Thank you everyone. I am Sanjit Singh. I cover the Infrastructure Software Coverage for the Morgan Stanley Software Team. Super happy to have Chief Financial Officer of JFrog with us, Jacob Shulman. Jacob, thank you for joining us at the conference once again this year.
Hi, Sanjit. Thank you for having us.
Yeah, of course.
Let's get to the disclosures real quickly. For important disclosures, please see the Morgan Stanley Research Disclosure website at www.morganstanley.com/researchdisclosures. If you have any questions, please reach out to your Morgan Stanley sales representative. Jacob, let's start the conversation from a high level. When people think about the DevOps category, the DevSecOps category, seems like a pretty attractive Secular Growth Market. Lots of sort of TAM available. On the other hand, there's lots of different players in the market.
Yes
as well, right?
Mm-hmm.
I guess to start off the conversation is so where JFrog sort of plays in sort of managing Binaries, why is that sort of strategic real estate and allows hopefully you to do more with customers over time?
Yes. First of all, if you think of this DevOps Infinity Loop, right, which comprised of multiple stages, kind of to simplify that, we believe that it will be broken into three areas of expertise. On the far right from us would be Monitoring Tools, and there are a lot of different players in there that monitor your performance. It's once the software is already implemented and running on machines, this is where they come and provide you feedback on optimization opportunities. To the left of us, there will be developer tool category, and a lot of different technologies that's coming up every year. Developers would always want variety of different tools to be able to write code. What's in between is the Software Supply Chain category, which we believe we are leaders in.
If you think about it, Sanjit, developers, as I said, always want variety of different tools. Enterprises do not want variety of different tools. They want standardized, secure framework for software releases. This is all about binary management because once the developer wrote the code is a text in its people language. Machines don't speak people language. They speak ones and zeros. They speak Binaries. Every company that wants to release software has to go through the process of converting the code into binary file, incorporating open source. Open Source also comes in the form of binary. No one sends you an email with text in it, right?
Mm-hmm.
It's you only download the binary executable package. You have to secure and physically deliver those Binaries to machines. This entire area is called Software Supply Chain, and we today believe we are leaders in this space on the DevOps side. Obviously now with the enhanced levels of security requirement, this entire supply chain needs to be also secure. This is why we kind of building our capabilities in security space as well.
Yeah, it's a great overview. 2022 was a strong year for the company, 30% revenue growth. You guys have been free cash flow positive for many years. In Q4 you did see some impact of elongated sales cycles and deal push-outs during the quarter, which worsened in the month of December. Can you speak to the macro impact? Like what are customers saying about JFrog and their JFrog investment going to 2023, and how is the company responding to this more sober spend environment?
Yes. Yeah. First of all, we started first seeing those first macro impacts even in Q2. I think when we report our Q2 results, we already started seeing some elongation of sales cycles. We started seeing more kind of efforts of our customers to optimize cloud usage. As you know, on the SaaS, we monetize it by data transfer and storage, and that's where people started kind of taking steps to optimize usage in that regard, which is consistent probably with what you've seen from the industry. Those trends intensified in Q4, and we did call that kind of in December, we did see a much more significant impact on that. Specifically...
First of all, the trend of digital transformation will continue, and the trend of adoption of DevOps will continue. We don't think it's something that change in kind of how people think about the digital transformation. It's more related to micro impact. Specifically, we did see that customers optimizing their usage. When we guided 2022, we did say that our cloud growth will be mid-50s and growth above that will be attributed to overusage. We did see that once people started making those optimizations, our cloud growth converged to mid-50s. We believe that in 2023 the cloud growth will be mid-40s, partially because of the continued optimization effort, but also because we did see some slowdown in the trend of migration from on-prem to cloud. People feel committed to migration to cloud.
Cloud is still North Star for them.
Mm-hmm.
Given the budget dynamics and more scrutiny around the budgets and more cautious stand of some of our customers, we did see some push-outs in the month of December. Even those who made the strategic decision to go to the cloud, they still kind of took more conservative approach on the pace of the transition to cloud.
Mm-hmm.
That's what, kind of embedded in our guidance.
To follow up on that topic, one of the themes of the Q4 call was. You know, customers on one hand being less willing to invest in their on-premise data center environment, but then having a tough time to secure more budget.
Right
... for the cloud. Given what you sort of said that digital transformation is still a priority, and how that translates just to the volume of software updates-
Mm-hmm
... how long can this... how long can customers sort of stay in this, like, middle ground position, given the volume of software updates? Like, how long can they put off making the decision to move to cloud?
You're absolutely right. The trend of digital transformation continues. There are more software, so customers will have to do that. What they're first trying to do is to maximize the usage of their on-prem capabilities, and that's why we saw that customers using our products more. As you know, given our kind of monetization by number of servers-
Mm-hmm
... where the customer, once they make the decision to transition to cloud, they don't necessarily buy more servers. They want just to utilize existing infrastructure more. That's why we increased our prices for on-prem installation by 3%- 5% for 2023, effective January 1st, which will be kind of effective for each customer upon the renewal of the agreements. That's one way for us to monetize and align better value-
Mm-hmm
... to that. We definitely see that customers will continue with the efforts for cloud. Some of the deals that were pushed out from 2022 already gone through, and some have not yet. Definitely what we're hearing from customers is their commitment to continue and expand their cloud. What they're saying is that they expect these projects to go into production in 2023.
Understood. I'm gonna ask Jacob for you to put on your Shlomi hat to deal with this. More of a high level business conversations.
Mm-hmm.
If you think about the category, call it DevOps or the software release cycle, the majority of that is still on-premise today, but it's shifting to the cloud.
Yes.
You have other major players in the ecosystem like Atlassian telling their customers, "Hey, come February 2024, we're no longer serving supporting your server deployments." As this category, you know, shifts to the cloud, potentially more materially over the next 18 months, is there any risk to JFrog in terms of customers sort of looking at their software release cycle and saying, "Is this an opportunity to consolidate with fewer vendors or move more with Azure DevOps or other players?" How does the shift to the cloud in terms of the software release cycle in JFrog, how does that evolve over the next year to two?
Yeah. We definitely see more cloud adoption and the width and breadth of our offering is we're by far leading company today. clouds, they very good partner of ours. Their KPIs are different. Their KPI is how much traffic you generate on our system. Our KPIs are how we enable our customers to release software fast and secure. Therefore, we provide much deeper technology level, many more capabilities, both on DevOps side and security side. clouds see that we generate a lot of data transfer. That's why they partner with us and we go cross-selling opportunities with them, and you see, they offering us on marketplaces. Having said that, they also try to be closer to developers and get some of the workloads. That's why all of them have container registries.
container registry, container is basically one form of binary package.
Mm-hmm.
When people use containers more, they generate more traffic, and that's why all of the clouds offer container registries. Again, their solutions more narrow and optimized for data transfer. We cannot just use container registry. You need to code with something. You need to build even container. Typically, customers use multiple technologies, and not all of them supported by clouds.
Mm-hmm.
There's advantage for us on the technology level, but there are also advantage for us on the business level because what we're seeing today, and we talked about hybrid, how important is hybrid even for largest corporations. They all understand North Star is cloud, but they always gonna be hybrid because not 100% of their workloads will transition to cloud. None of the clouds can offer hybrid capabilities. Another very important differentiator is multi-cloud. Very large customers of ours, they don't even think to be like Azure shop or AWS shop. What they think is about how we enable our multi-cloud solution. None of the clouds can offer multi-cloud solution. We see it's the scope partnership that will continue to expand, and we're seeing significant growth in the cloud when we work together with them.
They still get their workloads on their cloud, but they offer JFrog as capabilities to their customers.
Yeah. I think it's probably important to note that in terms of the company's market positioning, you guys are playing at a much higher end of the market-
Correct. Correct.
particularly within the Fortune 100 and the Fortune 500. Sort of the next sort of major topic that's being discussed in this category is around AI, generative AI and large language models.
Yeah.
There's a lot of excitement about how these technologies can really accelerate code development.
Yes.
What do you think are the knock-on effects outside of, like, just the source code repository and accelerating the code development? Do you see a potential that if Copilot and things like Copilot become a must-have, does that also creates the incentive to go all in with a particular vendor? Do you see any sort of, you know, what would be the impact of these types of models outside of, outside of, you know, code development?
Yeah. First of all, AI will help to generate more software, more code, which means this code needs to be translated into Binaries, which means more Binaries. It's all of this AI capability is very good for us because we'll definitely speed up the software development.
Mm-hmm
... and there will be more Binaries created, and therefore there will be more need to manage Binaries. Now, you know us well, Sanjit, and you know that JFrog is all about automation, right? Our main value is to automate this entire process and eliminate developers from the software release process, make it automated. We already embedded a lot of automation capabilities in our processes, and AI could help us to do it better, especially when you embed different triggering events and security analysis events.
Mm-hmm.
We think that, in general, this AI trend will be very positive for us, A, because of more software will be created, and B, because our products ourselves will be much smarter.
It's well said, and we'll see how this evolves over the next year. Maybe some, like, real CFO questions.
Mm-hmm
... for once. How should we think about the balance between growth and profitability? This is. You guys have, you know, the, in the spending boom, you guys were always running more conservatively. You've been free cash flow positive for several years. You're operating profitable. Growth, I think you guys are targeting low 20% growth for this year. Is Rule of 40 a framework that you think about and a timeline that you can get to that type of level between growth and operating margins?
Yes. You know as well, over time, we built our DNA in slightly different way, like maybe some other companies in the space, we never paid $1.50 for $1 of revenue, right? We've always been very, very prudent in our spending. We were profitable even before we went public. Then we made these several acquisitions, specifically Vdoo acquisition in security space, where significantly increased our investments into security. Now we're launching our security capabilities. Back then, we promised we're gonna be back to profitability in four quarters, which we achieved. We said we're gonna be break even for 2022. We were slightly profitable. We continue to expand.
The way we think about is the long term, and you can only build strong business when you depend on yourself and when you generate profits from the business. Having said that, growth is very important for us. We see a lot of opportunities. We play in a very big market, and therefore we see the opportunities for growth. Rule of 40 is one of the metrics that we look at. You know, we were above Rule of 40 for several years. Now, obviously, given the macro headwinds, we're guiding around Rule of 37.
Mm-hmm
... 35, sorry.
Mm.
22% growth and kind of, low teens in the free cash flow.
Mm.
We build our portfolio, especially with new initiatives on security, to help to accelerate the growth once the macroeconomic headwinds behind us.
One more, one more sort of questions on the financials and the cost structure. In terms of stock-based compensation and net dilution, how are you managing this in the current environment, and how should we think about share dilution in 2023 and beyond?
Yes. Stock compensation is somewhat kind of unique because of the accounting, right? It's valued on the date of grant. Until today, I have some of the grants that valued at $60+, which hit my P&L, right? Therefore, we're looking primarily at the true dilution, kind of number of shares that we grant on annual basis. Historically, we've been running at low low single digits. Last year, we increased our dilution in 2022, like around 5%, mid-single digits.
Mm.
We think about it in terms of kind of ISS guidelines. We will continue to meet ISS guidelines for the true dilution. Right now we're kind of thinking about low to mid-single digits dilution.
Low to mid-single. Great. Switching back to the product level discussion. Enterprise+ is your top subscription tier.
Mm-hmm.
Has a lot of the innovation across multiple capabilities. It's generating about 43, or I think it's adopted by 43% of your customers. That's up from 35 year-over-year. Can you remind us what are some of the key triggers that causes customers to upgrade to Enterprise+?
Yes. First of all, a small correction. Enterprise+ revenues
43%
... 43% in Q4. Less than 10% of customers adopted Enterprise+. We reported our customer base at the end of the year to be, like, 7,200 customers. The best kind of approximation for the number of platform users is a number of over 100K customers. That was 736 customers at the end of the year. Not all of them on the platform. That's why it's slightly less than 10% of customers adopted and already generate 43% of revenue. There's significant room for us to grow in adoption of the platform. Does everyone need the platform? If you have customers on one region and one cloud, then probably you don't need the full platform.
If you have customers in even multiple regions with the same cloud or multi-cloud or on-prem and cloud, then you definitely need the platform because the primary trigger for the platform adoption is distribution capabilities. It's not just important to make your software developers effective and efficient. What really matters is how fast you take the software to the market. This next step of taking software to the market, that's what the platform allows. The primary trigger for platform adoption is distribution capability. Once the company standardizes an Artifactory, once you have your Binaries secured with our products, the next natural step for you is to take that in automated way to the market. This is where the people move to the platform, and this is why it presents significant value for them.
When you see customers make that upgrade to Enterprise+, what is that doing to their spend? You know, does it go up by 1.5x- 2x? What's sort of the uplift opportunity when customers make that move?
Yeah. It really depends on what type of distribution they're gonna be using because there are two types of distribution. Internal distribution, where they kind of update internal systems in different geographic locations.
Mm-hmm.
Just think of big bank, right? They have hundreds or thousands of branches. They have multiple development centers. They have tons of ATM machines, et cetera. All of them needs to be updated. That's internal distribution. External is when they take it to the customer. Today, majority of use cases still internal distribution. When customer transitions to the platform, we typically see 2x- 3x upsell-
Mm-hmm
on average selling price. Once customer transition to the external distribution, that's different volumes, and that's how we're trying to implement more.
Mm-hmm
... metrics into the platform on the distribution side because we see a lot of potential that software needs to be distributed to tens of thousands of customers or to be updated on billions of devices. That's where the IoT core comes into play.
Yeah. Makes sense. The company has sort of played in security for quite some time.
Mm-hmm
starting with its Xray offering. Jacob, I was wondering if you could talk a little bit about, you know, the initial foray into security with Xray and how the security strategy has evolved since then with the acquisition of Vdoo. What's the thesis that's sort of underpinning the company strategy, the move into security?
You're absolutely right. We started with Xray. First of all, kind of stepping back, DevSecOps has multiple areas of focus. There is static application analysis, dynamic application analysis, software composition analysis, container security, runtime security. The different companies coming from different angles because, you know, software, the code management existed for 40 years. Therefore, a lot of companies coming from static code analysis kind of because of historical kind of trends. Xray was the tool in software composition analysis, where when you bring open source component into your organization, that basically scans the component, breaks it down into different parts, and compare those against a database of vulnerabilities, known vulnerabilities. That's how it can tell you whether it's component vulnerable or not. The best analysis for that is like indexing tool on your laptop.
When you save file in your laptop, it goes through the indexing, and then you can...
Mm-hmm
... find it quicker, and you know what it's comprised of. Now, in Q4 , we launched and post Vdoo acquisition, we developed a new set of new capabilities. As we started this discussion by saying that entire Software Supply Chain needs to be secured. It's not just software composition analysis, but you need to have capabilities across multiple areas. That's what we started doing with Vdoo acquisition. In Q4 , we launched our JFrog Advanced Security, which is our first step to branch out of software composition analysis left toward more source code development and static analysis and dynamic analysis, but also toward right, more toward container security and runtime security and Infrastructure as Code security. We will continue to expand our capabilities.
What we see, though, is that there is significant value for customers, first of all, from the capabilities that we already launched. Two most significant features that customers value today the most is contextual analysis and secret detection. It's not enough to scan your source code to identify secrets because a lot of secrets get embedded into Binaries.
Yeah.
We do that on a binary level, and therefore, the quality of secret detection with our approach is much more significant. For the contextual analysis, just because we have this visibility into entire Software Supply Chain, we can tell you that we can help you prioritize vulnerabilities because some of them could be mitigated by your firewall or some your kind of different versions of other Binaries that you're using. Therefore, that's significant value to developers because they don't need to work on all kind of laundry list of all the vulnerabilities that point solution scanning tool would give them, but they will have some context and prioritization. We will continue to expand our capabilities, and we believe that the our security capabilities will become material to our business within the next two years.
Yeah, I was just about to ask, like, how we think about the timeline for revenue contribution.
Well, we start to see revenue contribution.
Mm-hmm.
With the launch, we're really happy to see, first customers buying JFrog Advanced Security in Q4.
Mm-hmm.
last week we launched, JFrog Advanced Security on-prem.
Mm-hmm.
Majority of our customers on-prem, so now we'll have access to more customers. In addition to that, we need to build our brand as a security company.
Mm.
We established our brand on the DevOps side where Artifactory became a standard setter. Now we're building our brand on the security side. We believe that in combination with the platform, our security capabilities will have significant value to customers.
In terms of, like, as you do this sort of expansion within security and as the security portfolio gets more broad, who do you think you'll be competing with as you try to execute on this initiative?
Yeah. We started with computation on the Software Composition Analysis, right? Where core players were Black Duck and maybe Sonatype with their some of their products.
Mm.
As we're branching out to more toward left and toward right, we'll start seeing more Snyk and Checkmarx and Veracode maybe on the left, Palo Alto Networks and Aqua Security on the right.
Mm-hmm
... as we compete in more categories, as I said, there are lot different players that play in different categories, so we'll start running in all of them. Again, we believe that the platform, the DevOps platform, in combination with security, will provide significant value because it's not just important for customers to quickly identify vulnerability. What's really important for them is quickly remediate vulnerability, and this combination with the platform, Artifactory, and Distribution will be significant value in that regard.
Makes total sense. want to see if anyone in the audience had a question, can you just raise your hand? If not, we can continue. All right. Let's sort of wrap up around the opportunity, which I think a number of software vendors are talking about, which is around tool consolidation...
Mm-hmm
vendor consolidation, trying to take more share of wallet of the budget. What's the opportunity ahead of JFrog to become a net consolidator of DevOps spend?
Yes. today, still, we see a lot of room for consolidation, both DevOps side and obviously security side. On the DevOps side, we became the standard setters, but we still not standardized across all our customers. Even in our largest customers, we believe we have not penetrate more than 20%. we still see a lot of point solutions, used. Even in larger organizations, we could see ourself installed next to Sonatype maybe sometime.
Mm-hmm.
Definitely a lot of homegrown solutions. Therefore, we see a lot of opportunities for us to expand even within our customer base with DevOps core. On the security, again, we're just starting, right? Xray became de facto player in software composition analysis.
Mm-hmm.
As we're branching out, there will be a lot of opportunities for us to consolidate point solutions 'cause it's very, very fragmented market. We see our customers installing up to five different point solutions doing the same, and therefore they're not taking action. It just becomes unproductive and unmanageable, all the information. We will see consolidation in that regard as well.
With that, I think we're all out of time. Thank you, Jacob.
Thank you very much.
for giving me an update on JFrog.
Thank you.
I really appreciate it.
Thank you. Thank you.