of the software, inherently very conservative and ripping out infrastructure and replacing, every single one of our customers that we speak with has a budget around security. Every single one of them is going to be extra cautious around ripping out any security tools. Therefore, we can work together with the companies in parallel to show value. Many of these customers have made long-term commitments to JFrog to replace their tools over multiple years, but it will take time in order for that consolidation to happen.
Moving on, just the price hikes you've been able to pass on, it seems like for several years, they seem more focused on the self-managed products. Correct me if I'm wrong. I would assume the strategy is to try to drive more of those migrations. If it doesn't, it is still a tailwind to the self-managed business. Just talk about the financial impact there, what your expectations are.
We have not had a sweeping price change across all of our products, both self-hosted and cloud, since 2021. We do have inflationary price changes. That is what we call it on a year-over-year basis in self-hosted specifically. This year was slightly different in that we focused on a bigger price change for the lower-end subscription. Our Pro and our Pro X received close to over 50% in some cases increase. The philosophy there was, A, we removed Pro as an offering on self-hosted. Existing customers can absorb the increase of 50%, or they can move to the cloud. New customers that land at JFrog that want Pro will immediately go to the cloud. That will drive movement to the cloud. For our Pro X customers, you are now getting pricing closer to the higher subscriptions.
That may drive upsell into our enterprise platform or migrations into the cloud. Our higher-end subscriptions, we did a smaller increase. The impact on a year-over-year basis in terms of the price change is not meaningful. It's relatively the same. The impact in 2024 and 2025 based on the price changes are essentially the same.
Okay. Does anybody have a question?
No.
54% Enterprise+ subscriptions in terms of total revenue. You've seen this acceleration in seven-figure transactions. Binary management becoming the more strategic footprint within software development potentially. This autonomously driven AI production. It all seems like it's positive in terms of where Enterprise+ can go. Do you have any expectations for the momentum there?
We do because it's part of our strategy. This is where we've invested in the go-to-market and bringing in sales teams around key accounts, driving that motion, not only with the sales organization, but the supporting organizations. Having the professional services, the customer support, the value engineering, the solution engineering, and starting to build out the motion on channels and partners. Channels is not going to want to sell a point solution. They want to sell value and a platform and their professional services. We've invested heavily in that as well, including investing with our Cloud Alliances team into the marketplaces, which are a great partner. All of this is driving that motion. This is the blueprint. We're seeing a significant growth in our million-dollar customers. We've grown over the last year. We continue to drive growth in our 100,000 customers.
I know it's a wide range from 100,000 to 1 million, but significant growth within that range as well. This is strategically what we've been focusing on for multiple years. The results of that are what you're seeing in terms of our E+ revenue growth as well as the traction we're getting in those million-dollar customers.
How should we reconcile that growth with that broader platform with the net retention number of 115%? I mean, it has been coming down. I would think the expand component would be pretty substantial.
The guidance that we provided in terms of the mid-teens net dollar retention.
I mean, you don't have to grow any new customers to get there, basically.
It's on a conservative guide. It also takes into consideration a few factors. Number one is that I don't expect any increase in terms of the pace of migration on a year-over-year basis. Secondly, I'm assuming consistency in terms of my penetration and security. The last piece is I have not seen usage in the cloud above minimum commits. It's a very tight conservative environment at this point. Most customers are not spending over their minimum commit. We have a question.
Yeah. Are you seeing your improvements in your customer acquisition costs as a result of these, or are you still in the investment stage in what you expect to break even with that?
Yeah. Going from, as I mentioned, an inbound model where you did not have to market or hire high-priced sales key accounts, and then moving more towards an enterprise sale, you would expect to start to see an increase in your customer acquisition costs. That is stabilizing now.
I think we've hit our time limit. Ed, thank you very much. Great discussion.
Thank you for having us. I appreciate it.