Hey, everybody, welcome. Thanks for joining. My name is Koji Ikeda. I am one of the software analysts here at Bank of America on the software team. I am super thrilled, as always, to have JFrog CEO, Shlomi Ben Haim. Thank you so much for doing this. I appreciate it.
Thank you for having me.
Yeah, of course.
Thank you.
Of course, just to start off the conversation, I always like to level set. you know, JFrog, just for everyone in the room that might not be, you know, might not super well knowledgeable on JFrog, and for those on the webcast, too, just very quick overview, what is JFrog? What do you guys do? What is the opportunity you're trying to disrupt?
Yeah, sure. JFrog is a software supply chain platform provider. When we look at software supply chain, we are looking at three different cores. We're looking at the DevOps core, providing the universal binary or software package repository. On the security core, we are providing a full software supply chain coverage. On the IoT side, since binaries are also deployed on our iPhone and connected devices, we are the one that connect the edge devices to the software supply chain platform. We call that Liquid Software. This is our vision. The company serves now over 7,000 customers worldwide, 1,400 employees, and I'm thrilled to be here again.
Thank you. Thank you. I've been asking every management team kind of two boilerplate questions, you know, one on the macro and then one on everyone's favorite topic, AI. On the macro front, you know, the way I've been asking the question is: How does the demand environment feel for JFrog today, June 2023, versus January 2023, versus a year ago, June 2022?
Mm-hmm.
Does it feel the same? Different? I mean, just walk us through, what does it feel like?
Yes, it's a very good question that, you know, from one quarter to another I hope that the answer will be improved. JFrog is a provider of a hybrid solution. We have a cloud business, multi-cloud business, and self-hosted solution. What we have seen at the end of 2022 was almost felt like a panic. All the CFOs of our customers sent their engineers to cut costs on hosting, and we saw these breaks being pushed at the end of 2022 to optimize the hosting consumption. Since then, six months into 2023, and mainly because of the fact that JFrog is an infrastructure piece, you cannot optimize infrastructure forever. It's not an application. It's not a service.
It's something that, if you don't maintain, if you don't grow, you just block development and software release. We started to see it climbing back again. Longer sales cycles, if in 2021 and 2022, a VP of engineering would approve a PO of $100,000-$200,000 a year, now it requires some C-level approvals and so on. It start to climb back again. Mainly around the cloud, the low-hanging fruit was optimizing on storage, and data transfer was a bit more disciplined. It start to climb back again. We projected mid 40% for 2023, and we still see that it's in line with our projection.
Regarding the self-hosted this is interesting because a lot of companies took a strategic decision to move to the cloud, to migrate DevOps workload to the cloud. The recession, kind of accelerated, hit, and they stopped it. The strategic decision is still valid but the economic decision is delaying a bit, the migration to the cloud. What happened on the self-hosted and how it's impacting us, is that on one hand, they will not invest a lot, only the must-have investment on the on-prem, and the migration to the cloud is taking a bit longer. To summarize that optimization on the cloud usage and slower migration to the cloud from self-hosted.
Got it. Got it. Okay, AI.
AI.
Here we go.
We need a full conference.
Yeah, we need...
Well, you know, Koji, you know us, but I think that what I see now that every CEO want to say five times AI in a sentence, so I'll be a bit more authentic about it. AI, for JFrog, is by definition, a great opportunity, and the main reason is that the more AI you have, the more binaries you have. Okay? AI replaces humans. AI is not about automation. Automation is something that we built 10 years ago. We boosted developers' efficiency 10 years ago with automation. AI replace human. This is why the code management is kind of being disrupted with AI. What happened the moment after you compile your source code? You create a binary.
For JFrog, we don't care if the binary was created by a machine or by a human being, and therefore, we are very excited about the opportunity. On the second core of JFrog, which is security, the majority of the security event are being still managed by humans with human decisions. If machines will replace that what I think that we will see is a smarter and faster scanners available forever. Like, they will align themselves with the hacker. The hacker is always there. Scanning is by the policy of the company, so we will start to see more scanning and we will start to see automated remediation. Think about Log4j. Log4j, an episode that everybody in the room probably heard about. It's a binary vulnerability.
You have to find it, you have to replace it, and you have to distribute it according to the dependencies that you have in production. What will happen probably, would be scanning, finding patient zero, replacing it in Artifactory, and automatically remediate. We see the opportunity coming, but even more authentic, what is an AI model? An AI model is a binary. Some of our customers are already asking us: Can I use Artifactory as the AI repository, as the AI local repository? You have the public repository, like some of you probably heard about Hugging Face and public repositories for AI models. The local repository for AI models will be Artifactory. We see a great opportunity there, but we also want to be very responsible. We hear about Copilot, we hear about other solutions.
It still requires a lot of regulation, it still requires a lot of ethics, rules, and policies in the company. We have 7,000 customers, the majority of the Fortune 100, the majority of 500, they are not rushing into AI with everything. They want to see a bit more, study adoption of AI. For sure, it will be at the magnitude of the cloud, it will be at the magnitude of internet, and we are excited about it.
When you say an AI model is a binary, let's go into that a little bit more, because I think a lot of the focus right now is on OpenAI-
Yep.
You know, ChatGPT, you know, LaMDA, et cetera, et cetera, et cetera. I think a lot of the discussions out there is that, hey, these are gonna become more democratized, maybe even commoditized in the future, but that means that enterprises are going to be making a lot of LLMs or whatever the next version might be.
Right
for generative AI in the future. You're saying that you might be a beneficiary of hosting the binaries for that. Is that right?
Yes.
Is that the right way to think about that?
Yes. AI model, an algorithm, the machine learning out of it, create the binary.
Mm-hmm.
They need to be hosted somewhere, especially if your organization created it. OpenAI, we love them, and we are working with some of their tools, but it's not that open. The the name is misleading. OpenAI means that you have to host it where they tell you.
Mm-hmm.
OpenAI means that you have to use their models, you cannot contribute your model. OpenAI is not open. What happened now, if you, as an enterprise, want to use one of the models, you need to manage your own repository. What is this repository? A binary repository. I believe that Artifactory today is the standard maker, so we have a great opportunity to leverage the business there.
Okay. Okay. you sell to a lot of enterprises out there. You sell to developers too, and you sell to CIOs, head of DevOps, lots of different people. with the proliferation of generative AI, and minds going wild with the buyers out there, how have the conversations maybe changed over the past six months? Are they thinking about things differently? Are they coming to you with different pain points? You know, walk me through what the customers are thinking right now.
Yes. The first interaction that they have... Well, I don't know about AI overall. I know about AI in the landscape of DevOps, security-
Yep
... software distribution, software deployment, observability. I think that Gary spoke about it as well here, the CEO of Splunk. The first thing that they ask themselves: Can we trust AI to build software for us, to code for us? Why is that? Because no one, including your developers, whatever organization you are working at, even if it's a five developer shop organization, no one is building from scratch. No one is building from scratch. You bring artifacts, you bring binaries from outside, and you start to build your code. You compile it, and it's a binary. If I don't know where the machine is going and what it brings, maybe an open source license that is not legal in my company, maybe an IP violation can happen.
If I can have the full trust in what is this machine d oing, I will start to look at it, but still not adopt it in production level. The second thing that we see is that there are immediate action on taking policies into action in the organization. For example, GitHub Copilot, there is no question whether the machine can help us build faster and maybe even more high-quality code. I don't know what was shared from what I wrote outside because I shared it with the machine. Think about ChatGPT, okay? You don't have to be a coder to understand that. ChatGPT, you just ask, you run a query in ChatGPT.
You don't know where your question went to when you ask ChatGPT, because the whole idea of AI is that the machine teaching itself. Before this will be regulated, before this will be completely clear with how we use AI it would be probably mandate by the C-level down. This is what I hear from our customers. This is what we also did in JFrog. We have almost 700 engineers b efore they go and use ChatGPT, they will have to follow some policy and rules of what can be done. We also enforce some security tools on top of it to make sure that they didn't bring any GPL license or something that I don't want to see in my production, or to violate someone else's IP.
Mainly what we hear now is a lot of questions around AI and how it's being implemented and some proof of concept that being made with a very supervised, highly regulated environment.
Got it. Got it. JFrog already has AI within the platform, but I wanted to ask you about future opportunities, specifically on monetization. I mean, we're in a room full of investors here. Tell about how is it gonna drive growth, right? When we think about AI within the JFrog platform for the future, does it mean it's gonna be embedded within the platform, and you just get it with the price that you pay? Do you have to pay more for, you know, product A, it's product A plus, or are you coming out with new products altogether that are featuring either AI embedded tools or even generative AI tools?
Yeah. Well, currently, our monetization plans and the model we shared doesn't include the AI leverage of our tools. The main reason for that is that whoever tells you that they know how AI will look like is either illusionizing or lying. That's the bottom line. We look at it as more like an infrastructure tool. I want to see how it's improving my DevOps solution. I want to see how it's improving my security solution. I want to make sure that we are not being disrupted by a security solution that is powered by AI and our security solution is being adopted in different tiers. I think that it's too early to answer that.
I'm sure that the improvements of the technology will raise the adoption of our platform. It goes from expansion among our customers and new customers that will fit in. My observation of the market is that in the next two to three years, AI decisions will be a top-down decisions and not a bottom-up decisions. The adoption will be a bottom-up from the developers up. The decision whether you bring in AI tool to the organization, yes or no, would be a top-down decision. It will be a longer cycles of approvals and so on. With specific with our customers that will upgrade to new versions of JFrog that will include AI, I think that it will go on a slower pace of upgrading. It's not just upgrading from Artifactory 1.0 to 2.0.
It will be, what is changed? W hat have you done? Prior to the release, what have you done to make sure that we are not violating any kind of rule?
Got it. Switching a little bit to the supply chain of software, you work with a lot of enterprises, you see a lot of supply chains of software. How well prepared are enterprises out there for what presumably would be a higher velocity of applications being built? Are they ready? Are they not ready? What and how does JFrog help alleviate those pains?
Well, it really depends. I think that, we see differences between geographies.
Okay.
I believe that DevOps and DevSecOps in North America is mainstream now, unlike in APAC, which are at the earlier phase of adopting DevOps, CICD, what we saw here maybe 10 years ago. In terms of security, that's very interesting. In the past two, three years, binaries, software packages, call it whatever name you want to choose, containers, artifacts, became the primary asset, mainly because of the fact that the hacker, the attacker can reach out to your software supply chain through your production environment. That's the only asset that you have in your production environment, and therefore the developers became the target. This is why you hear about Log4j, you hear about SolarWinds, you hear about PyPI, you hear about SpringShell, you hear about npm. These are all binaries.
Whether it's a malicious code or some secrets that were left in your binaries or whatever went out with your containers, and it's going out not once a quarter, it's going out 1,000 times a day, companies are getting more and more nervous about the software supply chain security. If that was not enough, the White House is issuing a report, like, I'm sitting here feeling very comfortable with Biden administration speaking about Log4j because it's a binary. But for my customers, the government is starting to kind of apply all type of rules of how you manage your software supply chain security.
I think that, to go back to your question, it's not just a matter of velocity, it's not just a matter of scale and the volume of the amount of binaries, it's the enforcement of new rules that are automated in the software supply chain flow.
Got it. I think this is actually a really good segue into the competitive question.
Mm-hmm.
You know every software company has competitors out there. We do our checks, we hear. I'm gonna ask you this in two different parts. First, on the binary side, and then on the security side.
Okay.
Starting on the binary side, we hear Artifactory is one of the best out there. We've heard this over and over and over again. What are, you know, how do you think about the competition within, for Artifactory? You don't have to give any names, but just how do we think about the competitive aspect there?
On the DevOps side, which is, where we have Artifactory as the centerpiece, there are 2 type of competition. The first competition is some point solutions.
Mm-hmm.
Sonatype Nexus is one of them, Cloudsmith is one of them. GitLab claim to have a package management, but these are point solutions that what we usually see is that where you get to a scale, to a specific level of scale, you will upgrade to Artifactory. That's probably the minor side of the competition. What I'm opening my big fog's eye on is the hypergrowth, because AWS with ECR and Google with GCR and Azure with ACR are providing container security, container registry. Container registries is one technology that is supported in Artifactory, the Docker registry.
Today, Artifactory sells the biggest, the most, I think, scalable Docker repositories of the world. The clouds are the clouds, you know, they are doing a lot of things, and they will commoditize you in order to generate more traffic. Although we are working very close with them on the cloud, they are co-selling with us and co-marketing with us, we have to build some authentic differentiators when it comes to the cloud. This is why we came up with multi-cloud solution because I don't know about even one enterprise that will just be an Amazon shop or just be a Microsoft shop or just be a Google shop. This is why we came up with the hybrid model.
When we first started four years ago with a hybrid model, with our platform on a hybrid model it was an internal joke because we are frogs. We said that we are amphibian, we have cloud and we have on-prem, we have water and land. Nobody got the joke, but the hybrid became a standard. What the hybrid enables is not just a differentiator, but also taking the migration to the cloud at your own pace. Nobody just moved to the cloud in one year or two years. It's a strategic migration, and the hybrid became a very important differentiator. You would be surprised how excited the clouds are to work with us on migrating companies at the size of 50,000 developers, 30,000 developers, that are trusting Artifactory. On the hypergrowth, we have to build strong, authentic differentiators.
On the point solution, we have to be better in the technology. Obviously, better in the technology is mandatory, but there, like, you win by feature, and in the cloud, you have to come with something more stronger than just, "I have a better technology.
Yep, that makes sense. On the security side, advanced security platform, you guys have a security platform. I think security as a terminology within DevSecOps and just the broader security land in general, gets thrown out there a lot, and we've had this conversation many times.
Yeah.
I wanted to dig into it a little bit more. Let's talk about the products, I guess, within your security platform that are differentiated. How do you think about it? You know, I think you've mentioned there's at least five different products or so.
Yes
within the platform, you know, static analysis.
The JFrog Advanced Security.
Right, right. The static analysis being something like that.
Right.
So how does that competitive environment feel like? You know, what is this platform? Who broadly, how do we think about the competition there, point solutions, platforms, et cetera?
Yeah.
Yeah.
Well, of course, in two years before we went public in 2018, we took a strategic decision to go full platform, not integrated tools, but full platform. Second thing was doubling down on the cloud. This is why our cloud business is growing faster than the software office. The third one was security. In 2021, few months after the IPO, we acquired Vdoo. Vdoo is a mature security company from Israel. The team was trained by the best intelligence forces in the army, in the Israeli army. Some of them are attackers and some of them are defensors. We started to build JFrog Advanced Security, which is Tier two a fter Xray. Xray was the first composition analysis tool sitting natively on top of Artifactory. Then Tier two was JFrog Advanced Security.
That's the first fruit of the acquisition, almost two years after. We announced that a quarter ago. It comes with five different capabilities. Each one of this capability is a company beta. Static analysis, you know, companies like Veracode, like Checkmarx, like Snyk, like WhiteSource, those are the static, the code scanners. Container security, you know, companies like Aqua, like Twistlock, and so on. When it comes to secret detection you have a set of companies that are doing secret detection. When it comes to open source compliance, open source license compliance, you know, companies like Black Duck and Qualys and others. What we thought about is not, we will do it all.
You know me, I'm actually against those guys that are saying, "I will have it all." How can we be focused on one primary asset and to be the best in this asset and to provide you with a 360 coverage? When it comes to binaries, there is no better company than JFrog. Guess what? All the vulnerabilities that lately were found in software supply chain, were binaries. All of these tools that I just mentioned, 100% of them are integrating with Artifactory in order to provide you with the scanning that you need to protect your software supply chain. If that was not enough...
I'm not happy about the recession but I start to have more and more consultation with CIO, CTO, CISO, that are telling me, "We are not going to replace it now, but if we will find out that you can actually cover the full software supply chain then displacement and consolidation is also part of our decision process." We are very excited about it. It's too early to celebrate. My team knows that 2023 and 2024 is all about execution. If it's not going to be executed, then someone from them will be executed.
Okay.
Oh, you want.
Lost my train of thought there for a second. Earlier, I asked you about the monetization of AI, how to think about it. I wanna ask you about the go-to-market strategy now, and thinking about a couple different ways, because you sell Artifactory, you are bottoms up and top-down type approach, and then you also sell Advanced Security. Who are you selling to? Does it eventually become one buyer? Is it gonna be different buyers? I mean, how does that sales strategy work? You know, is it just a top-down sale at some point in time? Just walk me through that type of strategy.
Yes. I'm just coming back from New York, Atlanta, and Chicago, when we had our first security roadshow, and it was, for me, after 14 years in JFrog, it was, for me a completely different experience because suddenly, you don't speak with the community, you speak with the CISO, with the director of securities, with the AppSec leaders, with the InfoSec leaders, and it's a, security is mostly around top-down. Even if the adoption will come from the bottom up, the decision will come from the top. That's about security. Now, you know JFrog, we build the business of over, we cost the $200 million in 2022, almost with no salespeople.
It was all inbound, inside sales, we started to build our strategic team, that goes after our strategic customers and expands with the platform. We build the partners and the channels team that goes through channels and third party to expand among territories and customers. What we see now is a hybrid funnel. Some of it is still coming from the bottom up, more adoptions of small development organization and scaling as it used to work in the past. Big deals are coming, over a $1 million deal, over half a million dollar deal are coming from the top down.
Expansion to different silos in the organizations are coming from the top down, and especially when everybody is now looking at the dollar, consolidation is something that you want to look at, you know, oversee the whole organization and not just the group that you're working with. What we are now seeing is a transition from a full bottom up, full inside, full inbound, to a mix of top down and bottom up, mainly because of the security focus that we are now on.
Got it. We got about two minutes left. I do wanna open it up to the audience, if there's any questions out there, you know, please raise your hand and we can get the mic over to you. Squeeze in a question from the audience?
It said that I was very boring or very clear, so I don't know.
Very scared. Okay, last question for you, Shlomi.
Yeah.
Thank you very much for doing this again.
Thank you.
You know, long-term targets. On the last quarter call, you introduced some long-term targets, five-year targets.
Yes.
You know, why now? What is giving you the confidence? I mean, first time you gave out, you know, long-term targets.
Yes.
Yeah, walk us through that, please.
Well, it's not that, the street didn't have the model or the management didn't share the model. We actually updated or shared more-.
Right
... about what they saw. Jeff, Jacob, myself, we were sitting together. I don't want to say frustrated, but trying to understand what the market doesn't get about JFrog. I remember that in 2021, 2022, money was free p eople didn't reward us for being profitable. I got it. What now? When we started to ask, like, "What do you see in 2027 when you look at JFrog?" We heard that they project around $70 million-$90 million free cash flow, and we are targeting $200 million-$240 million. That blow our mind. Therefore, we felt like we have to upgrade the model and share it with the street.
Especially after we delivered 2022 according to what we said in 2023 first quarter again. We felt comfortable enough and we wanted the street to know what is the management position and the management commitment to the street. Same thing goes to the CAGR, 22%-24%. The street looked at around 20%. We wanted to kind of fine-tune the model and to make sure that the street is very aligned with the management commitment. This is why I said it's on us to execute. If you look at the model, it's mainly built. When you look at the 22%-24% growth basically, if we deliver on the expansion, which is our model, expansion and lending and expanding, if we deliver there, it would be subject to three conditions, right?
Adoption of our platform. We are already very transparent about that. We are checking this box. Every quarter, we share more and more customers that are not just saying, "JFrog is saying that there is a platform, but nobody's paying for it." Enterprise Plus subscription is growing every quarter. The second thing is the cloud. We finished 2022 with mid-50% in terms of growth. We said that we would grow this year again with the mid-40%. We deliver on that. Security is the third thing. This is on us to pull.
Got it. We're all out of time. Shlomi, this has been great. Thank you so much for doing this.
Thank you.
Really appreciate it.
Thank you.