JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Good morning, everyone, and welcome to Day 1 of the Morgan Stanley TMT Conference. I'm Sanjit Singh part of the Morgan Stanley software research team. For this next presentation, we are extremely happy to welcome Chief Executive Officer, Shlomi Ben Haim, from JFrog; as well as Chief Financial Officer, Jacob Shulman. Shlomi and Jacob, thank you both for joining us this morning.

Thank you for having us. Great to see you, Sanjit.

Good morning.

Great to see you, too. So looking forward to an interesting discussion. Before I do that, let me quickly go through some disclosures. For important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures. If you have any questions, please reach out to your Morgan Stanley sales representative.

And with that, Shlomi, let's begin the conversation from a high level. You went public last fall in a very successful IPO. But if you sort of take us back to the founding of JFrog, what was sort of the thesis of the mission statement behind the company? And what problems were you looking to solve for customers?

Yes. Well, it all sounds like it was a long time ago, but in terms of the market development, it's just -- it looks like yesterday. JFrog is a pain-solver-driven company. First thing we saw was developers that are struggling to bring software packages from outside the world, from the open source community into the organization and manage a faster build in order to build software and release faster. That was the why. The main goal -- the primary goal is that we have to be faster. We need to automate it. In order to do that, we would bring something that someone already built, and we will use machines in order to build it faster. That was, as you remember, Sanjit, way before DevOps was a phrase. As the year went by, we built JFrog Artifactory as the universal repository for all software packages and then on top of it, Xray to secure the repository. So you don't just have the database of DevOps, but also the SecOps solution on top of it, JFrog Distribution to distribute software packages. We acquired a few companies, one of them, Shippable, that became JFrog Pipelines, the CI/CD solution; the other one, CloudMunch that became JFrog Insight for analytics. And all together, it's bundled to be what we have today, the JFrog Platform, which is a hybrid, multicloud, universal, end-to-end DevOps solution.

Great. That was great context. And then as we look back at 2020, which was obviously a crazy year on personal fronts, business fronts, a successful year for JFrog. Shlomi, in your view, how has the pandemic sort of changed your view of the market opportunity, if at all? And how has it sort of changed operations at JFrog as a result of the pandemic?

Yes. Well, first of all, 2020 was a great year for JFrog. We just had the earnings a few weeks ago, a very strong closing to the year that, to be honest, I think that every human being on the planet is very happy to turn the page on 2020 and move ahead. But for us, for the business, it was a very good year. During 2020, we saw very clearly that the DevOps story, the DevSecOps story, got crystallized by this new reality that was pushed on all of us, working remotely, distributing software faster, enabling all types of things that now is powered by software, including this conference. So obviously, that crystallized the need for companies like JFrog. On the other hand, JFrog had to move with 700 employees to work completely remotely from distributed places. We need to support our over 6,000 customers from all over the world remotely. We keep on -- kept on building our solution and products when the team is distributed and even managed to go public on the company's parking lots. So it was a very challenging year. Moving forward, I don't think that, during the pandemic, post the pandemic, our world will become again what it used to be. So software distribution and software enablement on the edge will still be the challenges if we move ahead. And this is why JFrog and the liquid software vision has a very significant [indiscernible]

Yes. That's great context. And to pick up on your point, Shlomi, I wanted to ask Jacob a couple of questions, have his view on 2020 and also sort of looking into 2021 guidance. Jacob, when we look back into 2020, were there any headwinds in 2020 that you think will turn to tailwinds, to potential accelerators for the business? That's the first question. And then the second question is as it relates to your 2021 guidance. Embedded with that and with that is about 130% expansion rate, which I certainly view as incredibly healthy to sustain expansion at that level. Can you sort of give us, why do you have sort of confidence in sort of sustaining expansion rates at those levels?

Yes, Sanjit. Obviously, the pandemic presented multiple challenges for us and for our customers. Customers saw a work-from-home environment. Majority of our customers still manage the infrastructure on-prem or self-manage it. And that's why it was very difficult for them to transition and to kick off new projects. Also, we saw some customers facing the budget scrutiny and the higher level of approvals required for even a regular spend. So as a result, we did see that it was harder for customers to kick off new projects and new customers to onboard to our platform. And that's why we saw the number of customers -- new customers added to JFrog solutions lower than to pre-pandemic levels. Obviously, we made some changes. The initial instruction that we gave to ourselves and support team was to retain our customers because obviously, the world was facing unknown. But on top of that, we did see acceleration of interest in products like our, as Shlomi noted, that the pandemic crystallized the need for products like ours. And that's why we launched the free tier, which we see thousands of users registering for this free tier, which will enable us a future -- in the future to convert those users into paid customers. Another thing that we noted is that it's not just about managing their packages, it's all -- what's important for customers is to build their workforce all the way to distribution and deployment. And that's why we saw, specifically in Q4, a significant number of customers kind of transitioning to the platform and the platform representing a higher percentage of revenues. That's what we will see going forward because the distribution, it's ultimate goal for customers, the organization could be very effective in creating software. But if it's not distributed to the customer, then it's meaningless. So going forward into 2021, we guided our revenues to the range between $196 million and $204 million, that in the midpoint, that represents about 33% growth. We target our net dollar retention of approximately 130 and above. And this is what we see. We believe that the land-and-expand notion that we kind of mastered over the past years will continue, especially with the new value of new additional products that we launched during this pandemic.

That's great context. And Jacob, you gave a couple of points on some questions that I was going to ask later, but let's hit on them now, which was really around customer base growth and the new freemium offering. And so I think the customer base group grew about 7% last year, obviously slower than it was in the previous year, obviously due to the pandemic. But Shlomi, I think one thing that you sort of said on the last earnings call was that the real focus was on retaining the existing customer base, which you did quite effectively, a very high retention rate. When I think about customer base growth going into 2021 and beyond, how much of a focus is that for you guys? And if you talk a little bit about the more robust freemium offering, how do you think that is going to translate into new paid customers over time?

Yes. That's actually a great 3 questions. So I'll start with the first one. Well, listen, not everything has to do with the pandemic. And I, for one, I would never accept an answer from my executive telling me, "That's due to the pandemic," and that's it. It's a full ecosystem. When we started to -- through the second quarter of last year, facing a worldwide pandemic that changes everything we knew, my team and I sat together and built a 3-scenarios playbook. The first scenario, based on what we thought will happen, was immediately executed by the team. And the first order was that the team, the support and the sales team, got instructed to do whatever it takes in order to protect our installed base and to make sure that our existing customers are paying JFrog customers. Now as we already shared in the earning, I was very pleased, I was very privileged to see that we demonstrated the same retention rate as it used to be before the pandemic. That's phenomenal for me. And it's more important when people understand how DevOps work. DevOps is not development tool industry. DevOps is [indiscernible] back-end solution, group serving solution, and it's very sticky. If you lose your customer to someone else, it will be very challenging for you to fight back and bring your -- the customers to your installed base. So that was the first thing that we wanted to follow. Obviously, it means, as everything else in JFrog, that we are very focused and very serious on delivery. And therefore, we demonstrated this retention rate. But on the other hand, new business was not the top of our priority during the pandemic. We demonstrate this phenomenal net dollar retention because we take seriously our installed base and the expansion, not just by revenues, but also by value. The second thing is that on February 2020, we had released the unified platform. The unified platform is the world's only end-to-end DevOps solution that is hybrid, universal, multicloud, focusing on a software packages platform and just a month after the pandemic happened. So obviously, our strategic team, our free tier that was released in Q3, a lot of changes happened because of the pandemic, that pushed a bit the adoption of our platform by new logos. And the third thing is that we saw, as Jacob mentioned and well said, we saw thousands of users, new users, jumping on the free tier when it was released in -- at the end of the Q -- the third quarter of 2020 and even a higher conversion during Q4, which signals for us a very good sign. But we also saw, and you know, Sanjit, we sell bottom-up, everything we do is bottom-up, we also saw thousands of developers telling us it's harder for us now working from home and find a procurement guy, a legal guy and my manager, and the life cycle of a new logo adoption is longer than what it used to be prior to the pandemic. Looking at 2021, we will balance that. Obviously, we will still be focused on our installed base, expanding our installed base in terms of revenues and ARR, but also accelerating the adoption of a JFrog solution by new accounts and new logos.

Great. You hit on another point that I was going to ask about, so you, I would say, might as well do it now, which is this put a bottoms-up model. And we see now in software a number of the modern software companies take the sort of product-led growth bottoms-up approach. What's interesting about JFrog is that you're taking that model, but at this early stage of the company, landing in the large enterprise, I think 75% of the Fortune 100, 30% of the Global 2000, how is that possible through a bottoms-up model? Like what's sort of the secret sauce or ingredient that you took the bottoms-up model and applied it to these large customers? Because it is frankly something that I haven't seen before yet, yet in software, at this stage of your growth curve.

First, thank you. Thank you for the kind feedback. I believe that what you see or what we call Enterprise+ DevOps is a software that is being sold not just to managers, but also to the user, to the end user. End users, developers became the rainmakers of the organization, understanding the need, understanding the business advantage that they need to create. And therefore, if you don't address your solution to them, you will fall behind your competitors. Just look, Sanjit, and you know the market very well, look at what happened in the security market. Legacy security solutions that are developers-nonfriendly solutions are being replaced by modern cloud-native security solutions that are embedded into the DevOps pipeline. And it's not just JFrog. All other companies that understand developers better are accelerating faster than the legacy enterprise software company. Now what's the secret sauce, to your question, it's not just selling bottom-up, it's coming with the right value and with [indiscernible] of everything. So when we started to see that Artifactory, the repository, became the control point of your DevOps pipeline, no matter what company you are coming from, no matter what segment, no matter what size, no matter what industry or vertical, Artifactory became your control point. Everything that happened left to Artifactory is the development arena. Everything that happened right to Artifactory is your on-time in deployment. But all of them have to check in and check out from Artifactory to get software packages, make the data [indiscernible]. Artifactory is the database of DevOps. Now think about it, when you hold something like that in your hand, it just makes sense to add more capabilities and values on top of it. Therefore, the security piece on top of Artifactory is a no-brainer for a lot of our enterprise customers. Why should we take a security solution from a third party that needs to integrate with Artifactory? Same thing with CI/CD. As we move forward to distribution, you will see that all of the values that we added on top of Artifactory are a completely logical step on top of the database. Think about it, it's like Salesforce having the CRM of the world. Nobody is asking why they acquired Slack. Of course, there would be a value there because they own your CRM. The same thing will happen with other companies that hold the repository of the primary asset. The second thing that we see is that most of the world already acknowledge the fact that software packages and binaries are the primary asset. And don't trust my word, just look at the other players in the market and what is their road map. It goes through, from software to software packages in CI/CD. And JFrog is the binary company, and we have this value. So I think we gained the trust that we needed from developers. We scaled with enterprise companies to levels that support 30,000 developers and more. And we are shifting right with that control point in our hand, and it will just grow.

That's great context. So we have about 15 minutes. I want to hit on 3 topics if we can. One, I want to start with Artifactory, and I want to talk a little bit about the multiproduct expansion story, and I want to hit on security. And so I'm going make it our mission to hit these 3 really important points before we have to end the conversation. So let's start with Artifactory. And the simple question is why do customers need a dedicated place to store their binaries and their software artifacts? And why is JFrog going to continue to maintain its leadership in terms of -- versus other sort of competitors in the space that are also trying to build a universal package manager?

Sure. So the first thing is why we need it. And binaries, Sanjit, was there forever. Every developer, 40 years ago, created binaries. But there were 2 things that demanded a fundamental change, and JFrog was the first company that introduced the world with the repository for your binaries for your software packages. The first thing is that no organization wants to build from scratch. And you can call it no code, low code, open source, whatever. You understand that you have to bring something that was built by someone else, and it's okay to adopt it in your organization. It used to be a question whether federal organizations or financials or the legacy organization will adopt open source and someone else's code, it's not a question anymore. That's being brought by the developers from different hubs, the Docker Hub, the Java hub, the Go hub, all of those huge reservoirs of software. Now Artifactory is the proxy machine. This is the importer. This is the automation of going outside the organization and bringing those software packages. Therefore, it became the best Java repository or Java software packages, the best Docker registry for containers, the best Go repository for your growing cloud-native solutions and 30 different package types that are supported, well supported and managed by JFrog technology. So bringing software from outside and building the organization around it, consolidating all the repository, organizing it in a way that the organization can have trust in this repository, what our customers call a blessed repository is very important when you have multiple teams and thousands of developers and even in a small company with multiple technologies. The second thing is that this whole automation happened not because of developers who wanted to automate things, but mainly because of the fact that you have to build and push software faster. If you don't, your competitor will be there before you. And therefore, automation requires binaries. There is no automated solution in the world that [indiscernible]. Binaries is 0 and 1. This is the machine language. And therefore, you go to Artifactory and you fetch the binaries, the dependencies, the metadata and you automate your flow. So all the CI servers, all the security, the test servers, deployment, all of it is an integration that requires an access to Artifactory. So Artifactory became a very authentic control point. And the third thing is that in a multicloud world, when you need to play in the cloud and on-prem, when you have the hybrid requirements and a multicloud requirement, you have to push and move binaries and software packages seamlessly, easily over the net, and this is a cheap asset. It's not the full version. It's just the software package that needed to be pushed. And today, with containers and Kubernetes, it's fast, it's cheap, it's simple, and it's secured. And it's all enabled because of tools like Artifactory. Artifactory is now the most popular and superior technology, and we are planning to keep it that way.

That's great context. And so as we think about the multiproduct platform story, one of the ways I sort of track your progress is with the adoption of Enterprise+, which gives customers access to all 6 of your paid products. And that mix last quarter rose to 26% of subscription revenue versus 13% in the prior year. So it's doubled versus the year ago period. When I look at some of the specific capabilities around Xray, Pipelines, Distribution, which of these pieces is about displacing incumbent versus maybe more of a greenfield opportunity? Because I think there's a -- there's this idea out in the market that a DevOps platform has to replace something else. What's sort of your views on that?

I think that it's obvious that source code and CI/CD is almost adopted by all companies. I don't want to say all, but the very, very vast majority of the industries already have any kind of a source code solution, maybe it's the Git, Subversion or Git, or maybe a different solution that was built by them. And CI/CD was something that the market was introduced to 10 years ago, 12 years ago and it's already commoditized. So there's nothing new about that. And now, the users and the organizations are looking to have a cloud-native modern technology and a consolidated solution. Therefore, the end-to-end solution that is based on cloud-native technology, universal, kind of answered this demand. But let's put this aside because your question actually had the point with the greenfield versus replacing other technology. The world of security, which is now phrased DevSecOps, also have been changed. And the main reason is that the security tools must hit less toward the developers. So things like SolarWinds will not happen again. You need to make sure that while building, while automating, while releasing software, if your security tools are identifying something that shouldn't be pushed, the build is being broke and now the developer would need to follow up and to manage it manually or the CISO or the security engineer. Therefore, a solution like JFrog Xray, that is natively sitting on top of Artifactory and very well integrated with your CI/CD, identifies a vulnerability, the dependency of the composition that leads you to the vulnerability and that build automatically with your CI/CD tool. So you will start to see more and more security solutions that are embedded into platforms, into solutions like JFrog. I claim that if you own the repository, why do you want to go and have a security from a third party, but this is also what we see by the rapid adoption of JFrog Xray. And also, we were very honored to be selected and voted by the community as the best DevSecOps solution in 2020. About the greenfield, JFrog Distribution is the only distribution solution for software packages in the world. Actually, Sanjit, a bank, an investment banking team that you know very, very well adopted this solution because they need to move software packages, not just in North America, but also in Europe and Asia. And they also need to push it from on-prem to multicloud and not just one cloud. So JFrog Distribution actually builds an in-house CDN solution for your binaries, for your software packages, cloud-native-ready, Kubernetes-ready. No other vendor provides that. On top of it, it's universal. So we are agnostic to the technology used. So obviously, this is a huge greenfield and another leap forward for us to the world of IoT edge devices, where the market is now called EdgeOps and the update on the edge.

That's great. I think, after today, I'll try and spend the next 6 hours trying to figure out who that investment banking customer is. It might take some work. On the -- sticking with the Enterprise+ piece, what are some of the common triggers for customers where they realize that they have to move from Pro X or Enterprise -- to Enterprise+ subscription? Is it about the scale of their software packages or their Artifactory size has grown to a certain amount? Like what are the trigger points for that Enterprise+ adoption?

Yes. Well, the -- something on the technology level, the usage journey level needs to justify 40x small than the entry point, right? So it cannot just be one dimension. So what we've built with the Enterprise+, the full platform, whether it's in the cloud or on-prem or both on a hybrid level, is the following. First of all, you get 6 sets of Artifactory highly available solution because we understand that the company of this size will need to go multisite and multiregion and it's not just a single repository. They need to get closer to the thing. The second thing, it comes with the security solution, the Xray solution and JFrog Distribution and JFrog Pipelines. So basically, you build, you secure, you distribute to multisite, to a multisite topology and a hybrid solution. When you get all of these values, plus the very, I would say, unbeatable support that comes with a JFrog solution, what we call the HTS, I think it makes a lot of sense for customers to adopt the end-to-end solution from JFrog. They feel safe. They feel secure. And as was demonstrated in the last quarter of 2020, we saw a rapid growth of our own customers, our own installed base, moving to the Enterprise+. We were also very happy to see that it started to be a landing point for some of our customers. We shared that one of the [ kosher ] deals we did with a cloud provider directed a new logo to the Enterprise+ directly.

That's great. And with just the last minute or 2 of the conversation, want to hit on my last topic, and you already sort of addressed a little bit on the security side and the DevSecOps. Two questions to sort of wrap up the conversation. First, to what extent has the SolarWinds compromised the SUNBURST attack? How much of a driver of growth has that been for the business that you've seen over the last couple of months? And then broadly, from a DevSecOps strategy perspective, what else -- what can we expect going forward from JFrog in terms of addressing these just sort of security threats? What role are you going to play going forward?

Yes. Well, I hope that nobody is celebrating SolarWinds, but it was another great reminder of why you need to embed a software security solution in your DevOps pipeline. So we got a lot of inquiry and demand from the market. A lot of our customers, starting their journey on the free tier in the cloud, with JFrog Xray, Artifactory and the Pipelines, and every few years, you get this kind of reminder that software vulnerabilities are hidden and can be pushed by the organization. So your repository, your DevOps pipeline would need to be secured. The second thing about that is that it is not just a matter of identifying it. It's the full orchestration of what happened. Okay. So I found out about it. What happens now? You need to know not just that you found it and you break the build. You also need to know that it comes in so many ways, in so many dependencies and maybe even released a week ago and you didn't even know about it. This is the beauty of managing binaries. This is why I claim that DevOps will be 100% relying on binaries. And you see that the other players are shifting forward to this road map as well. So security is one thing, but the integration with the CI/CD, the ability to configure it, to try and to prevent this kind of glitches by the development team is something that the organization will build. It's not a matter anymore of CISOs and security engineers. It's not a matter of pushing more responsibility to the DevOps pipeline.

Well, Shlomi and Jacob, we did strategy, products, financials in 30 minutes. That's not bad. Thank you so much for joining us at the Morgan Stanley TMT Conference. Looking forward to having you for many years to come, and best of luck in 2021.

Thank you very much. We hope to see you face-to-face in the next conference.