Okay, let's get started. Hey, everyone, I'm Pinjalim Bora, software analyst at JP Morgan. Delighted to have here with me Jacob Shulman, CFO of JFrog. Jacob, welcome to the conference.
Hi, Pinjal, and thank you for having us at the conference.
Let's start with a little bit of an intro, maybe about yourself and you know, briefly about JFrog.
Absolutely. I joined JFrog about five years ago. Was really small company, but already efficient in generating cash flow, which was unusual back then in 2018. What attracted me to JFrog was I saw a significant business opportunity for DevOps adoption. Back then, they already were making significant adoption by large enterprises, and that market has just continued to develop nicely for JFrog. JFrog for kind of, maybe kind of step back, we're in a DevOps space. Our vision is to enable speed, and security when people release software. Our vision is Liquid Software to enable seamless flow of software from developer keystrokes all the way to devices.
Kind of stepping it down a bit, every company that releases software has to go through multiple steps and today, many of those steps are siloed, manual, and inefficient. Most of the people know software engineers writing the code and software running on machines. What in between is the huge industry full of those manual and inefficient and vulnerable processes. JFrog built a platform to streamline all of that and automate. Main value of JFrog is automation. Every company that releases software has to go through the steps of converting the source code, which is people language, into machine language as binary. Machines don't understand English or any other language. Machines understand ones and zeros. Every company that goes and wants to release software has to build those and convert people language into machine language, into binaries.
To integrate open source, and today 80% to 90% of the applications comprise of open source. Even to test software, you need to build binaries. The next step would be to secure this application and physically deliver binaries to those machines that will be running the software. That's what our platform does. Basically, we're focusing on software supply chain, which is primarily flow of binaries, and we automate this flow.
Yeah. Thank you for explaining that. That helps. I get a lot of questions on.
Sure.
What is binary?
Yes.
To start off with. Your core product is artifact repository.
Right.
Another words of saying repository for those binaries.
Mm-hmm.
Right? Help us understand what is kind of the alternative to it, right? Software development has existed for several decades now. What is the alternative to using artifact repository? Has DevOps been a catalyst for, you know, people to choose a platform, something like a JFrog?
Yes. Again, coming back, source code has been managed for like 40 years, and JFrog was a pioneer in binary management. What happened in the last 10 years that required people to adopt tools like ours? There are several things that happened. First of all, change in architecture. People used to build monolithic software. They would write millions lines of code, will take them about a year, will take them about another 6 months to do QA, and maybe they will release it once in 2 years. That's completely changed. No one builds those monolithic software anymore. People use microservices, so significantly increased velocity of software creation. Use of open source. Today, as I said, 80%-90% of your application is written by someone else.
Company that wants to use this open source, bring it in the form of binary packages. Docker, right? Another change in technology that use of containers and containers form of binaries. People used to write or developers used to write on their resume, "I'm a C++ developer. I'm a Java developer." No one does that anymore because today, developers call themselves, "I'm a full-stack developer." Multiple different technologies emerged to perform different development tasks. For all of these technologies, it's different forms of binary files with different forms of executable files that build. What historically has been done is that the company that would create this technology as a byproduct would also offer open hub or open source repository for this type of technology. Docker is a great example, right?
Docker invented container. Docker Hub was open source repository for this type of technology. Historically, what companies have been doing, they built homegrown solutions to kind of try and automate and build those connections between open source repositories. JFrog came to this world and said, "Instead of managing multiple open source repositories, let's create one repository that will support all of the technologies and will be your system of record for all of the software that was created internally or brought into your organization externally." For example, one of the large companies that standardized on JFrog replaced more than 1,800 repositories with one. That gave them significant control over what to build. Just think about it as like. If someone does not log into Salesforce, your interaction with the customer, you don't have visibility into what the pipeline and what's the engagement with the customer.
Same kind of idea for us. If your developers don't build against Artifactory, you lose control of what is built. The Artifactory basically became the only system of record. Because binary files, they also include a lot of metadata about how it was created, what kind of license it includes, what kind of tests it gone through, what kind of dependencies are there, it also became your database of DevOps, so you could automate a lot of processes based on this metadata. That's why we see people kind of use this as a central tool for the automation of all of their DevOps processes.
The value proposition is you're removing the need to manage a lot of different repositories, you're removing the lot of people that you would need to manage those different repositories.
You also automate different tasks that developers... They want to be creative and write the code, but today they need to do more technical stuff and the background and administrative stuff to manage the software release process. For example, developers use open source, and open source is kind of hosted in open source hub. None of the organizations want their developers to go to open source hub and search for different open source components. Who knows what kind of vulnerabilities they're gonna bring in. Artifactory would serve as a proxy for that. Organization would define a framework, what open source hubs could be approached, what kind of security framework could be built. Instead of thousands of your developers going to this, Artifactory does it automatically.
There are, if you have multiple teams in different geographies, you want all of your developers to work against same set of assets. Artifactory would do automatically replication and all that. There are a lot of things that today or maybe prior to Artifactory were done manually by developers on administrative side, today is replaced by Artifactory automatically.
Clearly you have a kind of a critical position in the...
That's right.
DevOps, life cycle, right? We think you're saying system of records for binaries. There's a system of records for source code, which is the Git repository.
Mm-hmm.
Let's say. When we look at Artifactory, we don't really see much competition, right? You have Sonatype Nexus, but other than that's also pretty small. There is not much competition. Why is that? What is so difficult in creating this repository?
First of all, you're absolutely right that Artifactory became de facto standard. Today we really penetrated into largest organizations, 89% of Fortune 100, majority of Fortune 500, significant portion of Global 2,000 are customers. It's a combination of our first kind of mindset. We're strictly focusing on binary management and software supply chain, which is primarily flow of binaries. We were able to build a very strong and scalable technology. You know, competition, as we think of competition, it's comprised of several tiers. First one, we talked about it, homegrown solutions. Second, there are companies in DevOps space.
Sonatype is one of them, but we also know that some of the source code, kind of companies put on their roadmap, they want to build some sort of binary management capabilities. Finally, we look at large clouds. First of all, large clouds, they very good partners of ours. We have mutual go-to-market programs, et cetera. All of them have container registry. Container is form of binary. We believe that clouds have slightly different KPIs than ours. Their KPI is how much traffic or compute we generate on their system. Our KPI is how we enable our customers to release software quickly and securely. We generate a lot of traffic, they partner with us, but they also want to be close to developers.
They tend to focus on solutions that optimize for data transfer, and our technology stack is much wider. We support not just containers, but various variety of different technologies, above 30 different technologies. Even to build container, you need several technologies. We support in that regard. We also offer security. There are two major differentiators on the business side that will be, we believe, always in our favor. One is hybrid. None of the clouds can offer hybrid capabilities, and we believe that all enterprises, especially large enterprises that have significant on-prem capabilities, it will take them years to get fully to cloud. Many of them will remain hybrid for any foreseeable future. Second, differentiator is multi-cloud. None of enterprises want to be just, let's say, AWS shop or Azure shop.
All of them talking about multi-cloud capabilities and us serving as a kind of Switzerland in that space, and we believe it's a competitive advantage.
Let's talk about this critical position and how that helps you in the security side, right? Is there an inherent advantage to control that system of record for binaries that gives you an advantage to secure those binaries?
Yes. Our platform is focused on main asset of software supply chain, which is binary. If you think of all this flow from developer keystrokes all the way to the device, it's primarily flow of binaries. Therefore, hosting those binaries and controlling those binaries actually puts us in advantage to be able to secure those. Now, DevSecOps area is kind of new area that's evolving. A lot of endpoint solutions, many of them coming from different angles. Some of them focusing on static analysis, dynamic analysis, container security, runtime security, software composition analysis. What's common in all of them is that all of them integrate with Artifactory because they need this metadata, this data about the binaries, about the software that organization creates and uses to build application.
We believe that native integration with our security solution, with Artifactory, and the fact that we have visibility across the entire supply chain, not just one kind of area, but the entire flow of binaries, also those that even running in production, that gives us much better visibility and superior capabilities in that regard.
Interesting. You entered the security space with Xray initially.
Correct.
Now you have launched the Advanced Security-
Yes
... which is further leaning you into the security space. Maybe talk about that difference, right? What does Xray provide and what does Advanced Security provide?
Absolutely. You're absolutely right. Our Xray was the kind of first step in the security space. If we own the repository and all kind of binaries, control them, then it would be natural for us to secure them. Xray was our tool in software composition analysis. What basically it does, if your organization uses open source and Artifactory, we talked about it serves as a proxy of this open source repositories. When you bring your open source component into organization, Xray would scan it and will be able to identify whether the component is vulnerable or not. It also has capabilities of breaking even containers into different components and say not just this container vulnerable, but containers many times comprise of different layers of different packages.
It will be able to tell you what package in the container is vulnerable, and you could apply different policies, whether you could alert that or you could block Artifactory from bringing this component to your organization, et cetera. That was first step in this security, for the security core. Over time, I think the practice became that all of the steps throughout the software creation process needs to be secure. It's if you release hundreds times a day, and one of our customers, Broadcom, presented at our analyst day in February of last year. They said publicly that they release more than 6,800 times a day. No one, no CISO in the world can support this cadence of releases manually.
Security practitioners understand that all of the security steps need to shift left and be introduced at earlier stages. There is no way a CISO could be with the switch off and push down on developers at the end of the process. That's what brings the entire industry to the software supply chain, where every step in the process needs to be released. Our JFrog Advanced Security was our attempt to move, kind of, and create capabilities across this entire software supply chain. We created capabilities more toward source code, static analysis and secret detection, et cetera, and more toward runtime with contextual analysis, et cetera. It's our first product that was released.
It was released on SaaS back in Q4 of last year, made available for on-prem customers in Q1 of this year. We have rich roadmap and few additional products will be released this year. We'll continue to evolve this. Again, I think everyone understands that all of the steps needs to be secured for the entire software supply chain. No one today has this full end-to-end capabilities. That's why we believe JFrog is well positioned to capture this market.
Yeah. Before I go further, is there a way to understand kind of the mix of the business between-
Mm-hmm
... your binary repository and security?
Yes. Xray today sold as part of our kind of DevOps subscriptions because it's essential DevOps capabilities and therefore, vast majority of our business comes from DevOps component. Our, again, our platform comprise of three cores: DevOps, Security, and IoT. We haven't spoken about IoT yet, but it's like a smaller component. Maybe we'll touch about it later. Almost all our revenues coming today from DevOps and including Xray. JFrog Advanced Security, just because it was launched just recently, it's very minor. We have over 15 customers in production. But we believe that contribution from JFrog Advanced Security and from Security Core will be meaningful in 2024. 2023 is year of first adoption, kind of, seeding the planting the seeds in the ground.
In 2024, when time comes for renewals and kind of decision-making on standardization, that's where I believe JFrog Advanced Security will become material.
Within that DevOps, what's the Xray mix? It's like 25% is like a good guess?
Again, just because it's not sold separately, it's hard for me to put the dollar number. I could tell you that about half of our customers have access or have access to subscriptions that include Xray. About two-thirds of those customers actually using Xray in some form, or they're using some policies or some running some scans, et cetera. Not everyone uses that, but a majority of customers who have access to Xray uses Xray. Adoption of Xray continues to increase.
That's great. Now on Advanced Security, that seems like an interesting product that's coming out. It's a product cycle. You launched it in cloud initially-
Right.
late last year. You said you launched in on-premise or self-managed recently. First of all, what is the applicability of Advanced Security across your customer base? Would you say, you know, it's applicable 100%, 50%? You know, how should we think about that? The other part is you're basically saying that it will be a tailwind in 2024. Is that correct?
Yeah. First of all, Advanced Security requires Xray capabilities.
Mm.
Therefore, it's only applicable today to customers who have Xray in their subscription. Obviously, because JFrog Advanced Security has significant capability, we also see customers adopting more Xray because they want to have JFrog Advanced Security capabilities. Second, no CISO in the world will replace their tech stack in 1 year, right? Therefore, what we're seeing right now is that those customers who went in production went with the base starting package of JFrog Advanced Security because they want to try it in live production on a small subset of the team to compare it to existing results, to make sure that, you know, the, the flow is comfortable and all that, and then they will be making decision on standardization. Therefore, we believe it's more 2024 story.
Yep. Okay. Got it. I want to switch gears a little bit, and maybe talk about macro. You know, that has been a consistent theme across software nowadays. You kind of saw a little bit of a better cloud consumption trend, it seems like in Q1.
Yes.
Q1 results were really good. How do you kind of characterize macro or the cloud consumption trends going into May, into, you know, at this point when you're talking to customers?
Yeah. Our expansion for SaaS customers kind of comprised of two components. One is actual usage and transactional, and that's cloud optimization and all that, the kind of headwinds that we faced initially in the kind of second half of last year. Those subside. We talked about that the quarter started kind of very similar to December, but then in March, we did see that the actual usage of our customers across broad base increased. Second component of expansion for our SaaS customers is migration of on-prem to SaaS. That's where the judgment involved and the budget constraints and we continue to see some headwinds in that. Some deals pushed out, even one customer got through POC and then they needed CFO approval or someone from kind of higher level, that got pushed out.
On the other hand, we had deals that were pushed out maybe two quarters ago, did go in production. We gave this example of, one of the large wins in Q1, Wix, which will transition from on-prem to SaaS just because they realized that the business should be supported by much more robust infrastructure, and they decided to actually move in production despite the project being delayed for a quarter or so.
Yep. Yep. Understood. Okay. One common topic again is obviously this two-letter word called AI. It is kind of taking software development by storm, starting with Copilot. We're hearing more and more of CodeWhisperer. ServiceNow has its own LLMs nowadays. We're hearing more and more of this, right? There's no doubt for everybody, I think, are thinking that, okay, this will increase productivity-
Correct.
for software developers, which likely means they will develop more software as well. The pace of software development will increase. How do you see kind of generative AI, is that, you know, is it right to think it could be a big tailwind for JFrog as that pace of software development increases, pace of binary increases, you know, you need more usage of JFrog?
Yeah. Generative AI is more kind of language models, right? Again, we start this discussion that developers create or write code in people's language, and what we manage is machine language.
Yeah.
Right? Definitely is the fact that developers will be more productive in creating code, which eventually translated to more software being built, and that means more binaries, right? We believe it's a tailwind for us. Someone who will be using generative AI and will not have robust infrastructure for binaries management, so that will be their next bottleneck, and they will have to adopt product like ours. On our own product set, again, we're managing machine language and generative AI is less applicable. What it is applicable to is to provide more. In general, AI is applicable to provide more insight in terms of security, analyzing different trends and data sets, maybe insight into what open source components better to use.
Those kind of ideas that potentially will be implemented in our product.
Yeah. Understood. You. Again, switching gears, you recently talked about a long-term model.
Yes.
Which was very interesting to see in Q1. It's, it's an ambitious model. I think you're talking about a 23% CAGR over a five-year period. I'm curious why now? Like, why now? Why the, you know, the timing? The macro environment is still uncertain. We don't really know. What are you kind of embedding, you know, some of the assumptions as you build that.
Yeah
multi-year model?
The model itself is not new. There are two new pieces of information that we added. One is what revenue levels required to achieve this model, and what's the timing. Anyway, we'll ask these questions, and we actually never provided our own stance on that. What we realized, it led to a variety of different views, how JFrog would look like five years from now. We understood that we need to provide our own view, how we see this business developing, what we target. Some may agree, some will not, may disagree, but at least we thought that we need to provide our view, how we think about it. Macro is cyclical, right? I don't think if I provided it in 2021, I would have been in better position today, right?
That's why when we think about it, we think about long-term trends and what kind of secular trends that we see will continue for five years and will be catalyst for growth. The trends that we thought about was, one is the platform adoption. We continue to execute well in moving customers and customers adopting our platform. About 10% of our customers transition to the platform, and the platform generates 44% of our revenues. It's growing over 50% year-over-year. We believe there's going to be a long-term trend of customers adopting our platform, and therefore it should support our growth in this 5-year period. Second long-term trend that we consider was SaaS adoption. SaaS adoption is beneficial for us. Our SaaS customers expand faster. Typically when customer migrate...
Still majority of our customers on-prem customers. When on-prem customers migrate to SaaS, we see significant upsells. On average, 50%-80% upsell. There are some exceptions where gave few examples where entry-level into the platform customers, $120,000 on-prem transition to even over a $1 million customers for SaaS, because they typically use this opportunity to adopt new capabilities across multiple regions. SaaS adoption trend will be long-term trend. If two years ago, none of the big banks thought about cloud, they now making their first steps to transition to cloud. It's going to be long-term secular trend that will last for this period. Lastly is security. We established ourselves as leader in binary management and DevOps side.
We launched security capabilities, we see that the adoption and platform play in security resonates with our customers. They cannot manage sprawl of these point solutions that provide multiple false positives, unmanageable, inactionable alerts, et cetera. That security piece should also be material component for us to achieve this long-term targets.
Does that also include any kind of new products, as you're thinking through that five years?
Yes. Over this 5-year period, we will add more capabilities on the security core. Absolutely. Some of these capabilities will be introduced this year, and some of them over the course of this 5-year period.
And, and-
Finally, maybe this is the appropriate time to talk about our IoT, which is small component today. If you think about those billions of devices that needs to be updated, and just think of driving cars and manufacturing robots and medical devices, right? Today is completely a siloed process. Will this industry evolve to more automated updates and over-the-air updates of the cars over the next five years? Absolutely, yes. That's another component which we planted seeds two years ago with acquisition of Upswift. We believe that this trend will expand in the next five years.
Understood. That was a great plug on IoT.
Yeah.
Yeah. Any questions out there?
Sorry. Within security, who do you see as the competitors you're looking to either displace or-
Yeah. Security comprise of several kind of areas of focus. Static code analysis, dynamic code analysis, software composition analysis, container security, runtime security. There are a lot of different point solutions that address those capabilities. Typically, we would see customers deploy multiple point solutions next to each other, up to 10 different solutions. The vendors that we'll typically see would be Snyk and Black Duck and Veracode and Mandiant and Aqua and Twistlock and Sonatype, those kind of vendors that we typically see in this environment.
Thank you. How would you describe your gross margins for the DevOps piece and then versus security then IoT? Can you talk about the growth rates with all three of those different groups, if you would, please?
Yes. Our gross margin, again, today, primarily, vast majority of our revenues comes from DevOps core, right? Security was just launched, too soon to talk about security gross margins. On DevOps core, our gross margin's really dependent on type of deployment, whether it's SaaS or on-prem. For on-prem deployment, we have very high gross margins, like in 90% range. For SaaS, we have kind of margins comparable with SaaS companies, let's say mid-70s, something like that. The mix of SaaS versus on-prem, that what impacts our corporate gross margins. So far we've been like in low 80s, around 83%. In the long term, we believe that cloud revenue will continue to grow as a percent of total revenue, and therefore will be converging toward 80% gross margin overall.
Can you remind the group what %... Like, how many salespeople do you currently have, and how do you think about sales in the next 12 months?
Yeah. Historically, we've been growing through insight and inbound. That's how our product, Artifactory, got adopted into even largest organizations by just developers adopting the tool. Over the course of my life, we evolved our product and added security capabilities and build a platform. Today it touches multiple persona within enterprise. That's why in addition to inbound, we started building kind of inbound and bottom up, we started building top-down capabilities. About, I wanna say just before the COVID, we started building strategic team and then COVID happened, we paused it, but we now have a strategic team that touches C-level because selling platform is more holistic approach to the digital transformation of the enterprise, and it's more C-level decision rather than just developer decision.
This team, already several tens of people, but it's not just quota carriers, but also high touch support. It's also product marketing and kind of field marketing. We also started investing into partner programs and partnerships. Again, economics different for partners when you sell full platform versus just $3,000 Artifactory. Finally, we invest into our co-partnership with clouds. We've seen great success in that. We work with all three of them. Today our marketplace business is roughly quarter of overall SaaS business.
Okay.
The gross margins on the security and IoT pieces, are they materially different at all? Would you expect them down the road to be materially different?
This is again, the IoT is just a very small piece in security. It will be more driven by the type of deployment rather than what core is used.
Okay. I guess we are out of time here.
All right. Thank you very much again.
Thank you so much for the time.
Thank you. Thank you. Thank you.