GitLab Inc. (GTLB) Earnings Call Transcript & Summary

I'm excited for this one. I'm spending a lot of my time talking to CEOs and CFOs over the next 2 days, but I get to talk product here in this presentation. And so it's -- I'm really looking forward to this. It's a name that we've -- we -- for those that don't know GitLab, we've known them for a long time. And I have been big fan of the technology. So I'm going to start off with some questions. If there are some in the audience, and it's a bigger group. So I will certainly leave some time at the end for folks. These guys are in the quiet period, so there's going to be nothing about any forward-looking comments of any nature on that side. So with that as a disclaimer.

Great disclaimer.

David DeSanto, Chief Product Officer, GitLab. Maybe for those that don't know, David, could you maybe tell us sort of about yourself your journey. I think you've been at GitLab for a little over 4 years now. But yes maybe just a little bit about your background.

Yes, absolutely. So I started off my career in software development, cybersecurity and IT. And I have been across both product and engineering organizations for the majority of my career. In 2019, I did join GitLab. I actually joined to add security and compliance into DevOps, which I think you all now know is Ultimate. And over the course of my time at GitLab, I took over products. And as GitLab's Chief Product Officer, my primary focus is on setting vision and strategy for the company and then making sure we can bring that to a reality.

Excellent. All right. Well, we've got a lot to talk about here. So maybe before we get into -- you mentioned your focus on security. Maybe before we get into that and gen AI, which you and I have been talking about outside here. Can you talk about the importance of a DevOps platform? And why in modern software development that is so critical? And I'll caveat this, I used to be a software developer in my days prior to doing this. And I can tell you, it was -- I wish I had GitLab back then. But maybe talk about the importance of DevOps and the real value of the DevOps platform.

Yes, absolutely. So onewcastlemax of the things that companies are struggling with is doing their digital transformations, and that's because it's tied to very brittle tool chains that they've built. And so when talking to customers and as a former engineering leader, I can say this, you end up with dozens of tools that are needing to be stitched together to deliver software. Whether it ends up doing is it drives artificial sizes in the organization, you get concerned about upgrading a component. From my own career, there was a point where I'd ask myself, I have to release software next month, do I upgrade Jenkins now? Because last time I did that, it broke a bunch of my other things that are attached to it. And those are the tradeoffs that organizations are trying to make. So if DevOps platform comes in and I'll say a DevSecOps platform because what GitLab is, is a way to essentially give yourself better visibility, better collaboration and honestly, better control over how you deliver software. The best way I can put it is in the words of our own customers. About 2 years ago, we did a survey through Forrester of GitLab Ultimate customers. And what came out of that survey was a couple of interesting data points. The first was on average, those customers are saying they were 7x more effective at delivering software. They got an ROI of 427%, and it paid itself back in 6 months. And the reason why that's important is all those things are about delivering software more effectively and also delivering it more securely, and that gives them an edge up in the market. And so when you look at traditional DevOps, which is developers pick the tools, you try to stitch together and you compare it to a DevOps platform, you get a better acceleration and you deliver a secure software.

So one of the things that always intrigued me about what you guys are doing is you mentioned that, David, you're taking a real fragmented historical market, you're bringing a platform approach. The question I get from investors a lot of times is, is there a trade-off between best-of-breed functionality and more of a platform approach? And are your customers actually using the entire feature set within the platform versus maybe a particular module, particularly use case.

Yes. So I kind of look at it from this point of view. I get asked the question a lot, well, what's the value of a best-in-breed versus platform? And I always say, a platform can be the best of breed. And so for us, we've really focused on 5 key areas of investment. Obviously, source code management code review, that's the original GitLab. CICD, helping people ship software, enterprise agile planning, which you and I were just talking about before we started, and our ability to bring all planning into GitLab and then security and governance. And those are the bets that we've made that give GitLab value. And then those other areas we consider them better together. They're not maybe best of breed, best in the market, but because they're attached to the platform and you get that additional visibility, they end up being good enough for a lot of customers.

So are you seeing the customers maybe come to GitLab initially for a use case? Or is it -- and then, hey, this is -- it's great for CICD or code promotion, but then start to expand into some other things? And ultimately, does that then cause them to then look at their tech stack and say, "Well, hey, like I'm actually using more of these features, I can eliminate XYZ?"

Yes, absolutely. And so typically, depending on the customer and the industry they're in, I'll talk about enterprise customers primarily today, but they land usually with source code management, CICD and security and compliance. Because if you're going to change how you deliver software, you're going to modernize it, you might as well grab the 3 most important things in the portfolio. To your point from there, over the course of their first initial contract us their first year, they see other tools that they're now using that feel obsolete in comparison to the platform. And that's when they move into things like planning, artifact registry and the other components that are around those key areas.

Yes. Yes. The other thing that -- and I'm going to get to the kind of the SecOps piece or the full DevSecops piece. But when you think about what makes it into the paid version, either the enterprise or the Ultimate -- the Premium or the Ultimate version. How do you think about what gets -- what stays in Free and what sort of that trade-off because you give a lot of functionality at Free?

We give a fair amount of features for free. So the way I look at it and how I lead the product organization is we ask ourselves, who is that future for? What is the benefit? And so if it's a future that is going to enable teams to be more effective, we put it in Premium. If it is something that's going to benefit organizations, we put that in Ultimate. That's kind of how those 2 tiers work. When going back to look at Free, we have become very strategic as to what we put in Free. Two examples would be we want to do free-to-paid conversion plays. And so about 2 years ago, we put some of our security scanners in Free. That's not the whole UI, that's not the enforced workflows, it's just the scanner. And what we found out is that customers would enable that. And then within 3, 4 months, they're reaching out asking how they can get to a paid version. And so we're very strategic in what we can put down there to drive that. The other thing is that, one of the things that I loved about GitLab, and I was a GitLab user before coming to GitLab is that community that's been built around it. And that community contributes software into GitLab itself. One of my favorite features was contributed by an enterprise customer for customers in the Ultimate tier. And so by having those free features, it enables them to do their own software development that would contribute back to GitLab. And so I always have to look at that, those trade-offs, but I think we've kind of made the goal with Premium and Ultimate being team and organization related.

Yes, that's interesting. So like when you're thinking about then these features that are sort of like considered maybe more table stakes and part of the free version, is that kind of -- like when you think about new feature development, is it like who is it trying to resonate with?

Yes, we follow the buyer base persona for how to build the product. And so yes, if we're saying, "Oh, that just helps on an individual developer or will drive more community contribution." There's a tendency then to put that in Free, but if it's something that organizations will pay for and will drive value and specifically drive up tiering from Free to Premium to Ultimate, then we'd make that strategic decision to put it in Free.

And I guess from a product development standpoint, how do you think about the self-managed product development versus the cloud?

Yes. So actually, I love this question. This is one of the things that brought me to get lab and differentiates GitLab. Our SaaS offerings, whether that's GitLab dedicated or single-tenant SaaS, our gitlab.com, which is multi-tenant and self-managed, it's all the exact same code base. And so when we're looking at how to provide features, we don't have to ask ourselves, "Well, how do we provide that to our SaaS customer versus how I would provide that to a self-managed customer?" A lot of companies end up with 2 separate code bases because of how they built their product and that now limits them from having a good user experience, developer experience with the product. So we have that benefit that literally at gitlab.com is running the same code you can download. We just have scaled reconfiguration of it to be able to handle the millions of monthly active users.

Are there things that the customers are doing with the [ dot-com ] -- the cloud version and maybe this will get into this more gen AI perspective that are not maybe as scalable as from a self-managed perspective?

Yes. So we do -- starting earlier this year, we released a thing called GitLab Cloud Connector. So for something like AI, the self-managed customer can connect and use GitLab's cloud infrastructure to run the AI for their team. And so we're doing that to kind of come over that gap because, to your point, it would be very expensive to build some of the infrastructure. But what I would say is that what we're seeing is if you're a heavily regulated industry, you're in fintech, financial services, you're in health care, your government, you're definitely gravitating towards self-managed or you're gravitating towards GitLab dedicated because we can provide that to our customer, give them data residency, data isolation and we'll be the only person on that deployment.

Okay. That's -- you mentioned a couple of important things that I just took when I hear -- what I -- you talk about financial services or government, these are highly regulated industries.

They are.

Can you talk about how GitLab supports customers with some of these more complex regulatory requirements?

Yes, absolutely. So one of the things that's unique about GitLab is that security and compliance is built in from day 1 in the product. So if you are in one of those regulated industries, you automatically get the benefits of our compliance. That compliance functionality includes who can merge, what code, the visibility to know there's been a compliance violation. You can set global-wide security scanning and execution policies. And that then allows them to have the visibility they need to go into an audit. One of our customers who is a call them a voice SaaS platform, recording, dictating and so forth. They shared with us that they were able to get through their last SOC 2 audit very quickly. Every time they were asked a question, hey, how did you handle this? Or where does this configured, they can just point a GitLab and say, here are all those logs. It's captured here. Oh, I can filter by that for you. Oh, yes, we have this enforcement here. It can't be turned off. And so that's how we're supporting them. What I can't stress enough, though, is that GitLab a lot of dedicated part of it. When we launched it a year ago, about 18 months ago, we knew we had something based off our initial demand. But as time has gone on and we brought that to general availability, we're now extending what regions in the world can be running. We're seeing a lot more demand for it. Regulated customers don't want to manage their environment themselves. They want someone to manage it, and they can't go on to a multi-tenant environment, especially if they're a government agency. And so that gives them the ability to have the benefit of everything you could do self-manage but not have to manage it yourself.

It's sort of the best of both worlds.

Yes. I mean, honestly, when I was a GitLab customer 5 years ago, I would have looked at it, right? Because we had the same thing. I worked for a company who sold into government agencies around the world, and we always had to show them we were being secure and the things were stored [indiscernible].

And so for GitLab Dedicated, is it 1,000 seats?

It's a minimum of 1,000 Ultimate seats.

And from a -- there's an infrastructure cost in addition to the seat count.

Correct. So it's kind of built as 1 SKU for the customer, but it ends up including GitLab Ultimate seats, they select their cloud region, then there's costs associated to that. And then yes, there's infrastructure storage, compute that go with that.

Are you seeing nonregulated industries look at Dedicated as well?

We are. Predominantly, it's mostly been regulated. But no, we do have some customers who are just in, we call them, high tech software, who are wanting to have their source code better secured. One of the things about GitLab is it's not just that we sell security and compliance, but -- so here is actually baked into the product. You have more securities in GitLab's source code management than you would be with another product. And so we're seeing some of those customers go, "I really want that because now I don't have to manage it myself, and I know the source code is secure."

Interesting. I have a few more questions. I want to talk about the Ultimate tier and then ultimately, we're going to talk about some of gen AI capabilities we've got. And then we'll open it up to questions here in a second. But let's talk about Ultimate. Let's talk about DevSecOps because when you guys went public, you were a DevOps company, and now you're a DevSecOps company. It seems like that was a big part of your initiative 4 years ago. Talk about a little bit more about that progress towards really driving this Ultimate focus, the focus on security and why customers are resonating moving to that?

Yes. So maybe to give a little context about myself, I mentioned formally in cybersecurity. I worked for a company where we were saying we were shifting security left. And in my conversations with GitLab, and I'll say predominantly my long interview with Sid, our Co-Founder and CEO, I realized we're actually -- we weren't shifting security left. And so that brought me to GitLab because I was like, "I can actually help organizations [indiscernible] like before." And so then we asked ourselves, if you're going to truly do that, what does it mean? And I can't stress it up as a former security person, you don't realize how much your terminology is confusing to a developer. And so we focused on moving our security scanners to run at code commit time. That means that we're scanning that delta code change. It means the developer doesn't have to wait hours. Sometimes, and I'll say this is my last security company I worked for, our scanner could take 24 hours around. So we could scan smaller codes -- or chunks of code. And we made it developer-friendly. We added in training. We added in prompts to help them understand it. We get to AI and we can talk about how we're now using AI to help with that as well. When that was successful, and I would say that was mid-2020 into 2020, we realized we had something. And to the question about highly regulated customers, that's when we start asking ourselves, if you're a compliance person, your compliance manager, compliance director. Like what do you actually need to know that you have a secure software supply chain. And so that's when we started building out what we call govern, which is our governance controls across the entire organization. And so that, combined with the security scanning makes Ultimate the value that it is today. A developer once, who's working on GitLab Ultimate, said, GitLab secure and protect, in this case, govern make GitLab Ultimate and their plan words of saying they're providing this value that organizations can really take advantage of. What I will say is that as we start to look at what does it mean, and I know you want to talk a little bit about the future for security at GitLab. What I would say is that if you end up becoming a GitLab customer, you're always working towards that Ultimate because you might land with Premium, you're focused on source code management CICD. And then you realize there's requirements you have to meet. And those requirements is that visibility in those controls, which Ultimate offers.

So let's talk about that. And maybe almost like a day in a life because historically, you might sell a seat to a developer or maybe a business ops folks, person, are you now selling them to -- like are -- who's the -- like I use the word Ultimate, but who's like the Ultimate landing spot then?

We did a good job with that word, right? You can't talk about GitLab without saying...

Yes. Without saying Ultimate.

So it depends on the industry they're in. If it's technology, if it's fintech, we have a tendency to see the CTO or CISO be the 1 who starts that conversation. And the reason why they're asking that is they say, "Hey, look, we have to meet all these requirements. I've got 100 tools, and that's not a joke." Like I actually talked to customers that had 120 tools that made up their ability to try to deliver software. And like I have no clue where it is, things are broken. I need to be able to talk to auditors. And so that ends up pulling them towards that. Now as we talk about like who inside that organization gets the most excited. It's been very interesting. GitLab used to be a very bottoms-up opportunity. It landed with a single team. That was usually a developer, the developer -- the other developers and the team and the EM to start using it, engineering manager. And it's actually shifted to almost a tops down. It's the -- I see what that customer did and it could be the T-Mobile use case on the website, where they shipped software every 7 minutes now using GitLab. I've heard you've all heard the UBS story a bunch. So we won't play with that. That's another great example. And they say, "I need to do that, too." And I think that's where our customers are great. I see our customers as partners. They see themselves as partners. Everyone says that. Everybody at work would say that, but this is actually truly the case. Some of our customers do become the best salesperson because they'll say, "Hey, I was talking to my coworker, our friend, a confidante or whoever it is. That works with this other company that has a similar problem that I had." and he's like, let me introduce you to GitLab. And so I think that's where it is.

Top-down bottom-up now, and it's the SecOps piece that may be driving a big part of that.

That's driving a lot of the tops down for sure.

Yes. Yes. Interesting. Let's pick -- we can sit here and talk old day on just this. But for the sake of time, let's move on to some of the generative AI capabilities. I guess from a high level -- from a product perspective, do you see a difference between -- I mean, we've been talking about AI forever. You see -- do you see -- I mean, and I know the answer partially, so it's leading the witness, but the real difference between AI and generative AI and what that means from a GitLab perspective?

Yes. We are primarily using generative AI at GitLab. What I would say is instead of really talking about the differences between those, I think what would be great is to talk about how GitLabs doing it differently. Because everyone is saying they're including AI. And that's true. I was just at CUBE con last week, it's big ops conference, and you couldn't walk 5 people out someone telling you that AI in their product. So GitLab, even though we're source available, we talked about Free. We're an open [ core ] company. We're very transparent. We end up in a situation where these are heavily regulated customers. These are people who have intellectual property, they can't have to go public and they come to GitLab to help them secure that. And so when we were looking at AI, we had to ask ourselves what would make GitLab the best usage of AI and do it the GitLab way. And so we defined 3 tenants. The first was apply AI to the entire software development life cycle. When we recently just did our DevSecOps survey. If you've not read them, then they're amazing, there are full -- lots of great detail, we had over 5,000 respondents. What we found out that survey is that only 25% of the time that is on writing software. And if that's the case, then if you just accelerate that one part, the developer part, you're not really helping your organization get better. The second was we want to be privacy and transparency first. What that means is that from a privacy standpoint, your code stays your code, we don't use it to train or fine-tune our models. And the transparency part is that you could literally go to get lab documentation at [email protected]. And you'll see every model we're using and how it was trained. And so that has allowed customers to feel more comfortable adopting it. GitLab is trusted by more than 50% of the Fortune 100 to secure their intellectual property. That's an outstanding number, right? You talked about security started essentially 4 years ago in the product, and now we're the trusted provider. And then the final one was we really wanted to focus on best-in-class AI. And what that means is picking the right model for the right use case. And so we currently have between 12 and 16 models we use to Power GitLab for our AI features. And so if you combine those all together, that's how GitLab is doing AI differently. And it's really helping people adopt the GitLab Duo, which is our suite of AI-powered DevSecOps workflows.

So today, it manifests itself also in code suggestion on module. Do you see multiple sort of add-on features in the future that are kind of AI-based? I mean how do you think -- and I guess there's a question of how do you think again about what makes it into the base an Ultimate tier versus an add-on?

It's a great question. So just an update for everyone, no one saw the press release last week, we actually announced code suggestions will be GA in December. Very excited about that. We've had a lot of customers turn it on and use and give us feedback. And also last week, we announced this week on the 16th, which I think is Thursday. I know honestly, I've been all over the world at the week it is. The Duo chat function will go into beta, which means we'll be available to a lot more customers and be monetizable. And so...

Is that an additional add-on?

It's part of the existing add-on we announced, which has the introductory price of the $9, but it'll also be available to customers in Ultimate. So to answer your question, we're looking at where the AI future fits and who it benefits, and that's driving where it goes into the product. Today, we have nothing that's going to be in the Free tier related to AI but things like our vulnerability summary, which I mentioned a couple of minutes ago, a customer share how that allowed them to drop some of their training material. That feature will explain the vulnerability in natural language, given an example of the code being exploited, given an example of that code being fixed in the developer's programming language. And so that feature is going to go in Ultimate because it's fall on top of GitLab Ultimate. And so that's how we're looking at it. It's like where is the future fit? What to build on top of and what's going to give our customers the best boost.

So then that's -- it's a great sort of like dichotomy of how you think about adding. Do you see a world in the future where there might be 2, 3, 4 different add-ons that are sort of very specific to a use case?

Yes. I mean it's a great question. Some of that's probably forward-facing stuff. I can't talk about in the quiet period here. But what I would say is that we're finding ways to monetize the product in a way that is best for our customers. That includes -- we shared with our customers, we have a planned add-on that's available this week. That's helping to bring in the nontechnical people and to GitLab Ultimate. And so we're always looking for ways to do that. We realize just Premium or just Ultimate can be very restricting.

I'm going to ask the competitive question, then we'll open it up for the group here. It's the question. I get all the time. And we and I were talking ahead of time, we wanted to focus on your functionality versus the competition. But let's talk about competition.

We absolutely can talk about competition.

Well, how do you think about -- because to me, I see competition with Free. I see competition with GitHub, and I see competition with fragmented providers. Is that kind of how you think about it?

It is. I'm less worried about the Free part. Maybe a couple of years ago, Free had a lot more value and functionality in it. I'm most worried about that. I can be honest like we've done a really good job making it a free-to-paid conversion play, and we're seeing the impact of that even through the recession here and the pandemic like we still were growing is because people are converting. The -- we do see GitHub, obviously. There's really 2 main people in this race for DevOps, and that's the 2 of us. We see them as a developer platform. And that's using their own words. They -- sure they want to focus very much on the developer, the developer only and then developer experience. We then separate ourselves is that, that enterprise platform that brings in everyone. And so that's kind of how we see that. But to the last part of your question, a lot of times, I see the point solution as the competitor and not so much another platform. And that's because we're going into these companies of fragmented tool chains, and they have, again, sometimes over 100 tools that they can get rid of using GitLab, and it's helping them understand that GitLabs just as good or better for that use case. And so playing is a great example of that. This is the year that we're seeing customers migrate off of Jira in favor of GitLab plan. And that's not just small start-ups or little companies. This is large enterprises who are saying, there's a better way to do plan and we're going do this with GitLab.

Interesting. So when you -- I guess, double clicking on the GitHub piece, the functionality is quite different, right? Maybe explain a little bit where -- because even just from an Ultimate tier perspective just level set kind of how -- when you see the competition with GitHub, why do you win then?

Yes. So it's purely on the DevSecOps platform component. What we're winning on is that GitLab provides a secure SCM, GitLab provides scalability that's not always there with competition. And because we're supporting everyone in the process, you get a much better visibility. The one thing that's been very surprising to me is that customers adopt our value stream analytics day 1. That's their ability to look at their entire tool chain and see where their bottlenecks are, and that's giving that visibility. And so if you are using GitHub, those things are add-on you buy through their marketplace -- our GitLab lot is included from day 1. And so for us, it's I need better CICD, I need scalable CICD. I need secure source code management. And I need those security scanners, the compliance controls all just built in. The one thing that I've been very impressed by with our customers is they're very vocal with us. So they may tell you something different about they may go, well, it's really this other thing that a decision on. But really, if you compare the 2, it's a developer platform versus a DevSecOps of platform.

Yes. And if you look at the number of paid seats I mean we don't know exactly what you guys are or even what GitHub is, but it's still -- we're scratching the surface on the total number of seats out there, right?

Okay. So one of the things that makes me excited about GitLab's future is that this is still very much a disjointed tool world, and there's a lot of upside for that. And so GitLab has had a lot of success in the 4 years I've been here, almost 4.5 years, a bunch before I was here, too, and it's because people need to transform how they deliver software. During the IPO, since everyone is going to have to become a software company to stay competitive, I think everyone's got to become a security aware and AI aware, company to stay competitive. And so you could do that by buying 100 tools or you could buy the leading platform. And the way I like to tell everyone, and this is -- you all may have seen this as well, but don't take my word for how great GitLab's DevSecOps platform is. Look at the Gartner Magic Quadrant for DevOps platforms. We were a leader. Look at the Forrester integrated software development platform, we were the only leader. And so that is our customers telling you through that survey. It's the industry telling us that. There is a better way to deliver software. And that's very much a lot left to go.

I'm going to pause here. Are there questions from the group out here? Yes. It's coming right up there.

A question for you on the planning opportunity. When you look at the per seat price, Jira tends to be less expensive for the nontechnical individuals, which at least when we talk to some customers seems to be obstacle to adoption. How do you think about that as a way to unlock potential competitive wins?

That's a great question. So when we've been looking at how to position GitLabs planned again something like Jira, we have to look at it from a future-by-future standpoint. And I think the great example of that is the cheaper Jira license you're mentioning is really focused just on team planning. GitLab has okay our functionality, business objective tracking, that you'd have to go buy Jira online or another tool on top of that. And so when you start looking at the organizational-wide visibility, GitLab even in Ultimate becomes a very good selling point for customers. Now I mentioned 1 second ago that we announced the plan add-on. That's also going to help to your question as that becomes available this month that's going to give customers an option to bring in, say, their program managers or people who they don't want to buy a full Ultimate license for.

Thanks for the question. Any others out here?

Someone has raised their hand. I don't remember who that was.

Okay. Well, we'll keep going here. We only have a couple of minutes left anyway. The one thing that I -- it always strikes me that observability should be hand in glove with DevSecOps as well. How do you think about that opportunity as well, right? If you're helping to build, deploy, manage, shouldn't you be observing it as well?

Yes. So how I look at it is that if you're going to be successful delivering software, you need to have the loop close, which is observability, analytics and so forth. And so not much of a [indiscernible] we acquired Opstrace, the bring up or building to get lab. We've now shipped both error tracking and tracing inside the GitLab. We also looked at it is that that's part of getting the feedback, and we need to be able to close that loop with actual user feedback. And our customers asked us for a way to essentially measure that. Their proposition was if we build secure and deploy the application using GitLab, should we not be able to get the analytics of that application back in to GitLab. And so we built a unified analytics stack that observability or value stream analytics product, analytics are on top of, and it's allowed us to then continue to expand what we can do. But absolutely, I think you have to close the loop with that information, whether it's incident tracking with observability or user feedback. If not, you don't know what to build right in your next release.

So I think there's a lot of things to be excited about. When I think about the opportunity for GitLab, I think of multiple drivers. I think of free to pay, I think of Ultimate, I think, code suggestion, I think, Dedicated. If I ask you, what is the single -- or just under penetrated market opportunity, what's the single biggest thing that you're excited about?

It's that last one. So as a former engineering leader and seeing what's needed to securely deliver software, is truly an untapped market. We put it at $40 billion. If you add up us and GitHub, we're untapped $40 billion. So there's a lot of untapped potential there. And I think it gets unlocked with questions like how do you bring in plan better? How do you bring in the observability better? I think that's going to low GitLab continue to grow. That's why I'm excited about the future of the company. And I think that over the course of however long you're going to see us mature those areas and bring in more into GitLab.

Excellent. Well, David, from all of us at RBC, thank you for your time. And we're excited about the future product road map here with GitLab. Thank you.

Thank you very much. Thank you all.