Thanks for joining us. David and I, we've got a shoe game. I have those, some Jordan 4s. We both just got the Wu-Tang Dunks or highs, so we could spend a half an hour talking about shoes, but we'll talk about GitLab instead.
We should probably do that.
Yeah. So thanks for joining us, everybody. We'll save some time at the end for questions. David DeSanto, Chief Product Officer of GitLab. And as a reminder, GitLab is in their quiet period. We appreciate them coming. We're not going to be talking about financials or anything forward-looking. And so don't ask a question around that. Or if you do, David knows the answer. So we'll talk. We're going to be talking about products and maybe shoes at the end.
We can talk about this.
So thanks again for joining us. You were here last year. I thought it was a fascinating conversation. And we've got a lot to talk about as the platform has continued to evolve. And so maybe just for those that aren't as familiar or maybe didn't meet you last year, just a quick introduction of yourself and what are you passionate about at GitLab?
Yeah. So as mentioned, CPO for GitLab. I joined GitLab in 2019. I joined to help add security and compliance into GitLab, and that became the Ultimate tier. Over my time at GitLab, I think the thing that's made me the most excited is the partnership with our customers. I've worked lots of places where we say, "Oh, no, we're your partner," but that partnership is really there. And so what made it unique for me to come to GitLab is my background is actually security and vulnerability research. I did that for about 10-ish years before moving into product. And when GitLab reached out, I talked to the then CPO, who's no longer here, and then Sid, the conversation with Sid Sijbrandij.
It feels like in the last five years, the platform has really evolved, and it's just great to see the traction of Ultimate, even more recently here. Let's just level set. You guys have been focused on, well, your passion on security and governance. GenAI has been a bit of a driver here, but just talk about the evolution and the importance within the developer community of a DevSecOps platform and why that is so critical, and I think about things like the CrowdStrike outage and all of the potential risks with pushing bad code into production even. Talk about how that's resonating among the developer community these days.
Yeah. So maybe to kind of start with the first part, for GitLab, we are a true platform. We're a single product with a single unified data store. Why that's important is that unlike point solutions that can be in the market that you stitch together, there's a single source of truth that everyone's working from. And so when you look at it from that point of view, you can begin to see why customers report the efficiencies they get, especially adopting Ultimate. But for us, it's really about making sure you can plan, build, train, secure, deploy, monitor code, and AI models from GitLab. And that power of it being that single platform has allowed customers to see great benefits. A good example is we recommissioned a study with Forrester. We had done one three years prior, and we wanted to see what customers were seeing with Ultimate.
They shared that they were getting a 482% ROI over three years and a full payback in less than six months. That boost of their efficiency leads to companies like Lockheed Martin talking about they now ship code 80 times faster than they did before.
Yeah. Yeah. I mean, and I think in today's selling environment, when it's an ROI-based sale, that even accelerates the conversation. Can you talk—I mean, I guess let's start with Ultimate because that's what's been really standing out to me. Why do you think that's been resonating so well with customers over the last several quarters? Because the percentage of ARR continues to tick up noticeably.
Yeah. I think what it is is that GitLab might be an open-core source-available company, but we're trusted by more than 50% of the Fortune 100 to secure their intellectual property. And so they're choosing to use a product that can help them from beginning to end and make sure they're being secure. And so the reason why Ultimate continues to grow is that unlike a security scan or a compliance control, it's just built right into the platform. And that allows them to know that everyone's working from the same single source of truth. They're able to track things much better. Customers will use GitLab as part of getting through their audits because they can point to something in the UI and be like, "Oh, yeah, that's logged. It's right here in the audit event." Or, "No, here's the control.
You can see it's turned on," and you can't do that if you are a bunch of tools stitched together. We had our annual, and it's actually the eighth year of it, DevSecOps Global Survey. Companies are sharing that they're moving to a platform for that reason. They're also trying to de-consolidate, get rid of more tools. One customer had about 100 tools stitched together to ship software. That's obviously going to be very fragile, whereas now they can just be on one tool and that platform gets that benefit.
So one of the questions that I, Kelsey, you get all the time, even from customers, is like, "Well, GitHub's great, and it can be free for a lot of folks." And I asked you this last year, but I continue to get the question, "Can you level set the group on?" Organizations will use both for different purposes. But what are some of the most important primary differences when customers are looking at GitLab versus GitHub?
Yeah. I mean, I'll just take us to both our marketing messaging because it's a good way to answer the question. So GitLab is a DevSecOps platform. We're focused on organizational efficiency. It's about making sure developers are effective, security teams are effective, platform engineering, operations, compliance are all effective. GitHub, by their very nature, they're a development platform for developers. And so their focus is on making the developers more important and more efficient. That is important to us too. But we realized early on that if you made your developers, say, 100 times more effective, if you didn't help everyone else around them, everything would break. And so the big differentiator there is we're focused on the entire SDLC. They're focused on developers.
Okay. And I think the reality is also, I think I still consider GitHub more of a DevOps platform too. And I think because there really is no good alternative to Ultimate within the GitHub platform, correct?
Yeah. The way that you would do the similar thing is you'd have to use the GitHub Marketplace and then choose to buy tools through that to add into your environment. Now you're not using a single platform. You're using a bunch of different solutions that you're trying to stitch back into the workflow.
Okay, so there's a way around it, but it's not as straightforward as just my old.
It's not straightforward. There's a lot of operational overhead then. The thing that I always find interesting when talking to customers, they'll have, say, 10,000 developers, but they'll have 500 security people, and they'll have like 20 people in the platform engineering team, and going that route through an ecosystem trying to bolt everything in, those 20 people have a lot of things that it causes another impact. But yeah, we're probably the last two main running in that DevOps space. But I was very proud of it as Gartner just did their second Magic Quadrant for DevOps platforms, and we were the best on execution and vision, and that's just showing that what we've been doing is now resonating, and customers are getting the benefit.
Well, and I think one of the questions that I also get too is DevOps is a complicated, there's lots of components of DevOps. And you said one customer stitched together 100 different products. One of the questions that I get is like, "Well, GitLab might be good at this, but not as great as that." How do you think about raising the bar for all aspects of sort of DevSecOps so that you can take out a product and be considered best of breed here, but also a platform play?
Yeah. So the one thing I always like to make sure everyone understands is you can be best of breed (we call best in class) and still be a platform. We look at that from really five key pillars of what DevSecOps is. That's planning, coding, building, securing, and deploying. And all of that together are areas in which GitLab is identified as a leader in the space. And so it could be our enterprise agile planning, which I think we talked about a little bit last year because we just launched the add-on for that. The security scanning, CACI, public sector customer, shared that GitLab is helping them run security scans 13 times in their environment. And that's because they're now using security tools that are meant for developers that are within the developer workflow, as opposed to those stitched-on, bolted-on security scanners that are more for security professionals.
Okay. So what I'm hearing is that you sort of—and this could be with CrowdStrike or it could be with any other players that have a true platform—is that you're not sacrificing functionality when you go with a consolidator in this case. And that's what you're, from a product perspective, you're focused on.
Correct. Yeah. We truly believe that those five key areas are best in class, best in breed. Then the other things benefit from the rising tide lifts all boats. Areas that we're still holding in, whether it's monitoring and continuing to improve business-style metrics with GitLab, those things are already better because they're new, those great things, but they just continue to get better, and then they'll be the.
Observability feels like it's a close cousin, and I know you guys have made some investments there. How do you think about that? Because I always think if you're in the business of developing and securing code, you can certainly help with observability.
Yeah, so a couple of years ago, we acquired OpsTrace. They were an open-source observability platform that is now fully integrated into GitLab. But for us, it's not just about observability. It's about analytics and product analytics. We believe that you should be able to close the DevOps loop or the SDLC with feedback from your applications you deployed using GitLab, so observability gives you the infrastructure analytics sort of view to know the application's healthy. There's not an incident. Product analytics helps you understand the usage of that application you built using GitLab. The way I look at it is we are very data-driven. A lot of you here are all data-driven. You need to have correct and accurate data to be able to do what you need to do.
You can't decide what you need to build next if you don't know how the thing you built and deployed is actually operating.
Yeah. Okay. Okay. That makes sense. I don't remember the exact statistic, but when you look at, I don't know how many, from a TAM perspective, what do you think about in terms of the total number of seats out there? And I guess ultimately what I'm trying to get at is getting customers to get over the free-to-pay conversion. What are you doing specifically on a product side to encourage folks that, like, "Hey, free is good, and there's a lot of functionality, but it's probably the compliance and the security piece." But just sort of curious in your thoughts there.
Yeah. I mean, so we do have Free, Premium, and Ultimate. When we decide what features go where, it predominantly is driven by a model of like, "Hey, if it benefits an individual, that's probably a free feature. That benefits a team is probably a premium feature. And if it benefits the organization, it's an ultimate feature." And so if you look at it from that point of view, things like just our standard issue tracker, free. But if you now want to start using epics and reporting, hey, now you're in premium, right? And then same thing with security as you highlighted. We do have some security that's available in free. You can run our scanner and secret detection scanner. Don't get all the UI and all the controls.
And so that then encourages you to go up to Ultimate where you can now put all those things in place and have that auditability you need.
Do you ever, and I've asked you this before, do you ever envision a time when there's a platinum version out there where there's another tier? Is the market big enough to support something like that in the future?
Yeah. I would just say I think the market's more than big enough for everything that you and I've talked about before here, now or last year. It's an untapped market. It's calculated around $40 billion. If you out of GitHub, GitLab, and Atlassian as another player, you don't get to half of that. And so I think what you're going to see is that as there's more tool consolidation, that same survey that we ran, and if you've not seen it, you can just Google GitLab Global DevSecOps Survey. It's well worth the read. Over 5,000 people responded to it this year. You begin to see that tool consolidation needs to happen. Over 60% of respondents want to standardize on a platform. And as that happens, sure, maybe it changes pricing packaging. But today, we're just focused on what we have in the product.
Yeah. And from a tool consolidation perspective, how often do you see large enterprise running both GitLab and GitHub? And it feels like Atlassian's with Bitbucket's kind of shrinking. But any thoughts on kind of how you sit in the enterprise space?
Yeah, so I think there's really a couple of components to that. The first is you're correct. We continue to displace Bitbucket out of accounts. I think for Atlassian, they're very much focused on the ITSM space now, and so it becomes a natural thing for enterprises to switch off of. Our enterprise agile planning is beginning to be able to displace Jira.
You mentioned that last year.
Yeah. I think I told you last year I was going to make it happen, and I can tell you it's now happening.
Okay. Is there any customer examples that you'd just kind of highlight?
Yeah. I mean, probably the biggest one name-wise is UBS. They mentioned on their earnings call a couple of quarters ago that they've now moved all their planning into GitLab. For them, they say that's giving them an even larger ROI because now everything is all in one place. We can associate something that's being planned with code that's actually been written to code that's been deployed to events that are happening. And that gives them that efficiency. But when you talk about the others around it, I think we look at the market as the individual pillars that the market sees them as: planning, development, and so forth. But we see them platform, and that gives even more value. And so if you're looking at the market, it's $40 billion. There's plenty of room for everyone to grow.
And I think that's going to grow not just because of that tool consolidation, but more companies have to build software today. When I started, Sid said to me, "Everyone is going to have to become a software company." At our IPO, he brought that up again. It became more of a security company. And that's why Ultimate is so popular because you now need to do a lot more security and compliance. But I think it's going to drive people to need to be an AI company and all these other things that GitLab can help with, and that'll expand that too.
Yeah. Well, I wanted to go back to the agile or the Jira piece. Thanks for the customer example there. I mean, what sort of momentum do you see in that? Because it feels like, I mean, that's obviously a market that they do extremely well at and for quite some time. But how ripe for disruption could that be?
Yeah. I think the people, and I'll tell you another customer example. I always put a weight for everyone. I look at our success through the eyes of our customers and individual users and the benefit they're getting. That's why I tell a lot of customer stories. The way I've looked at it is that customers have said to us, "Products like Jira they've had for 15, 20 years are no longer a product. They're a process," and sometimes that process is slowing down their conversion that they want to do, whether that's digital transformation, cloud migration, all the buzzwords that people say they're doing, and so when they take that step back and they look, there's not just GitLab in the market. There's other startups that have come up in the planning space.
But they can go, "I can redo my workflow now because now I'm not dependent on the tool that's been doing it." Focus on disruption, not replacement with our planned functionality. So it doesn't do everything Jira does, but there's a lot of things that are very important. And that's helped customers complete.
Okay. Helpful. I wanted to touch on the premium price increase. It wasn't price increase just because you added a lot of functionality that warranted that. What's been the customer feedback? Because I think there's been probably a little bit of churn at the low end, but you've obviously seen some good conversion too. What's been your perspective on the receptivity of that?
Yeah, so this probably comes as no surprise. We run pricing studies to make sure we're making the right call, and both talking to customers and some of the blind cohorts we worked with, we identified that there was a lot more value in premium than what the price was, so what we ended up doing is, to your point, roll it out. When we announced it, actually, I can give you the right number. We had already released 400+ improvements to premium, and it's four years of life, and so that right there makes it a whole different product than it was when we launched it, and so reception's been good from everyone who we've talked about it, and yes, there might be some pricing pressure later on. Brian talked about it in earnings calls, but realistically, the value's all there, and it's worth the price.
Have you seen people just say, "This is going to be an incentive to move to Ultimate"? I know you kind of just sell to what the customer is sort of asking you for. But have you seen some customers do that and just say, "I'll just move to sort of that tier"?
Yeah. Part of the reason why that number is growing that you highlighted is because of that. When I started, people land on source code management and then maybe eventually adopt CI, and then a year or so after I started, we had security they could adopt, and now customers are just actually starting on Ultimate, and there's really two reasons for that. The first is the capability that's in there, the benefits they see. If they're going to make a change, they want to do it all at once. The other thing is that things like GitLab Dedicated is only Ultimate, and that's our single-tenant SaaS offering, and that allows customers who are self-managed to now have a cloud offering that meets their regulatory compliance without having to trade off and go to a multi-tenant environment like GitLab.com.
Yeah. And so those two things are really driving people going to Ultimate to start. If you're an existing customer, we shared that Southwest just moved from self-managed to Dedicated. That was for those controls that are in Ultimate and the ability to have data residency, data isolation, all the things they needed for compliance purposes.
So, I guess I forgot. So, Dedicated, there's a hosting cost as well. But is that the Ultimate tier from a pricing perspective?
Yeah, it is. So for everyone who's not as familiar with GitLab, I am.
Okay.
There's really three deployment options. There is self-managed GitLab.com. It's multi-tenant SaaS. And then GitLab Dedicated, single-tenant SaaS. And the thing that's allowed us to do that and be successful with it and help customers like that migrate between them, it's all the same code base. So GitLab.com is running the same code base someone would upload in self-host. Obviously, we've increased memory, disk space, all the things you need to do to run that large of a multi-tenant environment. But it allows us to ship the same feature to all three simultaneously. And it gives customers the benefit of if you're self-managed, you get in this weird stuck point where you don't always upgrade when you should. Now you're just getting automatically upgraded transparently too.
Yeah. I'm going to ask one more, this is a big crowd, so I'm going to ask one question, and then we'll see if there's any from the audience. Duo has been a real talker for the last, I don't remember when it was named or when we started talking about it.
We announced it June of last year, released it December, and we've been putting it out ever since.
So, I know at the time, I think you and I talked, there's a lot of questions about code efficacy coming out of GitLab versus GitHub and Copilot. And I believe you guys worked with some commissions, some studies to try to show that efficacy coming out of GitLab was superior. Could you talk a little bit about that code suggestion model and how it relates competitively?
Yeah. I mean, I think first is make sure everyone, because we do stuff so quickly, there's some things that have been improved. So there's GitLab Duo Pro. That's where code suggestions, which is AI code creation, chat, which can let them explain code, fix code, refactor code, generate test cases. And when we talked last year, that was a couple of weeks from going live. Since then, and this is back in August, we launched GitLab Duo Enterprise. And that includes AI across the entire SDLC, the software development lifecycle, helping in planning. The two most popular features give you a recommendation to fix it. And then Vulnerability Resolution, where you can actually go in and ask Duo to resolve the vulnerability for you on your behalf.
And so the studies and things we talk about are because it's across the entire software development lifecycle. Our customers are sharing they're getting an improvement in efficiency. And sometimes efficiency can just be the quality of the code. It could be fixing a failed pipeline faster. But it's also the collaboration it drives. The story that I was told at their own event a couple of weeks ago was that Vulnerability resolution brought their security team members and developers back together and talking to each other. Whereas before, and I can speak of this as being a former developer and security person, there's a lot of pointing fingers between the two groups like, "No, this is your fault." But because they're getting better quality code, less vulnerabilities, they're now collaborating really closely together. So it's both the technology and then what the technology unlocks from a team perspective.
Can you remind us about the pricing then for that?
Yeah. So Duo.
Various tiers.
Yeah. Duo Pro add-on is $19 a user a month. GitLab Duo Enterprise is $39 a month per user.
Okay. Yeah. In addition to, and there's been some varying discussions about how productive developers can be. The number that we've talked about is 30%. And that's obviously probably true for maybe some entry-level developers versus more seasoned professionals. What are you seeing? Can you talk through some of the efficiencies?
Yeah, absolutely. This is actually the most fascinating part. I think of Duo as what it's done for people. And so to your point, we've seen trends that our customers, if they're an associate or intermediate-level developer, they're going to prefer code completion. And everyone just like in a Word app, your cursor recommends a couple of lines after it. And they spend some time looking at it, but then they start to learn why it chose it and what it does for them. And then they become a better developer. And they start operating more like a senior-level developer.
Interesting.
But then the more experienced developers, say the staff or principal level, they find code completion very noisy because they know exactly what they want to do. And they're gravitating towards code generation. And for us, that is writing a comment and describing what you want, letting it generate the code. And the best way to think about it is that the thing that's really very specific, you can write multi-line comments. I did this for a customer as a demo. We built a REST API application in Python and six prompts into it in comments. And we ended up with a connected database responding to requests. And that was just comments, right? And our customers are now saying that's allowing those principal-level, most senior-level developers to focus on a more strategic, harder problem.
A customer who adopted GitLab early around this time last year when it was in beta shared that a project was going to take three of their principal engineers a full week to complete. They did it with one developer in two days, and if you talk about that impact, you're now helping people upskill, and you're having your most experienced senior developers focusing on the harder problems and not doing a lot of code refactoring.
Yeah. Have you seen it also if a customer had 1,000 seats saying, "Wow, this is, I'm going to buy some more seats because I'm opening up this technology to folks that I wouldn't even consider developer level"?
Yeah. So there's three things that are happening that's around that. The first is when you buy Duo, you don't have to buy it for every user like you do with Premium and Ultimate. That's allowing them to be very specific. They'll buy Duo Pro maybe for developers who work on internal apps. And Duo Enterprise for those that are focused external applications that'll be exposed to the world. We did the same thing with Enterprise Agile Planning. And that's also bringing in team members who wouldn't traditionally be a GitLab user because now they can buy just the planning functionality, issue tracker, the reports, the wiki. And that's allowing them to accelerate their development as well.
A customer which I think we'll be referencing on the earnings call, so that's my plug to go listen to the customer stories, just shared that their net new customer went to 1,000 Ultimate seats, but that was driven by plan, and they bought 2,000 plan seats, and so that then unlocked Duo Enterprise for them, and so that slight change we talked about last year at this event is really helping customers continue to mature what they're doing.
Interesting. I'm going to pause here for a second to see if there's a question from the group. Give me a chance to ask David your burning tech question.
If you want to know about Matt's sneakers, you can ask him that too.
Yeah. We can do it. I got a pair of Travis Scott Aero Yellows. Does that do anything for you?
No, but I wanted the Philly long.
Oh, yeah. The Kobes?
No, no. They were Dunk Lows.
Oh, yeah, yeah.
Designed by a local shop in Philadelphia. They were gone in five minutes. And they're now going for five times the price.
All right. Well, there's a market for that.
Yeah. Yeah. Any questions?
If not, we can keep rolling. Code scanning, code scanning, nothing.
All right. Well. They're a lot quieter than last year.
Yeah. I don't know. Well, I think you preempted some of the questions around Atlassian. It was a question that we had last year that prompted some discussion. So I guess from a GenAI adoption, because that's the question that we get, is like, where are we in the adoption of GenAI? From your perspective, it feels like this is a 10-year trend. I mean, it feels like we're in the top of the first inning. I mean, where are we in that evolution?
Yeah. I think the chasm that was written about in business—you've got the trough of disillusionment. I think that's kind of where we've fallen into. The reason why I say that is initially it was like, "Oh my God, I'm never going to trust AI." My customers said it, and there were boards and C-suites saying, "If you're not using AI, we're going to fall behind." A bunch of people bought it, right? Then now it's kind of come back and said, "Well, what is it actually doing for me? And is it safe?" For everyone who's not aware, GitLab actually started with AI in 2021 before Duo was even a thing yet. That's because we saw that you could help people get through code review faster if you could help them find the right code reviewer.
And when we did that, we set three principles, which are still true today. And it's helping customers get out of that disillusionment. The first was we want AI across the SDLC. Talked about that with Duo Enterprise. We also wanted to be price transparency forward. It was very known for that. And we wanted to continue that. So we list every model we use and how it was trained in our docs and links out to a provider if it's not a model that GitLab has created. And the last one was choosing the right model for the right use case. When I hear a lot about things like hallucinations or confabulations, I think is the word they're trying to get to catch on. That's because you're trying to get an AI model to do something it wasn't designed to do.
And so that code completion I mentioned has its own model. There's models that are built to just do that. There's a model that we use for chat, a model we use for vulnerability resolution. And that allows us to test over 100,000 prompts across many models every week to make sure we have the right model for each case and we can swap them out transparently. And so as we come out of that disillusionment, I really see AI moving from reactive to proactive. And what I mean by that is today, Duo and all the solutions that are out there, you have to give it a prompt. You have to type something. You got to click a button. That's great. And it's helping with efficiency. But we see it becoming proactive where it can take decisions, make them on your behalf.
And so if everyone wants to kind of see where we're going next year, it's a great event. Actually get to meet Hillary from my team, who's an incredible security leader as part of the event. But we announced GitLab Duo Workflow at that event back in June. And again, it's available for replay. The Duo Workflow solution is really focused on being an autonomous AI agent for DevSecOps to do things like, "Hey, don't have low-hanging fruit bugs be fixed by a developer. They can work on something more difficult. Let Duo do that for you. Let Duo help you prioritize your backlog based on inputs that it's saying." Going back to the beginning of our conversation and GitLab being a single data store, Duo can see. It can make a lot of really smart, educated decisions because it knows about your project.
That means it can perform and allow things like Duo Workflow to be born.
A little bit more than I mentioned before, but with CrowdStrike outage back in July, did that raise awareness among the broader developer community that if it happened across the street, it could certainly happen to anybody? Did that help from a marketing perspective?
Yeah. I wouldn't say that we necessarily wanted to mark it off as a painful event for people. But what I'll say is it's not just CrowdStrike. There's events like that all year round. Every year, there's more data breaches happening. There's more data leakage happening. And I think that that's another reason why people come to GitLab. We can help them secure that. And it's in CACI scanning 13 times faster. CARFAX said they're detecting 30% vulnerabilities earlier. That's going to prevent something like a CrowdStrike incident or other incidents where people have deployed insecure code or there's a bug in the code and it was just missed because we're all humans, right? So I would say that we benefit from all that from a marketing and positioning standpoint, but it's not about a single event. It's about awareness, education, and how GitLab can help.
Cool. We're out of time. But thanks again, David and Kelsey, for coming. And best of luck.
Yeah. Thank you [audio distortion] chat for a little bit.