JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Good afternoon, and thanks for joining us today. I'm Jack Andrews, and I cover the data analytics and infrastructure software space at Needham. We're very pleased to have Shlomi Ben Haim, the CEO of JFrog, which we think is a very exciting company. It's arguably the first pure-play publicly-traded company in the dev ops space. So welcome, Shlomi. Thanks for joining us today. And just to sort of set the stage for everybody, given that you are a fairly new public company, your IPO took place in September. Could you just provide an overview of JFrog and summarize, what is the value proposition? What is the key problem that you're trying to solve for customers?

Thank you for having me, Jack. It's great to see you again. Yes. Well, we all hear phrases like software is hitting the world and so on. The speed of delivering software fast and secure continue to be a competitive advantage for every organization. And being the leader in the dev ops world means that you support organizations as they embrace digital transformation and make the developers the champions of big change. We at JFrog envision a world that is powered by continued software release process. From the developers' keyboard all the way to any edge, we call it liquid software, and we are very honored to lead this vision within the dev ops world, and now starting from September as a public company.

No, that's great. Could you maybe just provide an example of maybe a recent customer win in terms of just maybe the benefits that they are now achieving from utilizing JFrog's platform?

Absolutely. Well, we know that the developers that are building software and releasing software, there is nothing new about that. 20 years ago, 30 years ago, 50 years ago, developers build software and release it. The only change that we've seen in the market happening like extremely fast, is how fast this software should end up on the end users end. We all interact with our providers via application. I don't know, Jack, when was your last time at the bank branch going to see a clerk. I know that I will move from one bank to another because I don't like the application. And I guess 80% of the population would do the same now. They walk from your iPhone, our kids are learning from home, and it means that software needs to be updated behind the scene fast and secure. So one use case that jump into my mind as you asked the question, it's a big telecom customer that has to push software rapidly to the end users, to the edges. They build the software housed within JFrog Artifactory, which is the repository, then seamlessly distribute it after it was scanned by JFrog Xray all the way to 200 edges continuously. Software developments in building, access, securing, JFrog distribution automatically push it to the edge. One of the use cases.

Sure. Appreciate that. So just want to segue slightly into sort of the topic of today's discussions with a lot of people is just -- can you just provide some perspective on how the COVID-19 pandemic impacted JFrog in terms of just what shifts do you think are going to be permanent changes in your business? And maybe what's happened that is temporary today that you think is going to go back to some sort of normalization over time?

I'll start by saying that I'm super happy that 2020 is over. It felt exciting to turn the page on 2020 and to 2021, though we -- it's the same reality. I just hope that it will be behind us for our certain our family. In terms of the business, COVID actually magnified and crystallized the need of companies like JFrog. The need for dev ops. The need to move fast to a cloud-native environment. What it means, it means that if you stay out of the party, if you cannot provide software fast to your customers, then your businesses [ do ]. So we saw a huge acceleration in the cloud. Our cloud business, as you know, Jack, JFrog is the hybrid provider. So we have a self-hosted solution and a cloud solution. Our cloud business grew significantly. We also saw customers, that if they had any kind of plan to move to dev ops and cloud native, they accelerated this plan. And the one very important thing that I'm very honored to say, we didn't just see new logos coming in and using the JFrog end-to-end dev ops platform, we also saw a very high retention of our customers. And in a world of COVID when you have your budget concerns and your procurement and legal is far away from you, a lot of other companies lost business. I think that we managed to retain the very vast majority of our customers, and that was a great [ people ] to trust, but I think that it's also say something about COVID. That's the external impact on JFrog. Internally, I have to tell you, I missed my team a lot. I missed the white board, and I missed the interaction, and I want to meet people. But JFrog, in 10 different offices with 700 employees, moved quite fast to remote mode. And the amount of releases we have, the new logos, the sales growth, everything that we perform in 2020 kind of signaling that we managed to do this conformation. But I would be happy to come back to the office. I will be the first one to open the door.

Same here, I appreciate that. So shifting gears a little bit. In our conversations with investors, I think a lot of people find this whole dev ops space just very confusing in general. It's complicated. There's many players. Very fragmented. So could you just maybe provide a broader narrative about what's been happening broadly in dev ops and where JFrog fits in terms of just the leverage points that you provide from a broader industry perspective?

Of course. We could start with asking also what is the end in mind? What are we trying to achieve? Dev ops is a vehicle to achieve something. What is it? What is this something? And I think that it's clear now that this need of speed is what organizations like JFrog are trying to bring. This is the advantage. This is the value proposition we're trying to bring to a to every customer. You have to be fast. Now think about organization that you and I know, just 5 years ago, 3 years ago, it was okay that they will release software update once a quarter, maybe twice a year. It's not okay anymore. You lose your competitive advantage and your competitors are flying fast alongside you. And what we have built is a full platform that goes all the way to the left, to the developers and take software packages. It's the incremental -- just the incremental updates, take it from one gate to another, all the way to the edge. The way it work is that we provide developers with a repository that it's also the first common ground that they meet the ops. The dev and the ops meet on the software package depository. Artifactory is a universal repository for all software packages. Then on top of it, we developed the tool because -- JFrog Xray, because you want to make sure that this repository is blessed, and the same software packages and move fast from one gate to another without the hassle of having the [ CECL ] spending it every time that you build, that you build thousands of times a day. NetApp was distributing those software packages all the way to the edge. So once you have a release bundle ready, it's automatically pushed to the edge, and an edge that provide a full circular [ cross ] for your [indiscernible]. Now the big question in the dev ops world, to be honest with you, Jack, is where this is stopping. What is the primary asset? What is the first level -- the first -- the first level fit that we have to be focused on? And if you look at what is the package that moves from the developer hands from the moment it was created all the way to the run time, it's the binaries, the artifact, the images, the containers, the software packages. All different names for the same thing. This is the binaries. And JFrog is the binary company. Artifactory was named by the community "the database of dev ops" because of it. And this is how we accelerate the process of dev ops adoption in the world. Now companies are moving from agile and waterfall, and the majority of the market is still embracing dev ops. But that's, in a nutshell, what dev ops is here to solve. The world of ops and developers -- and development comes together.

Right. That's really helpful, and appreciate that overview. You touched on a couple of things I wanted to address a little bit more, which is just, again, your vision of liquid software, continuous software delivery practices. Just where is the market for that -- market acceptance and awareness and adoption for that today? Do you still need to evangelize the value proposition of JFrog? Or do people understand this? Because we hear about software being a competitive advantage, but some companies are still using literally the waterfall approach. So what does it take to nudge people more towards your vision? Are you actively doing that? Or do you expect there's -- they're doing it themselves?

Yes. The market already adopted the idea of automation and development acceleration process. CI/CD is not new to the market. It's been 10 years that organization started to adopt continuous integration tools. Managing binaries and bringing open source to your organization is something that you see in over 95% of the enterprise we know. The biggest banks of the world, the biggest retail of the world, the biggest tech of the world, they are all using open source and using the cloud. So there is nothing new about that, and we don't have to educate the market on how to adopt those tools. One thing that we start to see that takes place very, very fast but still in the very early beginning of it is the world of DevSecOps, means that security also need to be embedded into the process and automated and not just managed by developers and engineers, but also by tools. And the second thing that I'm very honored to say that JFrog is the only company that provide that is software packaging distribution. What it means is that once this software package is ready, you brought it from outside, you build with it, you secured it. Once it's ready to be deployed, you want a tool that automatically will push this incremental update. This is liquid software. Before all that, it's just developer tools. Liquid software is the A to Z solution that we provide. Now since JFrog is also a universal solution, we see all types of customers. We see developers that are using C++. We see developers that are using Java. We see those that move to the cloud. We see those that are still walking on-prem, and I'm happy that we can provide them all with a solution. But to answer your question, Jack, the majority of the market is still using, for this A to Z solution, is still using some homegrown solution, in-house development when it comes to managing the full release life cycle. Repositories, source code, CI/CD, this is something that the market is already educated and just maybe replacing tools and adopting new tools.

Sure. No, thanks for delineating the functionality that way. So you talked about JFrog as being a platform that you've developed. It feels to me like more broadly, there's a broader battle in the dev ops space between, I would say, best-of-breed vendors such as yourselves, and other companies that are trying to effectively consolidate this massive dev ops ecosystem very broadly. So can you just talk about that dynamic? How do you think this market is going to be going to be evolving? And do you think that you've positioned your platform well within other people maybe even trying to cobble together an even larger platform than what JFrog offers today. The platform -- it's -- anyway, I'll let you...

Yes. Well, we are looking at a very big market. Analysts are saying that the dev ops market is over $20 billion market. It's a big market. Every organization wants to have a piece of it now. And in order to have piece of it the organization want or claim that they have a platform. But a platform is not an expanded product. A platform is actually a solution that covers different phases of the [indiscernible] life cycle. What we have decided is that when it comes to binaries, when it comes to software packages, JFrog will be the #1 provider. And the main reason for that was that we own the database. We own the repository. So think about Salesforce. In the world of CRM, Salesforce is number one. Once they have this, they can buy Slack and provide you with the value that you didn't have before. It's only because they have the database of it. This is what JFrog owns. Now from that point, to add security to it, to add distribution, CI/CD and analytics dashboard, this is something that we can do because we own the database. Now if you remember, I started my conversation saying we must balance the need of the enterprise with the need, with making the developer the champion. And this is where it goes to your question, Jack, about best of breed versus end-to-end solution. If we want the developers to embrace and adopt our products, we have to give them the freedom of choice. This is what they call the Switzerland of dev ops. Don't try to educate me what tools or technology I should use. I want to work with Java or .NET or in the cloud or on-prem or with this tool or with another. Give me the flexibility, and once I integrated your solution and it's clear to me what is the value you bring, then I will expand it. And this is how we work. This is what we did for the past 12 years. We gave the developers the freedom to choose, and they did an awesome job adopting more, integrating more, become faster and deliver faster for the organization. So if you know how to find the balance between the enterprise needs and the developers' need, and you provide an open environment, then I think that your platform will be better adopted. Now there are a lot of other companies that claim that they have a platform. Some of them are saying that they are going to replace the old life cycle. I'm not a big fan of these visions.

Got you. Yes. Well, it just feels to me, anecdotally, every software company in any sort of whether it's applications, infrastructure, you name it. Everyone's calling themselves a platform these days. So it's -- anyway, it's -- we'll move on to -- because you touched on...

You know that analysts, just one last comment. They are far more sophisticated than that. And when you look at the adoption of different products in your portfolio, then you understand what company have one product and just adding fit here and call it platform versus companies that have multiple products in different deployment environment and actually provide a full [ implem ] solution. Now we are very focused on the world of binaries. This is why JFrog is the #1 platform in this world.

Oh, sure. No, I appreciate that. So you touched on something that I wanted to ask you about, which is just from our research on JFrog, you really have incredible mind share and amazing loyalty with the developer community. And again, these people are notoriously picky, I would say, about their tools. So what has really been the secret to building this loyalty and critical mass of adoption with the developer community that you've achieved?

That's a very good question. And I think that the source of it is the source of the company. And it's not just JFrog. There are a lot of companies that are focusing on developers and developers' life cycle. But from day 1, our DNA was built around developers and the community. We said when we founded JFrog, Fred Simon, Yoav Landman, myself, we said that we will build tools by the community for the community. It means that you are actually starting with listening to what is the pain of the developers, and then you provide not just the solution but also the innovation. I'll give you some examples to make it a bit more clear. When open source started to be a big thing in 2006, 2007, Artifactory was just in the very first steps as an open source tool that Yoav Landman, our CTO, developed. And the main reason was I will make your lives easier when you need to bring open source from outside. Fast forward 6 years, containers started 2014. JFrog became the first docker registry in the world. And it was just by listening to the community saying, "It's great that they have a Java repository, but they have to ship it and pack it and put it to the container. So why should they have another repository?" And this universal solution of Artifactory expanded by listening to the developers. Now they, at the end of the day, want to use tools that make their life easier and smoother. And I think that JFrog knows how to combine that with what is the value that it brings to the enterprise, like highly available solution, like a hybrid solution, like multi-zone topology and so on.

Right. No, that's really helpful. And that sort of touches on another question I had for you more broadly, which is just, you talked about binary management. But then how do you think about the broader rise of containers and the potential impact on JFrog? Because I also hear these days about the container registry market. If the containers become more standardized, what are the positive -- is that a positive for you? How do you think about the implications of containers as it relates to sort of your core offering?

Yes. We are very excited about the rise of containers from 5 and 6 years ago. And the main reason for that is that I have to explain nothing. Containers are images and binaries themselves. When you need to host your containers somewhere, you would put it in Artifactory. So obviously, as many more containers that we can get, our business will explode. So I'm very excited about that. Kubernetes cloud-native and containers are there to stay. Software delivery is now built differently than what it used to be 5 years ago and 10 years ago. And it's powered by binaries. And this is why I keep saying that the primary asset of the dev ops life cycle is not your source code. It's your binaries. This is what you bring from outside. This is what you develop inside. This is what you pack into the container, and this is what you ship and deploy in the...

Got it. No, that's helpful. I wanted to incorporate an investor question here into the conversation, which is just the recent news regarding the SolarWinds hack. You've introduced, obviously, a security product, Xray. So how can JFrog help companies in situations like that?

That's a very good question, and we get a lot of it from our customers. 85% of our customers are using more than a single product. And 85% of our revenue is coming from companies that are using more than a single product, and they are asking for this value exactly. JFrog Xray sits on top of Artifactory. And then your repository. Artifactory goes out and brings software packages for you. Now if there is a vulnerability of securities, risk in the binaries that you bring from outside your organization, you want to know about it while building. Now Jack, we are releasing, in today's world, 7 times a day, 8 times a day. Some companies are releasing and pushing software to the cloud more than 10 times a day. There is no security organization on the planet that will manage to keep up with this pace and not become a bottleneck. This is why the world of DevSecOps is mandatory. What happened there is that you have a tool that sends all the binaries that you bring from outside. All the software binaries that you bring from outside, this is what you build inside your organization. Once your repository is blessed, you know that you are vulnerability-free, then you can start build with this white-label repository. Now let's say that you find something in the repository that looks like a vulnerability or security risk. You want the machine to break the build, not to wait for the developer because this is what happened in SolarWinds. It was missed. If someone would know about it, if someone would notice it, they would stop it. But you want the machine to keep standing continuously and break the build if this is happening and not letting it move to the next stage. This is exactly what Xray is doing. The combination of Xray with your CI/CD [ tool chain ] and Artifactory is too powerful to secure the company from open source [indiscernible] compliance issues and security venerability. And it's all about automation and the power of the machine with the developer and not just the developers' own decision.

Right. No, that's really helpful. But you touched on something else that -- again, dev ops feels like it's complicated enough, and then when we think about DevSecOps, we're adding this new complexity on top. And so I just wanted to get your broader perspective on again, everyone's -- it seems like there's a common theme out there of people shifting left. Meaning, to my understanding is that security is getting embedded earlier in the development process, which would be -- it sounds like a real positive for JFrog. However, you have, call it, the stand-alone security companies. You've got other observability monitoring companies that have also introduced security as offerings, I should say. So how do we think about whose security offering may take precedence? Or is it -- how do you sort it out? People are approaching security from these different lenses, but they're all trying to incorporate it earlier in the development processes, which is where you play. How do we make sense of all that?

This is a very challenging new world. Everybody is shifting left and shifting right and sometimes you look at the value proposition of the company that says that they are all there for developers and you look at what they do, and it's only for one time and you ask yourself, how do you have the developer? And putting [ plats ] aside, we have to ask ourselves, what are we focusing on? What is the experience that we want to provide to the developers when we say we are going to shift left? And there will be tools that need to send your source code repository, your [indiscernible] repository. And it doesn't mean that it's completely changed the world of dev ops. It's not even DevSecOps. 20 years ago, you had companies that [ stand ] your source code repositories, whether it was [indiscernible] or whatever. The idea of embedding security scanning into the world of software release lag cycle became the DevSecOps. That's the real thing. It's not a matter of finding vulnerabilities. It was there 20 and 30 years ago. What -- how can I actually embed this solution, this scanning, into an action? How can I make sure that this [indiscernible] very fast going release process? So in the world of security, I think that what you will see would be more tools that are integrated with products like Artifactory. Artifactory became the control point of every organization. All of these companies that you mentioned in the world of security and DevSecOps integrates with Artifactory or repositories like Artifactory because they need to secure the binaries. That's the only thing that you push forward. If they want to scan the Git repository, that's fine. But it will not help you with the world of open source and building in-house binaries and, of course, not in the world of deployment. The second phase of it is what happened right to Artifactory, in the world of front time. And this is still container security. What -- how can I open this fashion door, the container, and look inside and find the binaries and make sure that they have no vulnerability hidden there? This is what Xray is developing. Not just the composition analysis on the repository, but also as we think about JFrog vision of DevSecOps, we look at the world of container security and onetime security...

Got it. No, that's really helpful framework to think about it. I want to shift gears a little bit, just talk about your customer base. You have a mix of customers that are both running in the cloud and on-premise. So maybe just talk about the dynamics there. Are most of your new customers landing in the cloud? Do you expect some of your on-premise customers to move to the cloud eventually? How do you see what the mix shift may look like playing out over time?

Yes. JFrog platform is offered in multiple deployment environment. You can have it on-prem, you can self-host it, and you can have it as a service coming from JFrog. That makes our offer very unique. We work with all the cloud -- with the major cloud providers. So you can have it on Google Cloud, Amazon or Azure on more than 26 different regions. That's a real hybrid, multi-environment, multi-cloud solution that is provide by JFrog. Currently, what we see is that the majority of our customers are self-hosting Artifactory and the JFrog platform on the cloud. Some of them have their own public -- sorry, their own private cloud, and some of them are using Amazon, Azure and GCP for it. We have thousands of customers that are using JFrog as a service on our cloud. And again, on the cloud of their choice, AWS, GCP or Azure. But what we see at the trend is that the cloud movement is happening. Organization, especially under COVID, understand that they don't really need to maintain this platform. They would prefer that someone else will. The big organization, the big financing industry, the big health care insurance industry, they still want to own their own world of dev ops, CI/CD and binaries, and they manage it in-house. So I think that we will see more and more adoption of the cloud. And slowly movement to a cloud deployment or a hybrid solution coming from the big organization. Hybrid is a very big thing in the world of dev ops these days.

Sure. Sure. I appreciate that. So just to follow up on that, then. How should we think about JFrog in relation to the public cloud vendors? I would imagine there's certainly partnership opportunity and some symbiotic relationship there. But I'm also wondering, there are some -- like Azure as their dev ops capability, for example, do you consider them -- is it a -- do you think it's going to be a coopetition situation? Are they proverbial frenemies? How do you see this relationship playing out with the public cloud vendors?

Well, first of all, they are, all 3 of them, and you should expect more coming to the JFrog portfolio, not just in the U.S., but also in APAC. All clouds are very good partners of JFrog. And the main reason for that is that it's a win-win situation. If I'm bringing millions of developers to use your cloud, whether it's via my system or your system, I guess that you would be happy. So there is a partnership there. But the world of dev ops, as we mentioned before, is growing rapidly. The addressable market is not just attractive to companies like JFrog. The cloud see that. They see that developers became the rainmaker, and they want to go closer to the developers' habitat. So they also offer those solutions like JFrog offer, like other companies offer. I think that my role as a CEO is to bring to you the authentic differentiators that will make you choose whether you go with the cloud or go with JFrog on a business prospective level. For example, if you need a hybrid solution, then JFrog will be able to provide it and the cloud will not. If you don't want to become a one-cloud shop, but you want a multi-cloud deployment environment because you are a billions of dollars business and you cannot put all of the eggs in one basket, JFrog is the only provider in the world of dev ops that will provide you with a multi-cloud solution. Now if you don't think that Microsoft and Google are going to merge soon, then you will bet on JFrog. And this is why we see the adoption of our cloud based on what they need. They can put their mother ship in Azure and edges in GCP, and it will still be a hybrid multi-cloud solution. This is something that the cloud cannot provide. And the last thing is that I'm taking advantage of a very strong team. I'm always saying it's a team of frogs with a heart of a lion that work very hard and faster than this organization. For example, distribution is something that JFrog introduced to the world a bit more than a year ago, and none of those providers have. Before that, we were the first binary repository manager when people thought that it's nonsense and then Xray with securing binaries and then insight to provide your analytics around binaries. So I think that the combination of a fast-delivering, focused road map, multi-cloud solution, freedom of choice, multi-deployment environment, I think that these are very solid differentiators that will keep the relationship as good partners, but also some overlaps. And you know what Jack, the fact that they are stepping in our road map just means that this is a very big market. It's a great [indiscernible] and pat on the shoulder for the frog.

Sure, sure. So I wanted to incorporate another investor question here, which is, I think, a good one. So just to clarify on the dev ops -- sorry, DevSecOps discussion. The question is, is the binary repository the most vulnerable piece of the liquid software life cycle because of the open source being pulled in at this step?

That's a great question. I think that it's already clear through any organization that open source is everywhere. You don't see today -- in today's world, you don't see organizations that are saying we are going to create everything by ourselves, no open source. Even if they don't know, the developers are already using open source. The second thing that we see is that the best practice around binaries are happening from your days at MIT, Harvard and Stanford. Actually, some of the universities are using JFrog in year 3 of computer science to build these practices with the next-generation of developers, which we are very honored about it. So there is nothing new about managing binaries now, and there is nothing new about open source. Now the combination of that means that you also bring a very big risk to your organization. Developers have the freedom to go outside the organization and bring open source in. What we developed in order to protect big organizations or any organizations that want to be protected is air gap solution that they can have siloed environment for the developers. And only after you bless Artifactory, these binaries are getting into the process of [ untimely ] deployment. This also answer your question before about SolarWinds' issues and more. Now you need to think about consolidation of all the repositories. You need a universal solution to support all of the technology so you will not have 5 different repositories or 8 different repositories to secure because it's impossible. And you also need to make sure that your DevSecOps is well automated within the full software release life cycle because you cannot trust human beings to review 1,000 artifacts an hour. You need some other capabilities. So to answer the question, yes, binaries are both from outside and inside the organization. Yes, they are being built and shipped every day, several times a day. And yes, you need to secure your repository in order to make sure that you don't push any vulnerabilities to onetime.

Got it. No, that's really helpful. So maybe 1 or 2 more questions here. One is just a common question that we get is just who do you think is the biggest potential competitive threat over time and specifically, should we be thinking about a company like GitHub moving into your space?

The best answer is, yes, GitHub is moving to our space. And again, a company that came from source code that building capabilities only in the world of binaries means a lot to us. It's kind of showing us that we had the right [indiscernible]. But GitHub is also a great partner. Actually, we use GitHub internally at JFrog, and they use JFrog internally at GitHub. We have to ask ourselves what are the different peers when we look at competition because there is not just one card that shows you who is the competitor. At the cloud level, we spoke about that. There are some overlaps with the multi-cloud and the hybrid solution. This is how we address this competition. In the world of the smaller companies like GitHub, GitLab, Docker, some of that other companies, there is some overlaps in different tools. I think that the end-to-end solution, what we see is the adoption, the massive adoption of our platform. The end-to-end platform, that JFrog provides focusing on binaries will be the future, and we will see some competition over there, and we will have to address it with better technology, better onboarding, more focusing on the developers. And the most important thing, Jack, is that the majority of the market still didn't adopt dev ops massively. So what we see is that in-house development and homegrown solution are being replaced. Now I need to make sure that it's being replaced with JFrog, but this is our path into next few years when we speak about competition. So sometimes you compete something that was built 5 years ago in a big organization, and sometimes you compete with another player in the market. But we all build a greater market together, so I'm happy about it.

Right. No, that's great. I think we are just about out of time here. So we'll have to leave the conversation here, but really appreciate you joining us. This has been very educational and super helpful, I think, for a lot of folks. So thanks again, and happy new year and best wishes in 2021.

Thank you very much. May the frog be with us. Take care.

Take care.