Good afternoon, everyone. Jason Ader with William Blair. Very pleased to introduce the guys from JFrog: Ed Grabscheid, the CFO, and Jeff Schreiner, VP of IR. Before we begin, I'm required to inform you that a complete list of research disclosures or potential conflicts of interest is available on our website at williamblair.com. Ed is going to go through some slides, and then we'll have some time for Q&A. Then we'll have a breakout upstairs in Richardson.
Yeah. Thank you, Jason. Thank you for having us. I will not go through all the disclosures. You can go to our IR page and read through those. I'll save the time for the presentation and for the fireside chat. I want to just give a quick overview of JFrog. I won't spend a lot of time on these slides. I wasn't sure of the format of this, but I want to give time for the fireside chat. I see a lot of familiar faces and maybe some that do not know the story. Just quickly, we are a little over 7,300 customers as of the end of 2024. We have penetrated more than 80%, 82% of the Fortune 100 across all industries. We have over 1,600 employees and what we believe to be a more than $40 billion TAM.
Over the last 12 months, we've delivered $450 million in revenues, and that's 22% YoY growth. Our free cash flow, we have very strong free cash flow, $119 million in free cash flow, and we've delivered 116% in our net dollar retention rates. We believe that's stabilized in very, very healthy financial metrics and done exceptionally well, obviously, as a company. Our mission, you know, we're here to create and bridge the developer and operations together to streamline the DevOps process, to make that efficient, to make that secure and frictionless. In addition to that, we also have security, DevSecOps, and now we have JFrog ML, so MLOps. We're the only company in the world that delivers in a platform DevOps, DevSecOps, and ML in one platform. As our mission says here, we call this liquid software.
No matter when you want to turn your software and updates on, you have the ability to do that with JFrog seamlessly, secure, and fast. In the center of it all is the binaries. I could spend probably the whole 30 minutes talking and educating on binaries, but binaries is a machine language, zeros and ones, and JFrog is the company that manages the binaries. We are the center of the software supply chain. Around that, you have the developers, you have operations, you have security, and you have AI and the ML. In the middle is the binaries, and the importance of JFrog is the management of those binaries. Real quickly, just to kind of highlight the software supply chain and the platform and what you see, you have open-source packages coming into your organization. You can protect that through curation.
That's an advanced security product that protects what we call the castle to minimize malicious packages and unwanted packages into your organization. Then you can scan those with Xray. Artifactory, as I mentioned, is the heart of our system. That is the binary management tool. You can secure that through our advanced security products, including Runtime. At the end of the process is distribution, and that goes to the end devices. You can host both on self-hosted and on cloud. Now we have JFrog ML, which will also manage your large language models. That was recently acquired technology in Q3 of last year. That's the Qwak acquisition that we did. We released JFrog ML in Q1 for cloud, and we're getting ready to release it for our self-hosted customers. Again, the only company in the world that offers DevOps, DevSecOps, and now ML.
Just to double-click quickly on ML, the way that ML is working, first of all, large language model is a binary. That is why we believe that this is so important and critical to JFrog and why we should win this market is because we manage the binary. Hugging Face is the largest repository of large language models in the world. We have a proxy with them, so customers can bring in their large language models into JFrog to manage that large language model as the binary repository. Also, companies like OpenAI and others that you can bring into your organization, these large language models. This allows you to host the model, secure the model, train the model, and deploy the models. You see an impressive list of customers. I mentioned that we penetrate more than 80% of the Fortune 100. We have many large enterprise customers.
We don't believe we've penetrated all of their budget. There's a long runway still to go. If you look at each of these industries, we're in at least eight of those top 10 customers within each of those industries and verticals. Looking at revenue, you can see consistent growth in our revenue on a quarterly basis. On the right-hand side, we continue to grow revenue. It's a subscription-based model, and it's continued growth. On the left-hand side, on the YoY, we delivered last year 22% revenue on a YoY basis. In Q1, we also delivered 22%. We guide right now, indication of 17% on a YoY basis. We also have very high gross retention. When customers come to JFrog and they standardize their infrastructure on JFrog, they don't leave. 97% gross retention rate. Customers love JFrog.
They stay with JFrog, and they deliver net dollar retention rates in the mid-teens, 116% stabilized at that rate. This is a trailing four-quarter metric. We believe that we're well-positioned and very much stable at that 116% gross, sorry, net dollar retention rate. I think this is a very interesting slide, and I put this in here to share the journey of customers of the land and expand motion. When a customer comes to JFrog in the past, typically they come at a very low subscription level, maybe one organization within a large global company. You can see on the top left-hand side, you have a Fortune 100 automotive company where they start at a very low subscription. They standardize across their organization. They increase to the full platform, the E+ platform. They start to add additional features like advanced security.
This is a customer that is now delivering more than $10 million in ARR. They have a three-year agreement with us to deliver nearly $30 million in total contract value. On the right-hand side is a healthcare company, one of the largest healthcare companies in the world, again, adopting across their organization, taking a migration from self-hosted to cloud, increasing with a big data consumption package. You see the outcome of that with over $3 million in ARR. Bottom left-hand side, a financial company that, again, expanding their footprint across multiple geographies, adding security on top of that. Lastly, a defense company. This is broad across multiple industries, significant growth. It shows the potential with JFrog of a land and then a significant expand. We have penetrated around 10% of our install base for the full E+ platform.
It's delivered more than 55% of our revenue, so it has significant opportunity and a long runway, we believe. Just to highlight this before we go into the fireside chat, again, net dollar retention rate, very effective from a land and expand of 116%. We continue to deliver strong revenue growth of 22% over the last 12 months. Our revenue is 100% subscription. As I mentioned, free cash flow, we're positive free cash flow for the last seven years. We are focused on rule of 40, so the combination of the revenue growth and the free cash flow margin, this is our compass and our North Star of what we are focused on as a business. We continue to deliver value to our shareholders. Thank you very much. As we say in JFrog, may the frog be with you.
Awesome. That was very efficient.
Yes.
Thank you. Thank you. This is more fun anyway, right?
It is. Absolutely.
I wanted to start out just because you kind of went through the sort of the Artifactory story fairly quickly. Can you just talk about what was the original problem that developers were having where JFrog came out and said, "Okay, we need to solve this problem," and we created Artifactory?
Yeah. Yeah. The problem started really when open-source packages became more prevalent and Docker was really that drove the shift. As you started to bring in containers into your organization and created software at a much faster pace, you may remember, for example, back in the day with Microsoft, when you would do an update with the Microsoft operating system, that might have happened once every other year or every three years. Today, software updates are happening once or twice a day, if not 10 times a day. The speed in which software is being created created the opportunity for JFrog. Software was a source code. Source code turns into a binary. We manage the binary. Every time a new application or a new software update is being pushed to the end device, it requires a binary.
It requires JFrog to carry that through the software supply chain. This is why JFrog became such an important piece, the asset being the binary. Binary became exceptionally important with the open-source package and the delivery of software updates.
What were people doing before JFrog?
You didn't update at the pace of what you update today. It was managed probably on a spreadsheet. It was managed internally. Once you increased that pace, it was no longer feasible to manage it internally. I'm finance, so I'll give you a good example. If I continue to expand the number of entities in which I, through an acquisition or open up entities, I cannot close my books independently. I have to have a tool to consolidate that and improve the efficiency and the pace of when I close the books. This is very similar for software updates.
It's like a centralized, consolidated.
Correct.
Tool.
Approach.
Tool to your binaries. Okay. Gotcha. All right. Can you talk about the shift that you guys have made into security over the last couple of years and what prompted that? Was there customers come to you and say, "Geez, it would be great if you guys also did security"? I knew you were kind of doing some security before, so maybe it was a natural extension. I know there was some M&A in there as well. Can you just talk about this sort of journey around security for JFrog?
Yeah. So our CEO, Shlomi, and our founder, Yoav and Fred, they saw an opportunity to penetrate a huge budget in security. Today, we have over 7,000 customers. Every single one of those customers has a security product. The difference is each one of those products is an independent point solution that is securing a binary. You have six or seven point solutions that are sitting on top of JFrog securing the binary, but you're getting false positives in terms of multiple tools not using the same database or the same application in order to get the right result. We saw an opportunity, and we were questioned about this to consolidate and create a platform. We did the acquisition of Vdoo in 2021, and we said that everything would start to go to consolidated platform approach. We own the binary.
We should secure the binary, and we secure that with the JFrog Advanced Security platform sitting on top of the most critical asset, which is your binaries.
The DevSecOps space, or the security in particular for DevOps, is pretty crowded. There is a lot of different players, pretty fragmented, right? What explains kind of your right to win there, your differentiation relative to a lot of the other players? I am not just talking about the point tools. You could argue maybe the point tools, it is hard to manage. Like you said, there is false positives or other errors. You also have the GitHubs and GitLab that are moving into security pretty aggressively. Those are not point products, right? Those are more platforms. Why would a customer choose JFrog over one of those guys?
Yeah. I'll start, and then why don't you jump in a little bit around the GitHub discussion as well, because I think there's a lot to unpack here. First of all, why would a customer choose JFrog over another security product? And what is the value proposition here? First and foremost is, again, it's around securing the most critical asset, which is the binary. The binary is owned by JFrog. That is what is being managed by us. So customers, A, they look at it and say, "If you're managing the binary, it makes a lot of sense for you to secure the binary." Secondly, all of these tools that you're talking about, these point solutions are private companies. There's no public companies that we know today that are in the point solutions. They do not have a roadmap around a platform.
They don't have a roadmap around their next stage. The fact is we are a publicly traded company, and there's one throat to choke when you talk about the platform, which is important and critical to the customer. They see a significant value in the consolidation and management of one vendor.
Yeah. I think it talks to the various groups that you address, Jason. So there's the point solution guys, and there's a secular trend going on of consolidation of those point solution tools. You see Forrester and Gartner no longer wanting to do AppSec or not going to do AppSec reports going forward because they've acknowledged that a platform is the way that the enterprise will work going forward. When you brought up some of the Git guys, the source code guys, well, what we're not seeing from them is competing with us in binaries because what they're very good at is handling the security of the source code. The difference changes when you move to the binary, which is deployed in the wild.
Securing something that's deployed in the wild without the assistance of a firewall is a definitely different technique than what you're doing with keeping the source code internal behind the firewall at all times in-house. As it relates to the Git guys, I think they have new things to worry about, not only each other and the competition between the two companies you mentioned, but in the new technologies we're seeing, such as Cursor and Windsurf and the new IDE technologies that are emerging in terms of developing code. I think if you look at also the hyperscalers as another alternative to using them, they don't really have security as it relates to security.
That's one reason why they're not a best of breed alternative or a better choice than JFrog, because really what they're offering to you is come to our network, move your containers, and we'll give you something to put your one, two packages that you manage. Maybe you can put those into a container registry. Again, the depth, the knowledge, and the expertise around binaries, that's all we do. That's really what's led us to be able to take this market or be participating in this market.
Can you talk about the partnership with GitHub?
Yeah. You want to start off first, and I'll go into the details?
Yeah. So we started the partnership with GitHub about a year ago, and this was actually led by our customers. Our customers came to us, joint customers between GitHub and JFrog. They said, "Listen, we recognize that GitHub is the best of breed in source code. We're using the best of breed in the binaries. And JFrog, the two of you are not speaking together in terms of when I'm on my user interface, I'm working with GitHub, but I don't see JFrog. I want you guys to work together." It started out as a co-engineering, co-marketing agreement. It was born together with Thomas, the CEO of GitHub, and Shlomi, our CEO at JFrog. They started the communication. The first step was co-engineering.
We developed a technology to bridge the two together so that you have traceability and remediation going from source code to binary and then binary back to your source code so that you can secure from writing the code to putting the code into production. The second piece was co-marketing. We did some co-marketing together. Thomas has joined in our LEAP events. Shlomi has joined, which is, by the way, the 100 largest customers for JFrog. Thomas joined us. Shlomi has also joined Thomas at the GitHub events. It is very clear now to the user that the best of breed in your source code is GitHub. The best of breed in your binary is JFrog. There is no question anymore.
The line is drawn in the sand that you're not going to have the Gits kind of moving to the right into the binaries and JFrog trying to move to the left in terms of the source code. It's very clear who are the best of breeds.
Yeah. I think just let's talk about this in terms of the relationship and what it is today. It's been beneficial to JFrog in the sense that two, three years ago when I joined JFrog, speaking to many of you, you'd go speak to your friend, the developer, and he'd say, "JFrog who?" The reason being is that we were running possibly as a service behind his IDE workstation. He wasn't familiar with what the value JFrog was proposing. Now we're on that GitHub workstation. That developer is interacting with JFrog as he's developing the code. He's also able to now go into Artifactory. He's building the code and pull the binaries as needed. That is a key integration.
The next step of integration that we've done on a technical side is with Curation and Copilot and working those two together with the code completion and making sure the Curation is there. It's a centralized security policy that I only allow certain packages into my organization. Thus, if a machine's grabbing what the organization has to offer, I know that it's the correct package that it should, in fact, be using. Finally, I think another opportunity down the road for us is the fact that we're working together on security.
It ties into some of the discussion we were just having earlier with Jason in that this secular trend of consolidation we see could benefit both companies by having GitHub focus on the GitHub advanced security of source code, JFrog focusing on advanced security in the software supply chain, taking out eight tools in total, managing those two tools now as one. I have one screen. To me, the user, it looks as if I'm managing one tool, all my vulnerabilities, all remediations handled on that one screen. It is a very technical relationship today with more engineering announcements to come that I think are going to be very unique. The goal is maybe someday to try to get a co-sell motion. I think today, as it stands, it has stood a benefit to us, as Ed talked about.
When speaking to you guys, it no longer is addressing the Git moving right and everyone's going to roll over binaries. I think one thing we see down the road that it could be is that company X, a Fortune 100 company, is utilizing JFrog and GitHub. I'm just a lonely SMBC, so what do I know? That seems like that's the way to go and design my organization. That is some of the benefits that we're seeing on the technical side so far.
Speaking of competition or potential competition, I think you rightly point out that we have not really seen the kind of the encroachment by the Git guys into your market. Maybe just talk about why you think that has not happened and then who is your main competition today for Artifactory in particular?
For Artifactory, we have two main competitors and one more so than the other. One's upcoming, a smaller guy. That's a cloud-native company in Cloudsmith. Their alternative is that they offer cloud, where the other competitor, Sonatype, doesn't offer cloud and has scalability issues. In fact, Sonatype has been around as long as JFrog and actually took the binary market in the first few years. Because of what we did and the focus that we had, we were able to win that market over time. Sonatype is a company that we often are able to pick new customers off from that they have scalability issues. That's just the core Artifactory competitive landscape. Other than the guys I mentioned with a hyperscale here, maybe a Git guy says, "Hey, you're using one language stored in my source code repository," but those aren't who we're seeing at the presale.
The presale, we see Sonatype or this Cloudsmith company. I think then the competitive landscape changes as we go into security and we get into the private security guys and those aspects. Again, I think as part of your question earlier, the thing that differentiates us there is the integration with Artifactory and the native integration that I would love to do this, but it's not a great business decision in terms of you could shut off access to Artifactory and all these point solutions would be blind. Obviously, it would cause disruption to the customer, what have you, but it shows you the value that they need to extract from Artifactory to be relevant themselves.
Right. So it's like Artifactory is like a strategic control point.
It's the heart of your software development.
Kind of a natural adjacency to security or a natural point of insertion for security.
I think you're correct. I think why that's changed, Jason, is it's become the attack vector. Five, ten years ago, Vlad sat in Eastern Europe, tried to hack your firewall for 12-18 months to get to your source code. Now, after hundreds of millions invested in firewall technology, other things, that's probably not as viable as just taking a malicious package, putting it in the NPM repository, have you download it, put it in production, and now I'm in. The attack vector is now becoming what's out in the wild, which is the binary, and that's no longer source code.
Is that what happened with SolarWinds?
SolarWinds, if I remember right, it was a binary package that was brought in, yes. I believe it was a binary package that was brought in, and then they had to quickly remediate to find where it was and what environments it had been deployed in.
Okay. Good. I'm going to open it up in a minute to the audience. One last question from me is just on the go-to-market strategy. When we helped take the company public in 2001, when it was 2001, 2021, sorry.
2021.
2021. One of the question marks on the story was the enterprise sales motion. Frankly, didn't have much of one in 2021. Can you just talk about how over the last four years-ish that's evolved and how confident are you that you have the kind of go-to-market approach now that's going to help you be successful?
Sure. Yeah. You know us well. You've been with us. I know us well too. I've been here for six years. So I've seen this shift in the maturation process going from a bottoms-up where it was inbound, inside sales led. We were creating a platform, building a platform. We talked about penetrating the enterprise. We talked about go-to-market. We thought, man, maybe we were naive that that would happen overnight. It's taken time. It was a three-year investment for us. We first started by bringing in strategic sales. Then we realized strategic sales alone cannot do it. You've got to bring in the supporting team around that. So you've got to bring in solution engineers. You've got to bring in architects. You've got to bring in people that know how to penetrate the C-suite. So it took multiple years.
Now what we're seeing is we've actually started to penetrate that. Why? Because we have a platform, a true platform. We now offer security, which sits on top of that. We have ML to sell. In addition to that, we've seen it through the growth in our million-dollar customers. We've seen it in the growth in our over $100,000. Our RPO has been exceptionally strong. Those customers want to do multi-year agreements. It includes security on top of that. We had significantly strong growth in our RPO over the last three quarters. A lot of proof points that this motion is now starting to work. We feel really confident going into the second half of 2025.
We saw something similar in 2024 where we started to build the pipeline with a lot of enterprise opportunities that started to bake over time, talking about migrations and multi-year and then security added on top of that. We are seeing something similar in 2025 as well.
Okay. Great. The floor is yours. Yes.
Net dollar retention given the big upsells.
Sure. So net dollar retention,
yeah.
Oh, okay. So you want to speak about net dollar retention. Maybe I'll give you some insights in terms of the net dollar retention and what can drive the net dollar retention. The big upsells are included, obviously, as those deals are closed and the upsell on those specific deals in the mid-teens. What could drive additional expansion in my net dollar retention is going to be two factors. The pace of migration. As customers move from self-hosted to the cloud, I get anywhere from 20%-80% uplift on a like-for-like subscription. Any pickup in the pace of migration would drive incremental net dollar retention. The second piece is usage over the minimum commitment. You have these large deals that commit to us. Let's say, for example, they commit 10 petabytes of data.
We recognize the revenue ratably over the period of time, one year or so for those agreements. If they start to use greater than the minimum commitments, we would see an increase in our net dollar retention rates. Hopefully we would capture that as an increase in a commit going forward.
What is your net dollar retention now, and where do you expect it to go?
Our net dollar retention right now is 116%, and I expect it to be stable right now.
What does it mean if we move to a world where the amount of software written in a given day or year increases five-fold or ten-fold using AI software writing? How does that show up in the JFrog model?
The thesis, so first the question was, if you start to see an increase of 5x or 10x in terms of the amount of code written, how does that impact JFrog? The thesis is this: more code means more binary. More binary is good for JFrog. At this point, we are not necessarily seeing any benefit from machines writing code in JFrog. We saw some significant usage above minimum commits during Q1. That could have been some experimentation. It was something we did not expect in a historically slow quarter for us. Q1 tends to be one of the lighter quarters, and we saw this robust usage of data consumption during Q1 across a diverse group of our customers across multiple geographies all three months of the quarter. Could that have been some experimentation? It is possible.
The thesis is, as you'd see more code being written, more code would generate more binaries, and more binaries would be a benefit and a tailwind for JFrog.
Can you just expand on how AI changed the relationship between binaries and source code and how does that affect your product?
Yeah. I'm going to have Jeff take that, but the question was, how does AI change the relationship between the source code?
This presentation has now finished. Please check back shortly for the archive.
How has AI changed the relationship between binaries and source code, and how does that affect your product?
Yeah. I'm going to have Jeff take that, but the question was, how does AI change the relationship between the source code and the binary, and how does it impact JFrog?
Yeah. Thank you. It's a very good question. I think we hit on something earlier that we think over the next two to three years, the machines will move left, not the Git moving right. What do I mean by that? I mean that the LLM organizations, the data scientists organization, will eventually, in two to three years, be integrated into the DevOps organization. At that time, you'll probably have a majority of the code being written by machines on large language models. That machine and that large language model will inherently be a binary that we will be controlling. With our MLOps platform, we give you the ability to generate and deploy those models.
Artifactory has also been found to be a great use case for managing and securing these large language models. To answer your question, I think what is going to change with AI and ML is that we're going to see less human developers going forward. I think all of us have heard that thesis. We're going to see an influx of code that Ed just talked about, driven by machines generating that code. I would put forth that machines can generate more code than even the most productive human.
That is basically the same comment that you made earlier: more code, more binaries.
More code, more binaries. Right. Personally, I think it's going to happen more when the machines take over. I think we're in a period where the code completion and the copilots and the duos are going to make a more efficient developer. Again, to my last answer, just not to the level that you have a machine just waiting to build, waiting, waiting, waiting.
Yeah. Do you have any prognostication, crystal ball, on just the profession, developer profession, and should kids be learning to code?
I don't know. Ask the guys that were told that 10 years ago now and see if that was the right career path for them.
To be clear, though, if there's fewer developers, it doesn't impact you guys, right? Because you're not pricing.
We price on seats only for security because that's the common currency. I'd also note that a seat in two years, Jason, could be a machine.
Right. Okay. A seat could be a machine. That makes sense. The way you guys price overall, though, is based on storage and compute?
We have three pricing models. If you're a self-hosted customer, we price on the number of servers that you're using on the self—I'm sorry, on the cloud. It's data transfer and storage. And then with advanced security, it's the number of contributing developers.
Okay. Okay. I think we're out of time. We're going to, again, go up to Cunningham.
Richardson.
Richardson.
Richardson. Thank you very much.
Thank you.
Thank you for having us.
This presentation has now finished. Please check back shortly for the archive.
Good afternoon, everyone. Jason Ader with William Blair. Very pleased to introduce the guys from JFrog: Ed Grabscheid, the CFO, and Jeff Schreiner, VP of IR. Before we begin, I'm required to inform you that a complete list of research disclosures or potential conflicts of interest is available on our website at williamblair.com. Ed is going to go through some slides, and then we'll have some time for Q&A. Then we'll have a breakout upstairs in Richardson.
Yeah. Yeah. Thank you, Jason. Thank you for having us. I will not go through all the disclosures. You can go to our IR page and read through those. I'll save the time for the presentation and for the fireside chat. I want to just give a quick overview of JFrog. I won't spend a lot of time on these slides. I wasn't sure of the format of this, but I want to give time for the fireside chat. I see a lot of familiar faces and maybe some that don't know the story. Just quickly, we're a little over 7,300 customers as of the end of 2024. We've penetrated more than.