My name is Billy Mandl. I'm a senior associate on the Enterprise Software research team here at KeyBanc. I'm here with Jacob Shulman, who's the CFO of JFrog. Jacob, great to have you here.
Thank you, Billy, for having us.
Yeah, let's start high level. If you just wanted to start off with a brief introduction to JFrog, for maybe those who aren't familiar with the business. Where does JFrog sit in that, you know, DevSecOps landscape?
Yes, absolutely. JFrog is a company in DevOps space. Our vision is Liquid Software. We aim to enable quick, automated software releases, secure software releases from developer all the way to any edge. People know primarily software engineers writing the code and then software running on machines. What's in between? It's a huge industry full of manual, siloed, inefficient, vulnerable processes. JFrog built a platform to automate, to streamline, and secure the software release process. Our mission is to enable our customers to automatically release software from developer keystrokes to any edge.
Great. And I kinda wanna keep it at an industry level for a second and think about how, you know, the adaptation and adoption of cloud-native architectures and microservices, containers, how that's kind of changed the way we think about application development, and, and kind of how that creates more of a need for JFrog. Is there anything you could speak to there?
Yes, you're absolutely right. The changes in the developing methodologies actually was a catalyst for JFrog. Just going down a bit to a technical level, JFrog provides automated binary flow. What is binary? Binary is the machine language. Software engineers writing the code, code is a people language, but then it's get translated into machine language because machines don't speak English, or German, or Hebrew to that extent. They speak one and zero. JFrog built a platform that manages binaries. The change in software development methodologies increased significantly the use of binaries and the number of binaries managed by the companies, and that's what created the need for JFrog. Just to give you an example, containers, right? Significant improvements in how people release software. Container is a binary.
People no longer write these monolithic applications. They split it into microservices.
Mm-hmm.
That creates increase in binaries. Even now, talking to AI, I'm sure that we'll touch this, this topic for sure. Generative AI will create more code, which means more binaries will be created, which means positive for JFrog. Open source use, that another example. No one's writes from scratch today. Today, 80%-90% of your application is coming from open source, and open source primarily comes in the form of binary. All of that creates positive secular trends for JFrog.
Great. Yeah, that, that's helpful to get kind of the delay of where JFrog sits in this landscape, and, and, you know, hopefully, everyone's a little bit more familiar with the business now, for those who weren't. You know, you just reported earnings, 2Q earnings last week. It was a, it was a solid report, and, you know, the macro is still challenging, and, and you called out some of those things, but, and correct me if I'm wrong, it, it seemed like we could characterize it as some of the macro trends were, were stabilizing a bit. Kind of maybe talk about how the macro has trended over the past few quarters and what happened in 2Q, and, and kind of some of those headwinds that you are seeing?
Yes, you're absolutely right. We are seeing that macro is stabilizing. We started to first seeing the macro impact about a year ago. Late Q2 of last year, more pronounced in Q3, and even more pronounced in Q4. We entered Q1, same trend. Back in March, we started seeing better, better trends. We kind of look at our cloud consumption, which is measured by data transfer and storage. We started seeing that those trends improving in March, and they continued to improve in the second quarter. We are seeing that, for example, for our SaaS business, the usage trends continue to improve. However, the pace of migrations... economics trends, still longer sales cycle than usual, still pace of migration is slower, but usage is improving.
The customers that have their budgets allocated to projects, we're seeing them executing on that, and that gives us confidence in, in what we predict next kind of for the rest of the year in the guidance that we provided to the same.
That was great to see kinda usage coming back and some signs-
That's right.
... of stabilization. Maybe wanna dig a bit more into the migration side of things.
Mm-hmm.
This is migrations to your cloud product.
That's correct, yeah.
Kind of what are you seeing from customers that's holding them up now in this stage, and what might need to change for us to see that start to come back at a, at a more rapid pace?
Yes. We have over 7,200 of customers, still majority of them on-prem customers. It's clear that secular trend of hybrid and cloud will continue. We are seeing that customers who made these decisions, strategic decisions to move to SaaS don't reverse those decisions. They execute just really expected on this, on this pace of migration. If think of, think of large bank, multinational bank. Two years ago, they didn't want to hear about SaaS. Now, they gradually transitioning to that. It's gonna be a long, long process-... and but it's inevitable, and this is what we're seeing. Yes, pace a bit slower than last year, but customers continue to execute on those projects. Obviously, we're helping them to do that. We're building some migration tools.
We're helping them with some additional services that we could provide, but many times it dependent on their budget constraints. Many times it's dependent also on their headcount constraints as well.
Yeah, I mean, you're not alone in, in seeing some of these, these pressures from the macro environment and, and customers, you know, with tighter IT budget constraints right now.
Yes.
What do you think customers think of as the relative priority of DevOps solutions and maybe more specifically, JFrog within that?
First of all, it's a critical infrastructure, right? We see that customers continue to expand. We're still we report our net dollar retention rates at 120%. Bit down from, from prior levels, we continue to see our customers expanding. We continue to see that JFrog is a critical piece, especially when we talk to our larger customers, it's DevOps is very fragmented environment. All of them thinking about tool rationalization or platform play, and that's where JFrog is, we believe we're, we're gonna shine, right? Because we're clearly leaders on the DevOps space. We also launched our Security Core with different capabilities, and some of these capabilities really can replace point solutions along the way.
definitely we see, especially on dev, DevSecOps, side, that enterprises today have 5, 10 different point solutions, and all of them want to make rationalization of those, and, this is where JFrog will, will come in, into play.
Okay. you ready to talk about AI?
Absolutely.
How are you thinking about, you know, the impact of AI and generative AI on application development and within that, JFrog solutions? I'm specifically thinking about, you know, AI-assisted coding tools. Think of, you know, GitHub Copilot or ChatGPT. How does that change the pace of application development and how JFrog supports that?
Yes. first, just to set the stage, we see ourselves complementary to code repositories. We integrate with all of the code repositories, we integrate with all CICD tools and testing tools. generative AI is probably more relevant for the developer tool category.
Mm-hmm.
We are seeing that some of our customers already started using Copilot or some generative AI, but it's still the framework around that needs to be, needs to be established because when those tools pull out open source components, people want to know that they don't infringe the IP rights, they don't bring vulnerabilities, et cetera, so legal framework. In general, these tools will definitely make developers more efficient.
Mm-hmm.
The time to commit will decline, which means more code will be created, which means more binaries will be built. Therefore, we believe that that will be yet another kind of secular driver for tools like ours that manage binaries across the software supply chain. Another thing that we see is that AI models, that's yet another form of binary.
Mm-hmm.
We started seeing our customers hosting AI models in the Artifactory. As you know, Artifactory is the single source of truth for all binaries within the organization, and we started seeing our customers hosting AI models, and sometime also, kind of, the training data as well, that they want to host close to the model. We're also seeing that some customers started using proxying. Artifactory is also proxy of open source hubs, and there are multiple open source hubs exist for AI models, Hugging Face and a few others. That's definitely an opportunity for us to enable our customer, kind of, native support for some of these capabilities.
We want to enable our customers to be able to use Artifactory and our platform as enabler for their in-house AI initiatives. Lastly, we're also improving our own solutions and platform with AI-enabling capabilities on security side, on DevOps side, and we have our user conference in September, on September 13th in San Jose, and we'll be making announcements around, around that.
Right
... as well.
Have you shared anything about, you know, capabilities, gen AI capabilities within the JFrog platform? How that would maybe look from a monetization standpoint?
We haven't yet.
Mm-hmm.
some of that will be announced at the, at the, our user conference. keep in mind that, JFrog monetizes by data transfer and storage, our SaaS, SaaS components, the more code created...
Yeah
... the more binaries, that means that it's better for JFrog from the monetization perspective as well.
Great. Well, we'll stay tuned, for swampUp to hear some of those announcements.
Absolutely.
jumping over to kind of more of the product-
There might be a question there.
Oh, yes, please. No, not at all.
The persona is changing. When we first came into market with our flagship product, Artifactory, that became de facto standard in binary repository manager, that was more oriented toward developers, developer teams. That's how we got into even largest enterprises through bottom-up by adoption of the developers. Over time, we added more capabilities to our products and we built a platform. Now, the platform touches multiple personas, not just developers or DevOps managers. It's also security engineers and CISOs, CIOs. It's also product managers, those who are responsible for the software updates at the customer side. It's also operations, IT operations. It's became more strategical value for the enterprise, and therefore, we started adding top-down capabilities because that's more about the digital transformation of the enterprise. The ASPs increased significantly.
If previously, the entry-level into Artifactory, is about $3,500, now we have 24 customers over $1 million, and that's not-- none of the developers have this type of budget. Typically, top-down approach, and therefore, our persona also changed, and our go-to-market capabilities also changed. Yeah, we believe this entire DevOps loop gonna be split in three categories. One category, which clearly is monitoring tools. Another category is developer tool ecosystem, and we kind of reside in between. We call it software supply chain category, and we believe we are leaders in this space. Definitely, we're one of the largest vendors in this space, adding more and more capabilities. The primary notion of using our, our platform is automation, and that's clearly pronounced at scale.
That's why we've entrenched all our customers, majority of Fortune 100, majority of Fortune 500, significant portion of Global 2000, using us because we provide this automation and scale. You're absolutely right that many of our enterprise customers want to do less, and we believe this is an opportunity for us to consolidate more on the platform. We divide our competition in kind of several different layers. Today, the largest competitor is still homegrown solutions. Historically, people have been using open source hubs and building homegrown solutions to automate some of the development processes. Second tier is the DevOps companies. Specifically in our category, number 2 player is a company called Sonatype, which is owned by Vista. It's a private company. In security, it's very fragmented players.
They're focusing on specific areas of focus, static code analysis, dynamic analysis, software composition analysis, container security, runtime security. We introduced our capabilities that cross multiple areas of focus, and we're building end-to-end, and we talked about it. There are a lot of opportunities for us to consolidate on the platform and replace those point solutions. I would also like to know that some companies from developer tool categories, specifically GitHub and GitLab, expressed their views that they want to develop capabilities in our domain, but we currently don't see that happening. The third layer is big clouds. First of all, they great partners of ours. Their KPIs are different. Cloud KPIs are how much traffic you generate on my system. Our KPI is how I enable our customers to release software quickly and securely.
We generate a lot of traffic. That's why they partner with us. They offer us on their marketplaces, 1/4 of our business today on SaaS going through these marketplaces. They understand that developers generate a lot of traffic, and they want to offer kind of overlapping solutions that optimized for data transfer. For example, all of the clouds have container registries. Container registry is the repository for containers for one technology only. Our, our stack is much deeper. We support 30 different technologies. None of the enterprises can build software with just containers. Even to code, to build contain- container, you need several technologies. There are differentiators from clouds in that regard, that our stack is much deeper, both on, on DevOps side, but also security. Finally, there are business differentiators such as hybrid and multi-cloud.
What we're hearing from our enterprises, that hybrid is here to stay, that multi-cloud is the area of their focus, and none of the cloud providers can offer hybrid or multi-cloud. Therefore, we believe that being Switzerland in this space is in our favor.
I think, you know, this is a good, good segue into the security part of your business 'cause that's kind of opening up you into broadening the platform.
Right.
Some of those new personas we talked about. You announced Advanced Security back in, in October, I believe it was. What are some of the new capabilities that the Advanced Security package brings to the JFrog platform, and how does that complement existing capabilities that you had with Xray? Then, kind of maybe even fold into that your, your newest announcement, which was Curation, JFrog Curation.
Yes, absolutely. Again, DevSecOps is very fragmented. There are companies focused on different areas of expertise. We started with Xray as a player in software composition analysis, and then we clearly recognized the need from the market to provide full end-to-end capabilities. Cause we're seeing customers today deploy five, 10 different solutions, and they want to rationalize this spend... the data many times come with a lot of false positives, a lot of inactionable data, and customers want to do more with, with less. That's where we introduced our JFrog Advanced Security, which has six different capabilities. One of these capabilities, each one of them, actually, it's a separate company. It was introduced for SaaS deployments in Q4 for on-prem deployments in Q1. It's been four months since hybrid capability is available.
We already have tens of customers, majority of them on-prem customers, because majority of our customer base is on-prem, but also majority of security tools, they're also on-prem. It's kind of more replacement for those tools. What we're seeing is that several capabilities that we offer are very unique and resonate and provide a lot of value for customers. For example, contextual analysis is one of the capabilities. Typically, security solutions would scan the product and provide laundry list of vulnerabilities. Security teams would require developers to fix all of those. Basically, not all vulnerabilities are exploitable. Some of them may not be exploitable because of the environment in which application is running, and some of them may not be exploitable because of firewalls.
Some, some of them may not be exploitable because of the different versions of different components that you use. Artifactory provides you this view of all the software that's running in production. Therefore, we have the data of the application that's running in production, and we can prioritize for developers and tell you, "Please focus on these first 10, which are urgent and critical. All others, you can fix when you, when you have time, because they're not currently exploitable in, in, in production." That saves a lot of time and, and increases significantly reduces time to market for solutions. Another thing is secret detection. Historically, security companies will focus on secret detection on the source code. We do it uniquely on the binary.
What's happening is that we have much bigger, much better picture, because when you compile code, you're building some, some secrets into the binary, and, and those secrets cannot be recognized on the source code, but only on the binary. There are a lot of differentiators.