All right, I think that's our cue. Good morning, everybody. Thanks for joining. I'm delighted to have here with us co-founder and CEO of JFrog, Shlomi Ben Haim, and CFO Ed Grabscheid. Guys, thank you for taking some time.
Absolutely.
Thank you for having us.
Maybe we start with a quick introduction about yourself and maybe a few words on JFrog as well for the people in the audience who might not know about it.
Yeah, so good morning, everyone. My name is Shlomi Ben Haim. I'm the CEO and co-founder of JFrog. JFrog is the only platform in the world that provides DevOps, DevSecOps, and MLOps capabilities to manage your software supply chain. Basically, in simple words, we power software delivery, power developers with DevOps, power security stakeholders with DevSecOps, and AI models with the MLOps capability.
Good morning. I'm Ed Grabscheid. I'm the CFO of JFrog. I've been with JFrog now almost six years and started out as the VP of Finance, helped scale and take the company public, and now have the honor of being the CFO and sitting here next to Shlomi.
Great. JFrog has been going from strength to strength in the last few quarters, right? Your bookings have been great. Last quarter, the consumption numbers were amazing. You're breaking into security in a pretty big way. You're signing some interesting technology partnerships. Talk about it at a high level. What are kind of the common threads of topics that are coming up when you're talking to your most strategic customers? How are they thinking about it?
I'll start, and then Ed, feel free to chime in. I don't know if I'm, am I sitting?
Good.
You hear me well? Okay, good. Around five years ago, Pinjalim, we took some strategic bets on what we want to provide the market. The following was having a cloud-first technology. Our technology is hybrid. We have on-prem customers and hybrid and cloud customers. Becoming a cloud-first company. Second thing was converting from single product to one platform. That's heavy lifting. Everybody's saying platform today, but a real platform experience is heavy lifting. The third thing is to double down on security. What we're seeing in the market, and this is quite awesome, is that even companies that said that they would never go to the public cloud are going to the public cloud. It takes them maybe a bit longer. Therefore, the hybrid solution is very appealing for them. Multi-cloud solutions, so no one will have a vendor lock-in.
That's another trend that we see. Consolidation is a big, big thing. Most of the CIOs that we speak with, JFrog today has something like 7,000 customers. 83% of the Fortune 100 are powered by JFrog, around 50% of the Fortune 500. All of the CIOs, CTOs, CISOs are telling us that they are looking at consolidation of tools. They do not want to have this point solution, multiple tools across the software supply chain. Basically, they look at the democracy of developers kind of settling down, and they want to see consolidation around it. The one big holy grail in the world of software supply chain is security. When you couple it all together, cloud-first platform coming with security that is coupled with the DevOps capability, I think this makes JFrog offering very appealing.
Yeah, understood. I'll go into the fundamentals of the story. Before I do that, Ed, I do want to ask you about the consumption story, right? The consumption numbers have been amazing last quarter. It seems like customers are committing above committed rates. We have not seen that too many times in the past, right? You talked about developer activity kind of picking up. I think I got a lot of questions from investors. What does that mean? Are you seeing net new workloads start to accelerate? Is AI playing a role? That is a little bit of a bull thesis on JFrog as some of these code assists start writing code, right? Maybe help us understand what is driving that.
It was really an incredible quarter in terms of data consumption, but it's one quarter. The truth of the matter is that we haven't seen this level of data consumption over minimum commits for over a year. Although we're excited about it, we're not sure yet if this is a trend, and we're being cautious about the approach that we're taking. As you know, of course, we don't include data consumption over minimum commits in our guidance. Therefore, the cloud guidance that we presented is only that of a commitment. Now, what are we seeing today? We're seeing this really explosive usage of our developers. Much of that, when we analyze the packages, are coming from Docker. They're coming from Hugging Face and from Python, PyPI.
These are the three packages where we saw the most significant increase on a quarter-over-quarter basis or on a year-over-year basis. When you start to triangulate all of these pieces, it would indicate that maybe there is some experimentation in AI. I read an article the other day, and they talk about ARR. They also have ERR now, which is experimentation recurring revenue. We do not know if that is sustainable at this point, but we see this experimentation, and we certainly are encouraged by that. What is happening is you still have a macro headwind. You still have budgets that are not necessarily aligned with the usage. We are working very closely with the Office of the CFO, with procurement, to see if we can align those budgets. Today, there is not a full alignment on budgets and the usage. We are actively working with the customers.
If the budgets become available, we'll certainly see an increase in the commitment. Right now, it's too soon to know. We're executing in Q2. Let's see how things play out. We'll have an update, of course, in our Q2 earnings.
ERR definitely is an amazing metric to probably start looking at.
Please don't ask about it next quarter.
Like another metric.
Yeah.
Just to follow up on that, if companies are consuming more than the committed rate, and if these are experimentation, do you wait another quarter before you engage with them for a larger contract? Or how does that work?
We look at it in two different methodologies. First, those that are coming up on a renewal, we obviously engage in those customers very quickly. As Shlomi talked about, we have over 7,000 customers. I can't deploy my sales organization to all 7,000. In the cloud, around 50% of those customers, so over 3,000 customers or so in the cloud. We have to focus the sales organization. We start with those customers that are renewing, that are over the minimum commits. Those that have heavy usage for a sustained period of time, we will certainly go to those customers and see if there's an opportunity to commit them to a larger data consumption package.
Understood. Okay, with that out of the way, let's talk about the fundamentals a bit. The core of JFrog, Artifactory, you were in a very critical position in kind of the DevOps, DevSecOps processes. One of the Fortune 100 financial companies we talked to, she said, when JFrog is down, nothing gets pushed to production, right? It's that kind of critical. And it has been driving most of your growth, right? Security last year was what, 3% of revenue, I think? But 97% is basically core plus Xray, which is also partially security, I guess. But that's kind of your core. How should we think of that core growth, right? The opportunity around core growth, talk about that. Is that driven by this hybrid migration from on-premise to cloud, SKU upgrades? Or I'm thinking, is there a correlation to kind of natural workload growth within an organization?
That's a great question that we keep asking ourselves for the past 15 years. We started with Artifactory. Artifactory is our flagship product. It's a software packages repository. Ever since then, we were claiming that the primary asset in the world of software supply chain are the software packages. It's not anymore your source code. Source code is amazing. It's important. You have to do it. This is what you do in-house. This is your developers writing code. Most of the software that you bring and create with comes from outside. This is software packages. These are the binaries. Artifactory became the system of record for all of these software packages. Our first step was to go universal. We will support whatever technology you have. Today, Artifactory supports over 32 different technologies.
No matter what you use, no matter what your developers are using, JFrog Artifactory supports that. That means that Artifactory goes out to the public hub, brings the software for you, maintains this, plus the metadata and the dependencies. It became really the system of record for all the software packages in your organization. Now, if this is the single source of truth, we had an option whether we are opening our add-ons to other repositories or we are reinforcing Artifactory. We decided that security and MLOps and everything that will be coupled with this power of the system of record would be more secured, more efficient, faster to use, and better integrated with the ecosystem. We kept on bringing more and more capabilities on top of the registry.
With what happened today, for example, you guys might know that the primary asset in the world of AI are the models. That's what you bring from Hugging Face. This is what you train. This is what you deploy. This is all the experiment. What is a model? A model is yet another binary. And for us, it's kind of native and natural to host it in Artifactory. You're right, Artifactory is becoming bigger and bigger and bigger. We invested a lot in building scalability and automation and integration around Artifactory. You mentioned some of them in the opening. This enterprise that you quoted, I think that a lot of our customers see JFrog and the platform as the power grid of software. If it's down, then nothing is being pushed to production. When it works, nobody cares. It's like electricity at home.
It should have a little bit of a stability in growth for multiple years. Is that?
Yeah.
Okay.
This is also what we perform and share on a quarterly basis.
Yeah. On security, that's kind of the big news on JFrog, right? Because security, or I should say the bear thesis on JFrog that I've heard for the longest time is it's a one-trick pony, and it cannot break into security, right? You have kind of diluted that thesis, in my opinion, with the RPO numbers that you have shown us in Q3, Q4, also in Q1 as well, on top of those strong quarters. Security is 3% of revenue, I think 12% of RPO, and RPO ending 2024. Talk about what is driving that success, right? You acquired Vdoo probably two and a half years ago.
2021.
2021. Okay. It took some time for that machine to kind of start. Maybe talk about what is driving that success now.
Yeah. The foundation of JFrog Security started with Xray that is included with the basic subscription. It comes with Artifactory for the enterprise customers. Xray is a scanner that scans Artifactory, makes sure that your repository is safe. That was not enough for the market. That was not enough to penetrate the world of DevSecOps and to be considered as a security vendor and not a DevOps vendor that tried to do security. What we've done in 2021, as you mentioned, Pinjalim , is that we acquired Vdoo. Vdoo, a mature security company. The team came from two very special units in the Israeli military. They started to build the capabilities on top of it. That's from the technology perspective. We cover almost everything that you have on your software supply chain. It comes together as one. For example, secret detection.
For example, infrastructure as code, containers, and container scanning. All of these capabilities across your software supply chain with the right go-to-market, telling the CISO, listen, you do not have to choose between Snyk or Checkmarx or Black Duck or Veracode or Aqua. You get it all. You get it with the repository, which from the first place is what you are trying to protect. All of these point solutions are integrated with Artifactory. Otherwise, they are blind to the binaries. They have no access to another single source of truth. I think that the combination of a very strong technology, a very strong research team, and the right go-to-market delivered the numbers in 2024.
Yeah. So you're basically saying that your core Artifactory as the system of record is actually a definite advantage for you versus a lot of those point products that have to read into your kind of system of record.
Yeah. This is how we see it. You know, sometimes people are asking me if I'm biased. If I'm biased, then all of these point solutions wouldn't integrate with JFrog Artifactory. You can just go and search the web and look for a Snyk integration with Artifactory or a Mend or a Veracode or an Aqua or all of these tools. If they don't have access to the heart of software supply chain, how can they protect it?
Yeah. Just to go back to your point that you made on consolidation, right? Are you seeing consolidation of these tools by JFrog?
This is like some of the changes that we have done in the past years is that we also moved from a bottom-up sales and go-to-market motion to a top-down and strategic enterprise sales. We secured millions of dollars sizable deals in 2024. Some of them were triggered by security. Some of them were triggered only because of the fact they consolidate point solutions.
Yeah. Are you able to name which ones you're taking share from or not?
Which company?
Yeah.
We have publicly mentioned that AT&T bet heavily on JFrog. Morgan Stanley, another big contract. There was another very big contract for us, one of the top three automakers in America. Sizable contracts are coming from big enterprises.
Yeah. No, I meant who are you taking share from?
Displacement.
From.
I think that what we see in the market is that a lot of our customers are migrating from Black Duck. After Synopsys, they sold Black Duck and Coverity. I think that a lot of them are migrating from Black Duck. A lot of the customers are migrating from Sonatype, mainly because of scalability, by the way, not necessarily because of security. They consolidate. A lot of our customers are migrating from tools like Mend and Checkmarx, mainly because of the cloud performance. They want to move to the cloud. That's the main.
Got it. Coming back to the eight-figure deals that you guys signed in Q3, Q4, is it possible to understand? I mean, your security portfolio has grown, right? There is advanced security. You have added curation. Now, you also added runtime. Which ones are included in those eight-figure deals? Or is it kind of an end-to-end adoption?
Each case is different. We have multiple large customers. It is over 250 customers today in security. A handful of those are these eight-figure deals. When we analyze those deals, there are a couple differences. As you mentioned, we also offer curation. We have advanced security and runtime. Runtime is a small piece of it. Typically, what we see is customers taking curation and advanced security. These deals typically do not go wall to wall at the start. They scale over time. They usually take a multi-year agreement, which gives them enough runway to fully adopt. In year one, it might be a lower level of number of developers. That will scale over time in years two and three. By year three, we would expect a full adoption with more developers.
We monetize based on the number of seats and number of developers, which is different than the cloud, where we monetize on data consumption. We monetize in security on the number of developer seats, which is a common currency being used for the software industry. I'm sorry, for the security industry.
Maybe I'll double-click on what is JFrog Advanced Security versus what is JFrog Curation. What we've built is JFrog Advanced Security. This is the consolidation of all the point solutions that I mentioned. JFrog Curation is a firewall between your organization and the public hubs. From the get-go, developers cannot bring something that is against the policy of the organization. Instead of letting them build with something that you don't want, let's say a GPL license, you don't want it in your organization. You want to prevent it from the get-go instead of letting them build with it, and then at the process somewhere, you will break their build and roll it back on them to fix it. It saves a lot of money. It's mainly a firewall between you and the public hub. JFrog Advanced Security comes with all the capability that I mentioned.
Ed is right. The model that we built is that those security tools are an add-on on top of your subscription. And it's a by-seat. What you've mentioned in 2024, we disclose our security numbers once a year. In 2024, we had 250 customers. These are customers that are using JFrog. And now they heard about security and add it as an add-on. We hope to go with them with a number of seats as well.
The point that you made about handful in eight-figure out of the 250, right? Are those handful companies, was there something anomalous for them to go that big? Or do you feel like a lot of the 250s could eventually scale up?
These are very big companies that are spending millions of dollars on security. I think that this is just the toes in the water before they will expand. There will be two outcomes, right? Either they will say, listen, we tried. We do not like it. Or they would like to settle on JFrog. Therefore, they will have to pay by the number of seats.
Yeah. Understood. Let's move on to the GitHub partnership, right? That is another interesting partnership you had kind of talked about. And I had interactions with GitHub myself. And they were talking about how it's very complementary. And I was asking them about their package solution that they have. And the guy in the booth basically was saying that it's not good enough for customers versus what Artifactory provides, right? So maybe talk about what that partnership brings to the forefront for JFrog versus without the partnership. Is that resulting in new deals, new conversations? What are you seeing?
First of all, I think that it's a good answer. Their solution is not scaling as JFrog. For the longest time, people asked us, what's the difference between source code and binaries? And if you are not a technical person, then it's really hard to kind of put the finger of where this is stop and that's begin or vice versa. We always knew that the coexisting of source code next to software packages, next to binaries, is a must. Otherwise, there is no way. There is no one organization, even if it's a five-developers shop, there's no one organization that can use only source code or only binaries. When we started to hear from customers, significant customers, our biggest customers, saying, listen, we settled on the GitHub platform coming from Microsoft and the JFrog platform.
We want you guys not just to integrate, but build a one-platform experience. I spoke with Thomas Dohmke, CEO of GitHub. I shared with him this feedback from the customers. We took a decision from the executive sponsorship down to build a different experience for developers. We started with four tiers. Tier one, platform to platform, seamless experience. Tier two, security to security. They secure source code. We secure binaries. One pane of glass. No ego, no developers' hassle. Just one place where developers are that they will see all the findings. Tier three, AI and Copilot. So Copilot, GitHub Copilot integration with JFrog Curation that I mentioned before. All the findings will come to you automatically through Copilot. Tier four is the joint go-to-market that we are developing. Obviously, the marketing part of it is very mature.
The sales part is something that we are discussing with Microsoft. It is still very, very early.
Yeah. As investors, we obviously like numbers, right? When should we expect kind of numbers to flow in materially?
Yeah. It's really hard to put our finger on it. The one thing that I'll say is that 70% of our customers use GitHub. This creates an opportunity when we look at scaling into security. There's this trust. They use GitHub. It's a clear best of breed between GitHub and JFrog. This gives us the opportunity, opens the discussion. We can't necessarily put the finger on the exact dollars that are being brought in. We can certainly say there's an intangible benefit. There's certainly a level of confidence with our customers when they know that GitHub endorses JFrog. We are the best of breed when it comes to the management of the binary.
Think about it, Pinjalim. Like what CIO or CTO will say, guys, let's bet on number two or number three in the market. Everybody's saying GitHub is number one for source code. JFrog is number one for binary. So why would you take, I don't know, GitLab and Sonatype? Sorry for being very clear about it. These are the numbers.
Yep. Understood. Talking about a partnership, Shlomi, in Q1, you announced a sizable deal with, this is how you explained it, one of the world's most recognizable AI technology leaders who are actively shaping the future of general artificial intelligence. I will not ask who it is. My understanding is that there is an opportunity for JFrog to power certain services that they might sell to their own end customer. It sounds like an OEM deal in a way to me. I do not understand the intricacies of it. What kind of a service could that be? Maybe just explain potentially what could flourish from there.
Obviously, I cannot share the name. I know one smart analyst that took the script and put it on ChatGPT and got the name. It is really a well-known AI native company that we were honored to hear that they want to move to JFrog. They used another solution, which was not scalable enough for them. What they are building is a giant data center that is supposed to provide services, agent services to their customers. What it means is that they will have to host and manage and train and run experiments on models. They want to bet on Artifactory as their model registry. They want to use Xray as their model scanners. In the future, hopefully, they will expand their business with us and add JFrog Advanced Security and JFrog Curation to it.
Maybe even JFrog Distribution to distribute it to the edge. I'm not sure. It's very early. I would not say anything that's even close to an OEM agreement. There is a big potential there. The main reason of why I was so excited about this new logo is because of the fact that you know that you build for modern technology when customers like that are coming to you. Every CEO, I bet that in any room in this conference, every CEO will say at least 5x the word AI. There is a lot of fluff around it. There is a lot of authentic things around it because it's a real revolution. It's not a trend. When you manage the primary assets, the trans-AI, which are the models, I think that there is a big potential for us to grow with this change.
Understood. Let's talk about macro a little bit, right? You reported last week. Seems like at this point, you're not really seeing any impact. I mean, how have those conversations fared so far in Q2? There seems like a lot of uncertainty overall, April, May. Do you feel like people are tightening their purse strings or are kind of migrations conversations slowing or any kind of a signal that you see out in the future periods?
Yeah. I'll go ahead and start on the general. You can talk a little bit more about the customer discussions. Q1, we didn't see any of the impact of the macro. We also knew stepping into the year that it was a difficult macro environment. We did see some headwinds. We prepared for that. We talked about that as we stepped into 2025 and worked. Cautious in our approach. That's why we, A, de-risk many of our largest deals because of the uncertainty of when those deals are going to close. We also exclude, of course, any data consumption above minimum commits from our guidance as well. As we head into Q2, we're obviously keeping a close eye on how the market is behaving. We've penetrated over 80% of the Fortune 100 customers.
Those customers could be impacted by some of this macro headwind. Today, JFrog is not being impacted by that. We feel very confident with the guidance that we provided. Again, we're going to continue to monitor and execute in the second quarter. We will have to see what happens after Q2 and how that'll impact the second half of the year.
OK. I want to ask you one more on that, on visibility specifically, right? Because of those large deals that you signed in Q2, Q4, your CRPO coverage numbers are a little bit better than previous years. I think you have also kind of changed the monthly commits, right? The construct of kind of the contracts and your visibility into kind of monthly commitments. Is it fair to say that you're entering 2025 with a little bit more visibility than prior years?
I don't know that we're necessarily entering the year with better visibility. I think what we're seeing is that 2025 is very similar to what we saw during 2024. Regardless of when the conversations start with these very large deals, we typically see the transactions starting to mature more towards the second half of the year. This is what we're seeing today, that these opportunities with these very large deals will start to manifest and grow more towards the second half of the year, regardless of when we started the conversation. Now, the question regarding the CRPO, I don't know that yet this is the right indication of the health of the business. It's wonderful in terms of the growth in the CRPO. We look at it from a revenue perspective. A lot of that is coming from the multi-year commitments that we have.
We now have more stability in terms of the year over year. We do not have to chase renewals necessarily every year as we see some of these larger customers now moving to a multi-year commitment. That is reflected in our CRPO numbers.
All right. It seems like we have only four minutes. Is there any questions? Can we have a mic here, please?
As we think about DevOps over the next decade, the amount of Dev that's going to be created is going to just grow dramatically. I'm not convinced that the seats are going to grow dramatically as agentic AI is a key part of that. How do you think about pricing your business model on value-based pricing versus seat-based pricing so that you capture and participate in that growth?
Yeah. When we coupled DevOps, DevSecOps, and MLOps in the same platform, the idea was using the same practices to automate the full software supply chain. Yes, there is an addressable market for each one of them. We see it as one. When you look at the cloud business, it is based on data transfer and storage. The more the merrier. If you will use more to transfer your models or software packages or containers or Python packages, we are agnostic to it. It will generate more consumption. This will grow our business. This is one of the reasons that we bet heavily on the cloud. We went multi-cloud. Even if it is a hybrid solution that some of your assets are on-prem, you still need to communicate with the cloud. That generates more consumption. Our model is purely consumption-based.
Now, for the self-hosted, we added security. Part of our customers are still self-hosted. Maybe we'll stay self-hosted forever on-prem. Our assets are starting to be based on consumptions as well, but in a different way. For example, smart archiving, the size of the repository and not necessarily a subscription-based. Security based on seat and not necessarily a base subscription and so on.
How do we think about the margin profile between the CPUs and the consumption? Is there a margin difference?
We only report on the corporate margin. We have very, very healthy corporate margins. We still maintain that. Even with the percentage of revenue that's coming from the cloud, we still maintain a very healthy gross margin profile.
Just following up on that, what is your view long-term about the growth of developers given agentic AI? I mean, might there be a lot more activity, but not more developers? Also, how's MLOps gone since it's launched, I guess, last month, two months ago?
Growth of developers, there is a lot of discussions about it. There are two different paradigms around it. One would say that tools will replace developers. The second one would say tools will replace developers that are not embracing tools. It is really too early to say. I do not want to sound a bit dramatic about it. We do not care. For us, it does not matter if a model is something that was generated by a machine or by a developer. That is the difference between source code and binaries. We speak machine language. Whether it was a developer that created it or a machine, you still need the system of record. You still need the single source of truth, the machine and the developer. If you ask for my opinion, I think that we will see more sophisticated developers that are using tools that power them.
Ten years ago, fifteen years ago, it happened with CI/CD, if you remember, Continuous Integration and Continuous Deployment. Some of the developers of the world said, we do not have to go automatic. We will build it. We will craft our own code. Those developers are long gone because you build 1,000x a day with a tool. What you will see is that there will be much stronger developers that are doing the work with machine. Again, we have to be focused on the asset. Otherwise, it is a 50/50 bet. Regarding the MLOps, your question was about revenue contribution.
We acquired Qwak, a company that we acquired in July or August of last year. The main focus was, let's expand the platform. Let's become the first platform that provides you with an every ops solution. We just released it two months ago. It is included in our offering. We do not yet see any significant or sizable revenue contribution. We will take our time. We want it to be adopted by our customers and not push. Next year, you will see a drop in the renewal, just as we did with security, by the way.
I think we are out of time, unfortunately. We could have probably gone for one hour with this discussion. Thank you so much.
Thank you.