JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Hi, everyone. Thanks for joining us today, and welcome to the 25th Annual Credit Suisse Technology Conference. My name is Rich Hilliker, and I'm a software analyst here at the bank. We're excited today to have JFrog with us. Jacob Shulman, CFO, thank you so much for being with us.

Thank you, Rich, for having me. It's really my first in-person conference since COVID. So I'm really excited to be here.

Yes, it's exciting to see everyone back together.

yes. Sounds good.

We're excited you're all here and looking forward to a good conference together.

So maybe for those new to the story, you guys are kind of up and coming in a lot of peoples' radars. But for those who are kind of just digging into the story, could you maybe share your vision for the company and walk us through how you're creating value for customers?

Yes. So our vision is to power all software updates all the way from developer to device. As you know, software becoming competitive advantage of multiple companies. How fast you release your software? That's what defines you in the market. And today, it's manual, inefficient, vulnerable process. So we came to this world to standardize this process to help companies to build their software supply chain, and we became critical component, a critical platform and the bridge between the developer environment and the production environment for many companies. We're uniquely focusing on binary management because binary is the primary asset that company needs to manage throughout this entire process. Devices, they don't speak languages. They don't speak English, Spanish or any other language, they speak 1s and 0s. That's what runs on devices. Therefore, every company that releases software has to go through the process of building binaries, securing them, physically distributing them to the place where they want their software to run and moving into production. That's what our platform does. And that's why we're very critical for every company that wants to release software fast and secure.

So you mentioned that the agility of which companies are releasing software kind of defines their success. I thought that was a cool line. How is that investment intensity and that development intensity changed over the last 18 months as we've kind of hopefully worked our way through COVID, we'll see, right, recent news. But as we've kind of worked our way through that, how have CIO strategies and company product management strategies how they've changed? And how has that impacted your relationship with them?

Yes. Obviously, COVID had tremendous impact on how people think about their software supply chain. Our environment that forced us to work from home, we cannot have any manual process anymore. People have to go and automate a lot of them. And that's what our platform does. You cannot automate source code. You can only automate binaries, binaries, the asset that -- executable assets and that's why people increasingly think about adoption of our products because that's the way the future environment will support that.

Got it. That makes sense. So as we kind of -- that's a helpful overview and how the landscape has changed and where you sit in it. As we think about the next 3 to 5 years, how do you envision package management evolving within the DevOps life cycle? And how do you plan to capitalize on that?

Yes. So first of all, there are several steps that you have to have in order to release software fast. And some of our customers release 10 times a day. You don't even think about this version. So that's why it becomes liquid flow of software. So first of all, first step is to have everything in 1 place, second step is to secure that and third step to distribute that. So this is how we started and developed our platform. We started with Artifactory, which is our primary flagship product and became de facto standard in binary management. That became your single source of truth or a system of record for all of the software that is created within the organization. As you know, software is not just created by -- from source code. It's also brought into organization from open source. And today, about 80% of your software application is written by someone else. So we really need to have one source of truth for entire software whether created in-house or outside of the organization. And Artifactory became the de facto standard in binary management. Today, it's largest installed base of the entire package managers. Then the next natural step for us was to secure that. No one wants to distribute vulnerable products. So we developed a product called Xray, which basically automates a lot of security tasks for developers, make them very efficient and also addresses [ decisions ] of the organization. And then we developed next product called distribution, basically taken all of your software and delivering that to multiple customers to multiple locations or to your IoT devices. All of that is powered by automation, CI/CD automation. And on top of that is the dashboard that shows the C level, how fast you release, what are the vulnerabilities you're dealing with, et cetera. So as we build a platform, we see a lot of opportunities for us to continue and expand these capabilities. So our strategy. If you think of Artifactory as a center, to the left of Artifactory will be the developer world, Git repositories, your CI tools and every tools that make developers very efficient. And to the right of Artifactory will be the production space. Again, we critical bridge between developers and production. So our strategy is, first, to make your developers very efficient by integrating with whatever tools they want to have. And today, we integrate with over 40 different tools within the ecosystem that make developers freedom of choice. They have freedom of choice to use whatever tools they want to become efficient. But then once the binary is created, we take over and take it all the way to the deployment environment. So that's where we see our future product road map we'll be focused on, making the developers efficient but also adding more capabilities to enterprises to make the software release process very efficient.

Got it. Okay. As we think about -- you mentioned the Xray offering. As we think about like the increase in ransomware attacks over the last 2 years and the importance of just making sure you're -- what you're producing is safe and secure. How do you see developers kind of in organizations, how are they evolving their DevOps life cycle towards more of like a DevSecOps life cycle? Like what are the changes that they're making and what does that look like?

Yes. Today, this is a very fragmented environment. And there is no one vendor that could offer the entire security all the way from developers to device. This is our aspiration to do, and we're working toward that. But today, there are several tools that exist that address certain components of this entire life cycle. There are tools that address static code analysis, dynamic code analysis, software composition analysis, container security, on-time security. There's -- it's a very, very fragmented space, but no one today has this. And with our acquisition of Vdoo, we have the technologies and capabilities to build this one platform for security. So it's not just important to secure a source code securing a source code is your security dev environment. Life in the device management, it's not your development environment and devices and your software with customers subject to other risks as well. So therefore, it's really important to analyze the packages, the security of packages to ensure that packages that leave the organization are secured in device. Solar wind hack happened not because of the source code was not secure. It happened because the component that you brought from outside of the organization was vulnerable. So Xray is a tool that helps you to secure your entire software by adding these tasks, whether it's breaking the build, if you bring vulnerable component from outside of the organization or you build yourself vulnerable component or helping you to comply with certain policies. For example, if the organization does not allow GPL license from open source, Xray will not allow your developers to bring that component into the organization. But it's not -- this is not enough. You also have to ensure that all of the steps within software supply chain is secure. So that's why with Vdoo acquisition that we completed in July of early this year, just about 4 months ago, we're building capabilities to secure all steps within the supply chain.

Got it. Okay. Well, this has been a great kind of dive into the business and the overview here. If we kind of turn over to the competitive landscape, given the acquisition and given your kind of your 3-phased approach here, where are you seeing competitors -- where are you seeing the most distance between yourself and competitors? Where do you think you have the biggest advantage? And maybe where do you see the most the most competitive bake-offs?

Yes. So first of all, when we think about competition in the market, we kind of divide it into 4 different tiers. The largest tier is homegrown tools. And today, a majority of customers that join us, we replace homegrown solutions. There are tons of different open source technologies that build together and kind of tied together with some homegrown solutions. Obviously, this is not scalable. This is not cloud native. It requires significant maintenance, et cetera. So all organizations that today use this combination of homegrown solutions and homegrown tools think about vendors who can provide these capabilities. So today, this is the large component of the market. We really just the beginning of replacing these homegrown solutions with the op stores. Second component is companies within DevOps market and each tool within our platform has certain competitors. For example, Artifactory, our flagship product binder management, the second largest installed base is a product called Nexus by Sonatype. For Xray, our security solution, there are tons of and security tools that we talked about. For distribution, there's no commercial vendor who can offer distribution capabilities. It's today, primarily people distribute with some homegrown solution on top of CDN. So each of the products within our platform has their own competitors. What are differentiators. First of all, it's end-to-end platform focusing on binary management and software supply management. It's depth of the technology that we can offer. We've been doing that for over 10 years, 12 years. And we, by far, the leader in this space and the standard maker. The third level of competition is cloud. So first of all, I have to say that cloud is a great partner of ours. And they offer us in all marketplaces and we have go-to-market together. Their KPI is different from ours. Their KPI is traffic on their systems. Our KPI is to help organization to release software fast and secure. But we generate a lot of traffic, and that's why they partner with us, but they also want to partner with and offer some tools to developers, and that's where the overlap is. So there are 3 major differentiators in this ecosystem. One is depth of solutions. Obviously, we standard -- we became the standard in this space, and we help in largest organizations today to release software fast. Second is multi-cloud. None of the organizations want to be just one cloud shop, right? Multi-cloud is increasingly on top of mind of the C level, and that's we're the only ones who can offer a multi-cloud solution. And third, is hybrid. Majority of our customers today have significant self-managed installations. Everyone understands that the NorthStar is to the cloud, but it will take many years for them to get there. And therefore, offering hybrid capabilities. That's a very significant value for them. And multi-cloud and hybrid that those business differentiators will always be in our favor this competition. And the last year is a diversified software companies, such as IBM, VMware, Frankly, these companies relate to this market. And try to plan it through acquisition of some companies like VMware acquired pivotal, IBM acquired Red Hat, they had some small presence. But frankly, they kind of late to the market and don't offer a lot of value.

Okay. Understood. We're big believers that platforms win. And so I think that kind of aligns with what you're describing.

Absolutely. What we're seeing is that People today kind of identified several areas of expertise in DevOp space where they will use platforms. For example, in monitoring, there will be people using some platform in binary management, people using the platform, and we believe that it will be us. And Source Code, there are 3 major players that people kind of -- we see our customers using, whether it's GitHub, GitLab or at Bitbucket.

Got it. Okay. That's really helpful. As we think about the platform and how you're leveraging it, where are we in the multiproduct adoption life cycle? And in terms of penetration, how -- I mean, can you give us any sense of geo vertical size, where are you having success with multiproduct adoption? And how penetrated is the current customer base?

Yes. So first of all, today, if we look at our customer base, we have over 6,000 customers. More than half of them already use multiple products. Second largest product in terms of adoption is Xray. Obviously, the DevSecOps is on top of mind of people and Xray provides a lot of value in this space. And that's why we see people adopting Xray increasingly. We also see people -- when people transition to the platform, the major reason for that is for them to adopt our distribution capabilities. So about 5% of our customers adopted the platform they represent 34% of revenue. It's a significant growth opportunity even within our installed base. But we're seeing that distribution capabilities becoming more of interest to our customers. And as we expand our use cases covered by distribution that we will see more and more customers adopting that. Until recently, we were able only to distribute packages to data centers, to update your data centers or remote locations. In the second quarter of this year, we offered -- or we introduced private distribution network. This is the capability that does not require any hardware components for the distribution and can cover customers with thousands of different locations, for example, retail stores of food supply chain stores or customers with different regions. And with Upswift acquisition that we concluded in Q3, we'll be able to reach all the way to the device. So if you think about the distribution capabilities to data center, and distribution capabilities to the device, they're somewhat different, right? In IoT space, you don't have access to your devices. So you have to have remote capabilities to see what kind of software is running on device. You have to have remote capabilities of roll back, what happens if update goes wrong, right? So all of those as we continue to expand our distribution capabilities we'll cover more use cases, and we'll see more and more customers adopting those costs.

Got it. I think you mentioned that 5% of the customers have adopted the whole platform, and that represents about 1/3 of revenue. How are you structuring the sales force to kind of drive that total product -- or the total platform adoption higher beyond that 5%?

Yes. So first of all, we've grown through insight and bound. And today, our customer base includes more than 75% of Fortune 100, majority of Fortune 500, a significant portion of Global 2000. And we landed in these customers through bottom-up through adoption by developers. The way to incentivize customers to adopt more capabilities through a combination of products product capabilities and the right subscription structure. So we built our subscription structure in a way that allows this multiproduct adoption and kind of mirrors the natural evolution of customers adopting DevOps practices. Today, a majority of customers land with Artifactory and that's the entry level in the subscription. Then we talked about adoption Xray capabilities and security capabilities, and that's when we see that customers transition from Pro package to Pro X, That's the package that includes both Artifactory and Xray. Then when different teams within enterprise have adopted this Artifactory with Xray, it makes sense for enterprises to transition to the next level, which is Enterprise X subscription that offers not just benefits for developers, but also benefits for enterprise. If you think about it, developers benefits for developers and benefits for enterprise are different. Developers love cool features easy integration with other ecosystem tools, ease of use, et cetera. What enterprises care about is disaster recovery, multi-cloud, user management. So that Enterprise X capabilities will allow you have -- will allow you to have access to these enterprise features. And then we see customers growing and standardizing on Enterprise X solution. And once they want to ready kind of to distribute them when they transition to the platform. Obviously, going to market with a platform versus Artifactory are 2 different things, right? You don't go to developers with the platform. It's more strategically. And that's why we started building top-down and go-to-market approach just about a year ago. Again, majority of the land happens bottom up, inside inbound, but to help largest enterprises to standardize on the platform to adopt more capabilities of the platform, that's more C-level play. And that's when we started about a year ago, we started building the strategic team.

Got it. Okay. So that makes sense. You kind of like you kind of tailor the offerings and the packages to the customers as they grow with you and that makes more sense for them to adopt.

That mirror the natural evolution of these customers.

Yes, make sense. Well, it sounds like customers have been really growing with the platform. I think you announced this recent quarter that customers with over $100,000 in ARR group, I think, over 50% this year ,50% exactly there. What were some of the drivers that led such strong momentum there?

Yes. So first of all, the distribution capabilities become the primary driver as we offer more use cases covered by distribution that what -- when people feel comfortable to transition to the platform, increased security that another factor. It's not just important for you to -- again, to secure your developer environment. It's important for you to secure all the steps during this software supply chain, and we introduced a lot of value in this area, and that's why people feel more comfortable to transition to the platform and automate this entire process.

Got it. On the Enterprise Plus side, you're continuing to see some strong growth on that front as well. And I think that, that counts for increasingly, I think it's over 30% of revenue now. And there's a considerable uplift relative to Pro. So I guess how are you planning to kind of not improve, but grow that sort of customer cohort? Is it like how do you kind of -- we talked about how your product tiers are kind of oriented towards customers as they grow and they grow with you. But how do you kind of push more customers up that sort of life cycle to increase the value of the customer for JFrog?

Yes. Today, customers looking not just at the tool set, but also thought leadership and workflow management, right? And that's what we're trying to -- in addition to offering the platform as a product tool set, we also offer our customers ideas and best practices, how to adopt these products, how to increase their velocity in software deliveries. And that's what drives the platform adoption as well.

Got it. That makes sense. In terms of your investments, why don't we spend a second there, particularly on R&D. I think that you're hanging out around 30% of revenue, but your long-term targets are closer to 20% or 21%. And there's clearly a massive opportunity ahead of you. How are you investing today? And how do you feel about your current pace of investment?

Yes. So first of all, we play in a very large market. And you're absolutely right, we're just the first innings of the adoption of DevOps practices. And again, we discussed previously that majority of the market is greenfield. So it's a great opportunity for us to come and grab that market. We cater to developers. And you don't sell to developers through standard salespeople. We're a product-led company. Developers don't want to hear from salespeople. They want to try product and if they love product, then they will adopt it. So that's why our R&D today is at elevated levels because we want to make our product, on one hand, appealing to developers, on the other hand, to provide these additional capabilities on the Ops side as we talked about security and distribution. So we're also growing not just organically. We're also growing inorganically. Some of that R&D portion of revenue is because of the acquisitions that we made. So today, we're focusing on integration of these acquisitions in Q3, we made 2 acquisitions Vdoo and Upswift. Vdoo is a leader in DevSecOps space and Upswift is a leader in DevOps for IoT. So as we integrate this products into our platform and offer more capabilities, we'll see obviously additional potential for us to expand our customer base. And over time, we believe that we'll start seeing this gradual reduction of R&D as a percent of revenue toward our long-term targets of 21%.

Got it. In terms of the ROI you see on investment dollars, how does that vary across the different product areas?

So first of all, Artifactory is the de facto standard and the tool that is very well known to developers and loved by developers. We still invest a lot into Artifactory. In terms of scalability, in terms of ease of use, in terms of adoption, that still requires investment into Artifactory, but it's well-known product. Significant effort goes into DevSecOps. This is a growing market. And we see a lot of opportunities for us to excel in this market. And the third change goes to distribution.

Got it. Okay. We going to ask a couple more here, but I'll open it up to the floor shortly in case anyone has a question in the audience. Why don't we talk a bit on M&A? You've mentioned Upswift and Vdoo. Can you talk about the integration efforts that you've been -- that you've kind of been putting in place here? And how do you feel about the progress so far? And have there been any surprises along the way that you've encountered?

Yes. So far, it's been going very well. Vdoo is a more mature company than Upswift. There's a significant team of security experts. And even during this 4 months period, they already made shocking news in security space where we develop discovered multiple zero-day vulnerabilities in different open-source repositories, for example, pipeline technologies, et cetera. So the integration going very well. And really, we've seen even the JFrog brand in security kind of growing as a result of that specifically because of this acquisition. Upswift is a smaller team, products still needs to be more scalable in order to reach out to millions of IoT devices. So it's more kind of right now in more development phase and scalability phase right now. In general, in terms of M&A, as you know, DevOps market is very fragmented. So far, we made 8 different acquisitions. Most of them were technology-based. So we'll see. There are opportunities may arise from time to time for us to add more technologies, but we have very rich in-house internal road map as well.

That's great. Okay. Maybe I'll just pull the audience here and see if anyone has any questions they'd like to ask, Jacob. Sure. Go ahead.

[indiscernible] question repository source code of facts. Why do I need to keep us repository binaries especially assuming we compile that generating binary codes. It's just [indiscernible] market? That's the reason why we buy code.

There are several aspects to that. One of that is velocity. Second is efficiency of doing that. Your source code repository never goes out of the organization, about 80% of your software built by someone else. So you have to have a tool that goes out to different open-source hubs and automate all of this in process. You don't want your developers to search Internet in different places and bring those open-source components into the organization. You want to have some formal policies around that and security. That's what Artifactory and Xray allow you to do that. It's also a matter of scalability. Source code depositories text very small in size. Binaries, they're very large files in size. CI tools build these binary files by millions every day. So if you don't have scalable repository, you'll just explode in storage. Another component is cleanup mechanisms. You never delete anything from source code repository, you delete almost 99% from binaries because if your binary didn't pass test I have nothing to do with that. They have to clean. So there are a lot of automation that happens on -- with Artifactory that is not allowed through source-code repositories.

Any other questions? Okay. In the last minute here, kind of a forward-looking question. Hopefully, in 5 years, we'll be sitting up here again together. What technology at JFrog do you think will be more transformative than investors are appreciating today when we look back?

That's a very good question. I think this is distribution capabilities because, again, people know today more kind of security and is growing, but I think people today under appreciate this need to connect your distribution to the CICD process. It will be same experience as electric vehicles for 10 years ago, right? No one paid a lot of attention to that, but -- and 10 years from now, binaries will be a primary asset all the way to the device and distribution capabilities will be the technology that will transform the world.

It's going to be exciting to watch. Yes. Well, that's all the time we have. Jacob, thank you so much.

Thank you very much.

And thank you, everyone, for joining us. Enjoy the conference.

Thank you.