All right. Thanks, everyone, for joining us in Utah. My name is Billy Mandl. I'm on the research team here at KeyBanc. We're with Jason Celino, who's our Verticals HCM and DevOps Analyst. Jason and his wife are expecting a second child any day now, so he couldn't be here, but we're excited to have Ed here. Ed Grabscheid is the CFO of JFrog. Ed, thanks for joining us.
Thank you for having me. If Jason, if you're listening, congratulations. It's nice to be here. I forgot about how high we are in terms of altitude. Running from the room to here, I realize I'm actually not out of shape, but I've completely lost my breath.
That's great. Maybe, Ed, we can start kind of high level. For those who aren't familiar with the story, maybe just give a brief introduction to JFrog, where JFrog sits, and what we think of as the DevSecOps landscape and what the problem is you're solving for customers.
Yeah, sure. JFrog's been around since 2008. We are located in the, or sit in the DevOps space or DevSecOps, but really we call ourselves EveryOps. Today we're a company that manages not only the DevOps, we manage the DevSecOps, and we also have MLOps. We consider ourselves the ops of everything. We solve the problem for developers in terms of fast and secure software releases. We also solve the problems for the CISOs to ensure that those releases are secure and that we're not putting malicious packages out there. We do it at a very fast pace and ensure that these updates reach the endpoints as quickly as possible.
We'll get into some of that platform evolution, but just wanted to touch on Q2 earnings reported last Thursday, I think it was. It was a pretty impressive cloud growth number, 45%. Can you maybe walk us through some of the usage dynamics you've seen now the past two quarters, kind of what you're seeing on that side of things?
Yeah, so it was an impressive first half, not only Q2, and it really started in Q1 where we saw usage over minimum commitments. First time we've seen that in a good year. What we said during that first quarter was the usage and what we saw was Docker, which we typically see where the Docker registry, the system of record for Docker registry when it comes to binary, but we also saw Hugging Face and PyPI. An indication of maybe there's some AI workloads. This is coming off of a very small base, but nonetheless it was an increase and we saw significant usage across our portfolio and above our minimum commits. As we stepped into Q2, we saw sustained usage.
What was different in Q2 versus Q1 is that we started to see momentum in discussions with our customers to take that usage into a higher annual commitment with JFrog. Unlike what we saw in Q1 where we thought it was experimental, we saw the sustained usage, we saw the ability to increase those commitments or take those commitments into a higher annual commitment. For those that didn't go into a higher annual commitment, we still saw similar package types of PyPI and Hugging Face in terms of the usage as well as NPM, Maven, and Docker.
Yeah, and you alluded to it a little bit here, but just two quarters of evidence. I mean, what do you think is really driving that usage momentum? Is it AI experimentation? Is it just general developer activity picking up? Kind of what are the breadcrumbs you guys are seeing there?
Yeah, there's a couple of phenomena that are happening in cloud. First off is the adoption of security. We're starting to see our security product really starting to take shape and the penetration of the security budgets. The majority of our customers, in particular the large wins, are landing in the cloud, and that has contribution to our cloud growth. The second piece is the usage. When we look at the usage, we know that there is some experimentation around AI workloads, but it's still a very small piece of the business. The majority is coming from DevOps workloads and growth just in general of workloads. I wouldn't say necessarily it's AI workloads as excited as everybody is. I want to kind of keep that excitement down. There's an increase, but again, it's off of a very small base.
Where we're seeing most of the growth, it's coming from developer workloads.
Yeah, there's a lot of exciting security commentary in the quarter. Last thing I wanted to hit just on 2Q was kind of the AI-native leader that expanded the relationship with you. It was exciting to see that in 1Q, and you said they kind of doubled down this quarter. Maybe what's the scope of what this AI-native customer is using you for and how they expanded this quarter?
Yeah, you're not the only one who's excited. I don't think there's a conversation that I've had today or post-call that is not asking about this AI-native company. We actually work with three of the top five AI-native companies. This one is not unique in that sense. We actually work with several of them. What is unique about this one is the potential opportunity. First, this is a self-hosted deployment. They came to us in Q1. It happened very quickly. That was a big surprise to us, and they landed in the Enterprise+ subscription, our highest subscription. We're talking about hundreds of thousands of dollars. They stress test JFrog. They looked at how we work in terms of the number of languages we support, pushing our technology to the limits, and making sure also that from an Xray scanning perspective, that it's scanning the models appropriately.
Once they got through that kind of POC and stress test, they look at the topology and see where they can deploy globally. This is where you saw the increase in the subscription during Q2. They doubled the subscription during Q2. This has a lot of potential. We're super excited about it. I do also want to mention, again, it's self-hosted. The potential is there, but there is no customer, even our largest customer today, that represents more than 3% of our revenue. I know there's a lot of concern when you talk about AI-native and what is the effect for JFrog if they decide to maybe move in a different direction. Even our largest customer today does not represent more than 3% of our revenues.
Interesting. Are they using you for security at all, or is that an opportunity down the line?
That's a great point. They've taken us for the Enterprise+ subscription. They use us for Xray, which is part of the platform, but they have not yet subscribed to our Advanced Security or Curation products, which would be an additional upsell if they do move that direction.
Let's talk about security a little bit, because the platform really has expanded a lot from kind of a DevOps, Artifactory, and Xray story to more on DevSecOps and a lot of the Advanced Security offerings that you have now and things like Curation. At a high level, what kind of traction are you seeing in your security sale? It was a huge RPO number this quarter. Any way to help conceptualize how much of that is coming from security attached or just ways for us to understand how the security momentum has taken off?
Let me first talk about the journey in security, because it's an interesting journey. We acquired the company Vdoo in the early 2020s, and we thought we could immediately take this product to the market. It took time. First, we had to start with rebuilding Xray as a product that was built for developers, not necessarily a security product. From there, we had to integrate that into our platform. That took a little bit of time. We released the product in 2023. The first half of 2024, we did introductory pricing. This gave us the opportunity to land with some large enterprises for them really to kind of check and test our capabilities against very well-known point solutions. What they found is that JFrog knows how to do security. They created a very good product.
The second piece of it is if, as an organization, I'm looking to consolidate and minimize my vendor sprawl, I have an opportunity with JFrog as a platform in security to consolidate all of these point solutions. This is where you really saw the inflection point in Q3 of last year. Now you started to see big bets in security. They said the CISOs in these organizations that we work with, we love the JFrog security product. There is no way I'm going to rip out my effective and efficient tools that I'm working with today and replace those with JFrog, but I will over time. This is why they're making three-year bets, very large bets with JFrog reflected in our RPO number, and over time we will replace those point solutions. This became a blueprint for how we sell.
It became a blueprint for some of these industries like financial institutions, for the automotive industry, and now we're starting to see that momentum take place. We saw that here in the first half of 2025. We called out specifically one of the largest telecommunication companies in Q2 that took a very large position with JFrog Curation. They already had JFrog Advanced Security, but took JFrog Curation, a multi-year seven-figure deal to protect the castle of what comes into their organization, and Curation is a great product to be able to do that.
Yeah, you said something pretty powerful as customers saying, JFrog knows how to do security, which is like we've seen other companies struggle to evolve into a security organization. You're selling to a new persona, which is the CISO, the office of the CISO versus the CIO or the DevOps team. Do you think that understanding of JFrog as a security company is starting to broaden beyond your customer base? Are you seeing any lands on the security side?
Yeah, every discussion we have will introduce security. Any new customer we lead with security, because we know every single customer has a budget for security. When it comes to managing and securing their binaries, every single customer has a budget. It's a matter of taking that budget and moving it over to JFrog. We do have those conversations, and we continue to have those conversations. New customers in a magnitude of order is a small percentage of our business compared to the expansion. Where we really see the traction today, though, is around the expansion. We have over 7,000 customers. Half of those, 3,500+, are using Xray. If you're using Xray, we know there's a path to having a discussion around security, and that's what we lead with now. When I look at my pipeline, the vast majority of my largest deals are leading with security.
Which products are seeing the best momentum there within the security suite? It's gotten pretty broad at this point.
Yeah, it's gotten very broad. What we see right now, it's a split between JFrog Advanced Security, which is the platform security product that replaces six to seven technologies, and JFrog Curation. It's split about 50/50 today.
Okay.
Yeah, there's valuable use cases for both, and we'll be talking more about that, even additional products that we've developed and we plan to release at our annual user conference, SwampUP.
Yeah, looking forward to that.
Yeah.
I guess we talked about the evolution of how JFrog's evolved themselves in security, but if we take a step back, I mean, what is the differentiation of JFrog in security versus maybe the traditional application security vendors or even more traditional enterprise security vendors?
Yeah, I kind of alluded to it in the beginning part of the fireside chat. It's the consolidation and the vendor sprawl, the controlling of your cost and the return on the investment. What our customers are looking for is to minimize the point solutions, have one vendor, and the value proposition that JFrog brings is not only that consolidation and the platform with multiple technologies and our Advanced Security, but we own the primary asset, which is the binary. If you are the system of record like we are for the binary, then it makes sense that you will also be the system that is securing those binaries. We've consolidated those point solutions, and we generate a significant value in terms of cost of ownership. You take those three factors, people are very excited about JFrog Advanced Security and Curation.
That's great. I mean, this isn't just a product evolution story. There's been a lot of work on the go-to-market. I think one of the more exciting evolutions there has been the partnership with GitHub, Microsoft GitHub. Can you maybe just explain to us what that partnership brings from a distribution and a product integration standpoint?
Yeah, this is a huge strategic partnership. First, what this created is a clear delineation between these different parts of the software development lifecycle. You have source code, you have observability, and in the middle, you've got the binary management. This became very much clear once JFrog and GitHub started to have this strategic partnership. The best of breed in the source code, the best of breed in the binaries. More than 70% of our customers today use GitHub to manage their source code, around 20% on GitLab, and about 5% or so on Atlassian Bitbucket. Where the value became much more evident is what I would call most favored nation. We started to develop technologies together, gave us a single pane of glass in order to do traceability and remediation. It also gave us the ability to sell security.
There was a question, do I go with GitHub Advanced Security or do I go with JFrog Advanced Security? No, actually, you need both. In order to go from source code to binary to runtime and then be able to trace all the way back to your source code, you need both. This is where we see the value. We continue to develop new technologies and new capabilities with GitHub. They're going to join us on stage at Swamp UP. We will join them at GitHub Universe, and we continue to build a better relationship with them. We continue to see that being very strategic going forward.
Yeah, that was an exciting partnership for sure. I think investors are curious to track the progress there. Maybe how are you guys tracking? What metrics are you looking at? How are you gauging success on that front of the partnership with GitHub?
Yeah, it's really hard to put the finger on exactly what I'm driving from GitHub unless somebody tells me I'm a GitHub customer and I came directly to JFrog because I need a binary management tool and this is the path that I went. There may be some cases of that, but really where we see the value is, again, the clarity from a customer perspective. If I know that I want to go with the best-of-breed solution from source code to binary, then I know it goes GitHub and JFrog and it's the two together. This is where it really brings the value. Most of our customers, 70%, are using GitHub. If they're taking the security product, they most likely will start to take the JFrog Advanced Security as well.
Okay.
Yeah.
We could talk about AI now. It's only the fourth or fifth bullet on here. Usually said a little bit quicker in these sessions, but it's clear that AI coding, copilots have been one of the early adopted AI use cases, and they seem to have great traction in the ecosystem. Just curious, you know, how you'd frame how JFrog participates as a beneficiary from that trend towards AI coding assistance.
Yeah, there's a lot of traction. First of all, the fact that we went four levels before we even talked about AI. I can't walk into a conference or a discussion without having AI, especially around JFrog, be the first topic of discussion. These developer assist tools and code assist tools are certainly getting traction. There's a lot that's happening at the source code level, right? They're building a lot of code. What they take from that into production and build into binaries, we're still not seeing all of that code go into production. Thematically, I think there's two use cases where I see significant benefit to JFrog. As more code is being created, there will be a need to convert that into a binary. If you're the system of record for the binary, you will have the opportunity as more binaries are being created to generate growth for JFrog.
The second piece is around security. Technologies are shifting very quickly. Every day there's a new AI company, every day there's a new code assist company. Securing that and what you're bringing into your organization will be critical. The only way it goes into production is if the organization trusts what's coming in. JFrog has a huge opportunity to secure that. Curation is one of those products that is a firewall around your organization. You can then mirror the pace of code generation with what you're bringing into the organization and the pace of what you bring into the organization securely. If you have JFrog Curation, I set those parameters as a CISO. I feel comfortable that I'm not letting anything in that I don't want into my organization or anything that's malicious. The pace of that production starts to increase, and this is where JFrog can truly benefit.
Yeah, we hear similar that some of these AI-assisted coding tools are creating more vulnerable code. Is this pulling through in conversations today, or is this something you kind of see a little further down the line? Are organizations starting to think about, hey, how do I protect against some of this more vulnerable code that's being created?
Yeah, we absolutely hear this, and we've had partners reach out to us. I'll give you a good example. Hugging Face reached out to us at the end of 2024 and in Q1. The community heard that the models that are in Hugging Face as a repository are malicious, and there's all kinds of vulnerabilities. We use JFrog Xray capabilities to scan all the models to make sure that there were no vulnerabilities, to give the confidence to the community that there were no vulnerabilities. We hear this all the time. We hear that machine-run code, so these coding assistants tend to generate more vulnerabilities. This is all good news for us because it creates additional use case for JFrog and opportunity for JFrog.
There's another kind of piece of the AI story here. You acquired an MLOps company, Qwak. Maybe outline for us kind of what that brought to the platform, and then why MLOps kind of makes sense as an extension of a DevSecOps platform. Why is that the value where it accrues?
Yeah, yeah, we saw about a year and a half ago that the data scientists in the data science community were starting to bring large language models that are a binary into Artifactory and storing those. We knew that something was happening, some transformation that was happening around large language models. We started to integrate with companies like SageMaker, Qwak, MLflow, Databricks because they wanted to bring these large language models into their organization and train them. What we saw with Qwak, there was a tremendous alignment culturally, the vision, and we did that acquisition. We felt like we needed to win this market. It's not only about bringing those binaries and those large language models into your organization, it's around training, securing, and deploying those. We know how to store and as a repository of the [fineries], we don't know how to train, secure, and deploy those models.
This is where Qwak came into play. They have a platform that can sit on top of Artifactory that can do exactly that and create that opportunity, not only to just store those models but be the system of record for all models going forward. When you have the data scientist community looking to train those models and be close to the metadata and deploying those, JFrog is the system of record for those, and Qwak provides that opportunity.
Yeah, excited to see how that Qwak story progresses.
Yeah, sure.
Along those lines, how do you monetize this NVIDIA relationship? How big could it be? What's the longer-term strategy doing this? Because on the other side of the spectrum, they're squeezing every partner. How does that work for you guys?
Yeah, so the question is around the relationship that we have with NVIDIA and how do we monetize that relationship going forward. First off, I've been with the company six years and two years as the CFO. If somebody told me that Jensen was going to be on stage talking about JFrog, I would have never believed it. From that perspective, that's a huge win. To be part of the AI factory was a big kind of shot of confidence for us. This is being used in a different fashion. They are going to host their models. JFrog will be used in order to scan those models and secure those models. They'll bring JFrog in.
It could be cloud, it could be self-hosted, but it's really around taking their hardware and moving it to a software application, probably around large language models and ensuring that the community feels confident that those models are secure and that those models will be deployed efficiently. That's why they chose JFrog. We'll see how that goes. It's still very early, but we're very happy about the fact that we've got one of the biggest companies in the world endorsing JFrog.
Is JFrog finding any efficiencies from AI internally? I mean, as the CFO, do you get excited about where you could see some cost savings?
Yeah, certainly there's opportunity. I do not review or sign any POs for new software if it does not have AI-enabled capabilities. A good example is my own team, my FP&A team. As they look to expand the capabilities of the financial planning tools, it has to have AI-enabled capabilities. Being able to give narratives quickly, provide feedback, and make them more efficient is something that I'm always looking at. We use AI capabilities around Notebook, Gemini. These are things that we're using. We also use developer tools more for experimentation. I haven't seen efficiency gain yet. I know there's a lot of discussion around efficiency gain in a number of developers. We haven't seen that yet. If we are going to be a player in AI, we also need to understand how to use AI, and we certainly build that into our playbook.
Do you have a rough sense of how much of your tech development could be done by AI in two to five years, or is it just too early to tell?
It's too early to tell. It's too early to tell.
That's fair. I think another exciting part of the story has just been the magnitude of these deals. They're just getting larger and larger, and the go-to-market has really had to change to facilitate that. Maybe just quickly walk us through what the changes have been on the go-to-market side, if there's anything incremental coming this year or into next year.
Yeah, no doubt the size of the deals, the duration of the deals, those have changed. The way you sell has to change as well. We made significant investments over the last three years to our enterprise sales team. That was important. You have to be able to speak the language of the CIO and the CISO in order to sell. It's not an inbound motion anymore where you're selling to a developer. You're actually selling to the C-suite. We made that change many years ago. We also brought in architects and solution engineers as overlays that can speak both the DevOps side and the DevSecOps side. Where we made some investments this year when we realized we were maybe lacking in our capabilities was around the product marketing team. In order to sell to the C-suite, you have to be able to explain these complex solutions that you're offering.
It's a technical sale. I can sell that to the CIO and the CISO, but if I'm selling it to the CFO and the CEO, why I need to do that, you have to have a strong product marketing team. We've invested this year in product marketing. We're now bringing MLOps into the fold. You have DevOps, DevSecOps, and MLOps. They've got to be able to tell the story, and that's where we've invested. We've seen it pay off so far.
There's also a bit of a cloud migration story here too. I know that was hampered for a little bit as organizations had a tighter budgetary environment. Are you seeing that open up at all at this point?
Yeah, cloud migration is part of our strategy. We work together with our customers to move workloads from the self-hosted into cloud as they are prepared. Most of our customers want to do that over time. As they prepare their workload migrations, we're there to support that. We see that still as a significant growth driver for us. That will happen when they're ready to do it. We do not force it. We find that it's not a matter of if, but when. The deal sizes continue to get bigger and bigger. Not only is it a migration, but you talked about how large these deals are becoming. It's because you're adding security on top of that.
If you're going to make the effort and do the heavy lift to do the migration, and if you're not an Advanced Security customer today, it's likely that you'll start to add security on top of that. These things are happening. They're building in our pipeline. We're continuing to have conversations with our most strategic customers to do those migrations, and time will tell when those happen. It's still moving forward.
That's great. A lot of exciting stuff going on with JFrog. Is there one more audience question?
Yeah, one more question.
Yeah.
I'm just curious, when you see customers migrate from on-prem to cloud, if they do that concurrently with other tools in their DevSecOps stack, or if you see it being sort of a tool by tool, or you know, when customers go from on-prem to cloud, are they also doing that on Jira, GitLab, and the whole gamut of things?
Yeah, that's a question that's been asked quite a bit. There's usually a roadmap in which they follow. The first step is typically the source code. They migrate the source code, then they would go to the binary, then they go to observability. It's got to follow the roadmap. There's a large financial institution that we work with. They've publicly come out and said they're trying to move everything to the cloud, but it follows a roadmap. We tend to be part of that roadmap. If there's something delayed, it's out of our hands. It's delayed because of the migration and an earlier step. We follow that progression.
All right. A lot of exciting stuff going on. Thanks, Ed, for joining us.