With JFrog, part of our infrastructure and security software coverage at Raymond James.
Really happy to have the team here. You have Ed Grabscheid, CFO, Jeff Schreiner is the head of IR at JFrog. Thanks for coming, guys.
Thank you for having us, Mark.
Yeah, thank you.
I think what we can start with for people who are newer to the story or maybe sharpening pencils recently, if you could just talk about JFrog's founding. You know, what the founders see, what was the market opportunity that, you know, to go about building a company, and where we are today?
Yeah, sure. I'll start about maybe where the vision was and what they thought about 15 years ago when they started the company, which was around binaries. Nobody knew what binaries were. It's amazing. You had a conversation around binaries. It was, "Oh, you must write code." Well, that's not what it is. It's actually, if you go back to a few decades ago, there would be updates. Those updates maybe happened once or once a year, once every other year. That's when you wrote the code. You moved that into a binary. From there deployed it, and you did the update. You put your USB or the disk.
What happened was, DevOps practices started to accelerate, and they needed a repository to take all of the binaries, organize that, secure those binaries, and deploy those binaries. It became a more complex process. This is why JFrog was invented. They saw the opportunity to manage binaries. It was not a very sexy business at the time. It was the picks and the shovels. This is how the business started. Developers loved it. Today, we no longer have the discussion around binaries. I think it's become very clear that binaries are critical to the software supply chain. This is why JFrog is becoming a very popular tool for developers and enterprises.
More importantly, the enterprises see the value in the binaries, and, we've seen that over the last, three years with, the acceleration and very large enterprises adopting JFrog.
Is there a way, maybe Jeff, you could explain what a binary is for someone who's less technical savvy? You know, I'm sure you get this question a lot, like how do you comfort with JFrog? For someone who's less technical savvy, what's a binary? What's the value there?
Sure. No, no better place to come from than a less technical savvy person, I guess. You know, what is a binary? When you're developing software, a lot of those that have been involved or have a history of developing software are very familiar with source code. That's where a lot of the human interaction occurs, and that's where that syntax that's written that we can all still somewhat read, though. It can be in English, Hebrew, German. We can always read that aspect of it. In the world of binaries has always been kind of opaque because it's this world that's created. I call it the matrix. We're the matrix. We're the zeros and ones that happen after you've created your source code and you hit compile. Now, what's the binary part of that?
The binary part is that of that source code you just built, only 10%-20% of that is combined with then all of these different types of packages that come from outside of your organization to help complete that build. Combined, that creates a software package or a binary. The best example we've always tried to use that I think we all can understand is that software update we all receive on our phone. What is that? That's a binary, and that's what is deployed into the wild and into the field.
Okay, great. Over the years, you guys have evolved, now be, say, a system of record for the software supply chain. I guess, what does that mean? What have you invested in to become that?
Yeah. It's been many investments. The first investment was going from a point solution to a platform in terms of Artifactory. What developers loved in the beginning was that Artifactory as a point solution. What we said was, "We have to further develop Artifactory to become a full platform from start to finish." Now what we see is more than 56% of our revenue is coming from Enterprise+. That's the full platform. This gives you the high availability, it gives you distribution capabilities, a large percentage of our revenue comes from that full platform. Step 2 was around expanding that platform with security. I'm sure we'll talk a little bit more about the acquisition we did in Vdoo, but we have a platform security offering that sits on top of the platform of Artifactory.
The next step is going to be around compliance and governance with DevGovOps, the investments that we made and that we announced actually at swampUP last year. We saw the need as AI was starting to proliferate, that for governance and compliance to become critically important. That will be the next stage, hopefully, and we don't know when this will happen, but the next stage in vector of growth for JFrog.
Okay, great. Nice, nice background. If we maybe give some more background a little bit. Can you talk about the different business segments? You have cloud, you have self-managed, and maybe frame their respective growth drivers for those areas?
Yeah. We had a terrific year in our cloud during 2025. We came into the year with some, you know, hope that usage would come back to some of the levels that we saw maybe pre 2024, 2023. We saw extremely strong usage. We delivered 45% growth in the cloud. We saw a very diverse set of our customers using over their minimum commitments and will continue to drive usage through expansion in our commitments and also those customers that continue to use above their minimum commitments. We monetize that through storage and through data consumption. The other side is the self-hosted that you talk about. Self-hosted is monetized through the number of servers.
We don't monetize on developer seats, which is a lot of concern that we hear in the market with those customers, or companies that monetize off of developer seats. We're actually defendable against that because of the way that we monetize on the self-hosted with many of the AI labs today choosing to go self-hosted. We're still well protected with the growth that can happen through the number of developer, I'm sorry, through servers. Then security on top of that. Many of our customers choose security. Security, even if you are a self-hosted customer, most of the time, and the majority of the time will be deployed in the cloud. This way it's constantly updated, and they have the latest versions.
How do you think about the growth in margins today versus maybe where you're going longer term?
We're a growth company at heart. We're very much focused on top line growth. That goes without saying. The nice thing about that is we continue to make smart investments. We made the investment in Vdoo. That expanded the platform with security. We made the investment with Qwak, with expanded the capabilities that we have with large language models and AI capabilities. We're investing, as I mentioned, last year we announced it, in governance and compliance. Clearly we're investing in the right areas, and we have a discipline within the company that allows us to really balance those investments, with the growth. Inherently we're seeing expansion in the margin. Now, I will tell you, I'm willing to give up a couple points in the margin if I'm going to drive incremental growth.
we have a very good balance, and we continue to deliver very strong rule of.
Forty
50. Rule of-
Rule 50. Yeah.
As a company. We're very, very strong. We would consider, you know, slightly shifting in terms of the margin in order to generate growth.
Yeah. I'll just add to that. Ed and the finance team and the way we look at things, I think that we try to use the framework that I just talked about. The Rule of 40 is a driver for us, and you balance that between growth and margin to equate that out.
Yeah.
Okay. I think, Ed, one of the most important things or big things you did when you took the seat as CFO was this change to guidance philosophy. Can you talk about the change, why it happened, and also what is your philosophy today?
I'm stepping into year three of the CFO, but I'm almost seven years here at the company. I have a lot of history. I took the company public as the VP of FP&A, and so I have a real deep understanding of the guidance process and where the company has come from. There was tectonic shifts in what happened with the company. Three or four years ago, a $200,000 deal was a big deal. If that got pushed, you had several other deals that you can, through negotiations, pull into the quarter.
Mm-hmm.
It was less of a threat to a miss in the quarter from a revenue perspective if you have smaller deals or large deals pushing out and smaller deals to replace that. We invested heavily in the go-to-market to become an enterprise company.
Mm-hmm.
When you do that, takes a little bit of time, but gives you the opportunity now to have seven and eight figure deals. We had 3 of the largest deals in the history of the company close last year. When those type of deals move, regardless of dollar million deals in your pipeline, those are really hard to cover. This prompted the change in our guidance philosophy. What did we do? Q3 of 2024, I made a decision to shift our philosophy where we only guide on commitment. What does that mean? It means we guide you to what we see from a cloud commitment. We exclude anything that has usage over the minimum commit, regardless of how strong that usage has been in the prior quarter. We also exclude our largest deals.
Many of these deals are deals that have security added to them or deals that are moving from self-hosted to cloud as a migration. If those come into the quarter, those would be benefit and upside from our guidance.
Maybe thinking about 2025, you had this growth acceleration throughout the year, the magnitude of the beats were getting bigger. I'm just thinking about if we turn the calendar to 2026 and you're kinda maybe a new investor looking at the story.
Yeah
maybe should they be more grounded in, you know, looking, like, carrying over what happened in 2025 into 2026? Then is it appropriate to kinda see your guidance as a floor?
for 2026?
Yeah. Yeah, that's exactly it. I think you hit on the point in the discussions that we've had. We are establishing a floor in the guidance. This accounts for any of the volatility from usage. We're seeing emerging usage trends in AI. Those can flex up or down, so we wanna protect ourselves from this up and down usage. We're also accounting for some of the uncertainties around these large deals and the timing of those large deals. By establishing a floor, it's a very similar playbook to what we did in 2025. Any of the outperformance is going to be driven by two factors: usage over that minimum commits and also large deals and the timing of those large deals and to when we close those deals. That would generate outperformance.
The point was we set a floor, and this accounts for any of those uncertainties, and we would expect that that floor would be the minimum and it would only be upside from there.
Okay. Maybe one of the key things people are looking at for 2026, what happened 2025, is your security business. Since security was 10% of ARR last year, doubled the percent from 5% in 2024. Maybe Jeff, if you wanna chime in here to start. You know, what's driving such rapid growth for Curation and JFrog Advanced Security? Then maybe Ed, if you could chime in. Like, how do you think about security's contribution in 2026?
Sure.
Also.
Thank you, Mark. I think the best way We have presented to you guys to give you an idea of how. When we talk about security, understand that we have various aspects of security. The tier zero or the very basic level of security that's included in our enterprise subscriptions and even our base subscriptions now is the utilization of software composition analysis through our tool called Xray.
That's one way that you can utilize security in the JFrog platform. We think it's the most basic way of protecting yourself in terms of vulnerabilities from outside the organization. We developed, with the acquisition of Vdoo, two additional security products that are sold as add-ons to our platform, so they're incremental contributors to our overall growth and in the revenue profile. Those two products, I would say up to about Q3 of 2024-2025, were roughly 50/50 in terms of deployment and pipeline. The one product I'm talking about is Curation. That is more of a firewall product. It sits outside your IDE workstation. The other product is more of a software supply chain.
Let's look at one as protecting the castle, the wall around the castle, then the other one protecting the inners of the castle with good citizens maybe gone bad. However, we benefited in 2025, and certainly I think it's more of a benefit for the enterprise awakening, to the realization that the attack vector, something I've been talking to you guys about for a year, a year and a half, as to why we have a right to sit at the table for security, has changed. Why has it changed in our mind? In the second half of last year, you had one of the largest open-source repositories, one of the most widely used software packages that are brought into organizations from the outside, hacked in a very sophisticated, malicious way.
It really awoken the enterprise that having this Curation product, which since this incident has seen a strong demand of not only deployment, but Ed would tell you that it's very strong still in our pipeline.
Yeah.
That's because I can set a centralized policy outside my IDE that says, "Only these repositories and these packages are allowed into my sandbox," so to speak, from which I can play. I'm sure we'll talk about this in a minute. It's setting the rules of what the human or the agents can utilize in my organization.
Mm-hmm.
Advanced Security is doing more so on the software supply chain and ironically, it covers seven-point solutions in terms of seven different technologies all in one. There's been three that really drive that, and one of those is secret detection. Lo and behold, that's something that's been done in source code for 20 years, but we've been able to demonstrate that we do it better. Another is contextual analysis, and that's akin to what others are maybe trying to do more runtime in ASPM where I have all these vulnerabilities. Okay, well, so what? If my house is locked, is the vulnerability in the kitchen really a concern, right? Then finally, container security, and those are the three kind of driving the interest. I think that...
I'm sure it's coming, but the focus on static code analysis, which is included in Advanced Security, we had zero contribution from that in 2025 and zero in our pipeline today, and that was really more of a table stakes inclusion. Also, as Ed would tell you, that if I'm going to the CISO and asking for a budget from SaaS to replace maybe something in the software supply chain, I still kind of need to say I have it if you needed it, right?
Mm-hmm.
Much more so where you've seen that taken into our business is through the relationship with GitHub and them doing kind of their Advanced Security in the source code area, our Advanced Security in software supply chain, and then you, the CISO, get to view both sides through one pane of glass, vulnerabilities and remediation, and then replace 8-10 tools over time. I think both have their own uniqueness. I like to point out to investors that Curation's more like the caffeine high, right? Because it's out here, and I have to put immediately more developers behind that to interface with Artifactory right away.
Advanced Security is something that I'm taking over, let's say a three-year contract, I'm replacing maybe one, maybe two tools each year. There's built-up step-ups in terms of my subscription for that tool, I'm of the belief, and we'll see, whether you even have some of our customers in their first three-year agreement replace all those tools. You have a much more long-tail impact of something that is going to be a multi-year trend that's just starting to unfold.
Yeah. One of the reasons we gave the metrics that we did, the percent of ARR and the RPO, was to kind of give insights into
the penetration that we're seeing with security. We committed to giving updates once a year. I don't necessarily provide guidance around what my expectations are for security, but we clearly have demonstrated great momentum, and we would expect that momentum would continue. Jeff alluded to it, what we're seeing, the groundswell, and I can only speak on the pipeline, but the groundswell in the pipeline, if we're able to convert on all of those opportunities, we would continue to see very strong outcomes in our security products.
Maybe continuing on what Jeff was talking about, Claude Code Security, February 20th, you know, caused kind of a shockwave through the cybersecurity industry. JFrog was picked on heavily that day.
or at least that afternoon. Maybe if you could just kind of set the record straight. I know your CTO and co-founder had a great blog post on this on the website. Maybe if you could summarize what is Claude Code Security going after, and why is it different from what JFrog does?
Sure, I'd love to. I'm surprised it took us so many questions to get to this. To... Okay? In the environment we're in. Yeah, you know, this is very akin, everyone, to an announcement we saw before our third quarter results, 1 week before our third quarter results, in which OpenAI announced a static code analysis tool, a scanner of source code, okay, called Aardvark.
There was some disruption there. There's been disruption since this announcement for us and others. Even network firewall-type companies were pulled into this. However, I think you need to look at things in a certain way. I think a lot of what's being discussed today somewhat has been litigated in the past and also takes a step back from where we're heading to. What do I mean by that? Well, first, I think that when I started here four years ago, the battle I was facing with many of you was that there was a certain company that built source code, and they were just gonna move right in and mud stomp JFrog because binaries are just the next thing you take out, and it's very easily done.
I think that there were bigger companies to the left of us at that time, four years ago, and if that was to be the case in how enterprise wanted to work, I think you would've seen that play out. A lot of my discussions today, I've tried to highlight to people that that's a very good point that you're bringing up, but you're starting to talk as if I'm going to go from consolidating point solutions to back to adding point solutions around my architecture to supplement what Claude may be doing. I think you referenced Yoav's blog. Thank you, because I think for all of us non-technical people, Yoav was able to put out some examples that I've been using that I've found maybe set that light bulb off for everybody.
I think some of the differences we have to think about is to assume that the enterprise is going to allow the person who wrote the code, be it machine or human, then to approve that code. That would be akin to us. You know, we look at the agents as lawyers, and that would be akin to the two lawyers both being the judge and then trying to overrule everybody's. It would be complete chaos, right?
Right.
What's a courtroom without a judge?
JFrog is the judge that says, "Listen, Mr. Lawyer, do your brilliant thing, but there's rules in my courtroom, my corporation
and you can do your thing inside those rules." As it relates to security, think of it this way. We all use Claude. I love it. I'm not that intelligent, but I can get around it. I'm sure there's ninjas out there that can do amazing things with it. Imagine, God willing, that you were a company that decided to secure your software with Claude and there was a data breach. We're in the courtroom and the judge says, "Well, can you show me the governance checkpoints?" "Well, no, sir. I have right here in my Claude chat that Claude fixed it." That's not going to work. You're going to have to have the governance checkpoints shown before that application was deployed. I'll stop there and I'll leave you with this, because I think this ends, in my mind, some of this discussion.
We believe that we are the market leader today to become a system of record for AI and AI companies.
Yeah.
Whether it is us or someone else, there will be a system of record, end stop, point blank. The guy writing the code will not approve the code, I think that's really where that argument kind of loses its oomph.
Gotcha. Very well said. Maybe if I continue on that one time and keep going a little bit. Governance you mentioned.
JFrog AppTrust.
Yep
you know, came out last year, I think.
Yep.
Ed, you mentioned that earlier.
Could this be a breakout year with the thought of what you just said with governance importance for security and using AI tools?
Yeah, we just released our governance, AppTrust. It's the product. It's a baby product today. We're starting to build the pipeline of that, and we're starting to see some good traction around that. Even maybe, having some of our customers, using that in a POC. I don't build anything in terms of a baby product yet into the guidance, so if there's an opportunity that this does break out, it would only be upside to what we've already guided at this stage.
Okay. maybe, Ed Grabscheid, you just had your sixth consecutive quarter of 40%+ RPO growth. very impressive.
Thank you.
This is despite having people concerns with A.I. absorbing-.
Yeah
software budgets. It doesn't seem to be happening with you guys.
Yeah.
I guess explain why is JFrog not seeing this AI eating seeds or absorbing software spend?
Well, first, on the seeds part, we're immune to that just based off of the way that we monetize. Secondly, this was a strategic move. This didn't happen overnight. This is part of what we did three years ago with going towards the enterprise, bringing in the right sales personnel to be able to execute on that, but also being driven by those enterprise customers and the demand to have multi-year contracts.
When they're making a commitment to JFrog, and if you look at the gross retention rate that we have, 97% gross retention rate, once they make a commitment to JFrog, they do not churn. Therefore, they want to increase their commitment over time through either a larger commitment with Artifactory and the platform, adding security on top of that, and they don't wanna go back to procurement. They certainly don't wanna come back to the office of the CFO and ask for more budget, they prefer that the negotiation be a multi-year negotiation with step-up functions, securing pricing to eliminate any inflationary changes, and make a bold commitment to JFrog. This is their way of securing the value for multiple years, and it's reflected in our RPO.
Of course.
I just wanna add one thing, Mark, that I was thinking about, that you're talking about the impact from AI and how has that been impacting our business. I don't think that you're really seeing that type of impact come down in terms of JFrog because of the fact that while JFrog has remained the infrastructure player at a lot of companies, we've seen what happened. The plumbing stays the same because you don't wanna rip it out of the wall. The sink might change, and the sink's been changed in the last 16 months three times, if I think about it. It's easier to move the sink than it is to rip the plumbing out of your wall.
I think that that's one way that I try to help people think about things as well.
Yeah
is that, you know, that's also something that maybe impeded us earlier on, that the growth was slow and incremental because I didn't want to make the wrong decision about my plumbing and then have to rip it out.
Yeah.
We're very sticky, and we're sticky because of the fact that we're at that infrastructure layer, the plumbing of your organization.
All right. I'm gonna ask one more, then maybe open up for audience questions. I guess there was a report last night that OpenAI might be developing an alternative to GitHub-
Yeah
... who is one of your close partners, but you've also done well with making inroads with the, you know, AI natives. I guess could you talk about what a new code repository from the likes of OpenAI could mean for JFrog?
Well, It's source code.
I think what it would mean for JFrog is just someone else to work with, another too integrated to fail partner. It's not lost on me, Mark, that we have currently the two companies that everyone wants to talk about. You have one that has now had a kerfuffle with the government, and another now having a kerfuffle with their owner, the person granting them free cloud. I think this is more of an impact of what would happen in the source code world, and Does the sink change is more of this type of an impact. I think it's really, again, related to something that's been done since the beginning of software, the creation of source code.
That's where the most human interaction has occurred, and thus, I think that's where the disruption is happening the most of what machines are really doing, learning our language, writing it better.
... doing the job better.
Yeah.
Before we go to the questions, I think Jeff said one thing that was very, very smart, is that JFrog has universality and that anything can integrate with the system of record. We are the heart of the software supply chain, if it's GitHub, if it's Atlassian, Bitbucket, if it ends up being Claude or OpenAI, they all have to integrate with JFrog, and this is what's important. The market shifts and who becomes the application that's being used for the source code, they will have to integrate with JFrog. That was the value proposition, and this is the moat that we create, the technology, the number of languages we support, the universality, the multi-cloud capabilities, the hybrid.
All of this is what creates the value for JFrog, and this is why we feel very much like we're defendable against AI.
Yeah. Well said. Are there any questions from the audience? Okay, go ahead.
Just on trying to understand Xray and Curation, can you maybe just describe what exactly do they do in terms of how they verify, how the rules involve, like, is somebody at the company writing the rules, or are you writing the rules, or how does that kinda work?
I can take that for you. You're comparing... The question was, can you compare software composition analysis and what Xray does and compare Curation? I think with the recent npm event that we saw, it kinda can give you an idea of what happened, because we had customers that had Curation deployed, and some of those customers, I could quote one that said, "You saved my Thanksgiving." We had some that had Curation deployed, but the policies, as you noted, I'm the CISO writing the policies of what repository I will allow Curation to point to and what packages you should be examining in those outside repositories, outside my organization, before you bring them in.
If I didn't have my policy set up during an npm hack, even though I had Curation, I might have then had to use Xray, and we still think you should, as a good practice, use Xray, even if you've said, "I'm only allowing these four packages into my organization." What was done before Curation will probably answer this question for you. Curation was product driven by our customers. Why was that? Before Curation, you did it 1 of 2 ways. You either brought in every package and scanned it with Xray and then felt you were covered in that sense, or you brought in 0 packages, did the build, and had to request an approval and hope that that package was approved by the time you completed the application build.
Our customers came to us and said, "It would be great if you could create some type of centralized policy, a firewall, that would allow me to control centrally what my developers are even able to access." That's why Curation is a tier above what SCA and Xray really is doing. There's many people that do SCA at Xray, okay? Curation was one of a kind.
What exactly does Xray do? Just how do they verify?
It's a decomposes. It like, What's that called from the package? It's opening the package, it's looking at the package for its contents. It's looking at what version is it? What's included? Is this the latest version that I'm supposed to be using? It's trying to examine and kind of, you know, take apart the package, then reconstruct the package to make sure that is in fact the package that I am trying to use, and that it's not a, have a known vulnerability that has been documented.
All right. I think that's all we'll take, but we will have a breakout in Cordova six downstairs to keep the conversation going. Before that, Ed and Jeff, if there's anything you wanna use in this last, few seconds here.
Yeah
... as to kind of bring it home.
Yeah. We've got a few seconds left here. I'll say a lot of distractions right now. The whole landscape of DevOps is changing, DevSecOps. We remain very focused. The situation with what's taking place and this chaos outside, we remain consistent and focused on our objectives. We'll deliver durable growth. We're gonna continue to focus on the fundamentals. We talked about the rule of, this is a guiding principle for us, and the balance between the profitability and the growth will certainly be something that we look at. Again, we'll remain very focused on delivering and executing during 2026.
Thank you, Ed. Thank you, Jeff.
Thank you, Mark.
All right. Thank you.
Thank you, everyone.