JFrog Ltd. (FROG) Earnings Call Transcript & Summary

February 15, 2022

NASDAQ US Information Technology Software investor_day 205 min

Earnings Call Speaker Segments

JoAnn Horne

attendee
#1

Hello. Welcome to JFrog's Inaugural Investor Relations Day. I'm JoAnn Horne from JFrog's Investor Relations team. We're so glad you are able to join us today for a deep dive into the company's vision, market opportunity, technology innovation, go-to-market and financials presented by JFrog's senior executive team. We will also hear from 2 JFrog customers, Fidelity and Broadcom, who will provide a firsthand view of how JFrog's platform allows them to fully embrace the power of DevOps. Before we get started, let me review the safe harbor statement. During this presentation, we may make statements related to our business that are forward-looking under federal securities laws and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding matters such as our industry, business strategy, goals and expectations concerning our market position, future operations, margins, profitability, capital expenditures, liquidity and capital resources and other financial and operating information. The words anticipate, believe, continue, estimate, expect, intend, will and similar expressions are intended to identify forward-looking statements or similar indications of future expectations. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our views only as of today and not as of any subsequent date. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events. These statements are subject to a variety of risks and uncertainties that could cause actual results to differ materially from expectations. 
For a discussion of material risks and other important factors that could affect our actual results, please refer to our Form 10-K for the year ended December 31, 2021, filed with the SEC on February 11, 2022, and other filings and reports that we may file from time to time with the SEC, which are available on the Investor Relations section of our website. Additionally, non-GAAP financial measures will be discussed during this event. These non-GAAP financial measures, which are used as measures of JFrog's performance should be considered in addition to, not as a substitute for or in isolation from, GAAP measures. Please refer to the tables included in the appendix to the Investor Day materials available on our website for a reconciliation of those measures to their most directly comparable GAAP financial measures. And now just a few housekeeping items. At the end of each speaker's presentation, we'll have 5 minutes for questions. And after the customers speak, we'll have 10 minutes. At the end of the day, we've planned for Q&A with the whole team. The operator will share instructions for asking a question at the appropriate time. If you need to dial in to ask a question, please e-mail [email protected]. And now I'm excited to prevent -- to present a brief JFrog introductory video. [Presentation]

JoAnn Horne

attendee
#2

And now I'm proud to introduce Shlomi Ben Haim, JFrog's CEO, to kick off the day.

Shlomi Haim

executive
#3

Hello, and thank you for joining our first Investor Day. We are insanely excited to be here at the center of the universe, at the center of New York at the NASDAQ building. And although virtual this time, we are happy to share with you our story, hoping the next time it will be in person. We are grateful for having you with us and we've built an amazing agenda to share with you today. Shortly after my opening, Yoav Landman, our CTO and Co-Founder, will share with you our product strategy, our differentiators, how the JFrog platform is taking the DevOps world and the DevSecOps world forward. Nati Davidi, former CEO of Vdoo and our Head of JFrog Security division will speak with you about securing the software supply chain. How security became the center of the DevOps and the DevSecOps flow. Then we are honored to have our customers with us. You will hear the story of Fidelity, the story of Broadcom. Each of them support more than 10,000 developers with the JFrog platform. The voice of the customer is the most authentic way to show you how JFrog support the digital transformation. The second half of the day will be focused on the go-to-market and the business side of the company. Micheline Nijmeh, our CMO, will share with you our plans about driving growth at scale, how we are planning to bring in more new customers and expanding our business with the JFrog platform into multiple technologies. Tali Notman, our CRO speak about the go-to-market strategy in a hybrid world, what it takes to grow business to the next scale. And Jacob Shulman, our CFO will wrap up the day with more financial details and outlook, some guidance for 2022 and beyond. After every session, we will have a short Q&A panel with the speaker. And at the end, we will all be able to take your questions and answer it as a group. We hope you will enjoy the day. And again, we thank you for joining us. So let's start from the beginning. Everyone wants a piece of DevOps. DevOps is everywhere. 
Everybody is speaking about DevOps, this market is booming. DevOps became the darling of the software supply chain and a modern organization cannot enable a fast release, a secure release without DevOps at the core. But what are the real key results the market is asking for? What is it that our customers expect to get at the end of the day? First, automation. Everything we do today have to be faster, must be more secure. This flow must be powered not only by developers and [ working hands ], but also machines and devices. Second, we want to trust our software. We want to have control over our software. If we cannot control and we cannot trust the software that we have in the organization, then every organization will fail to release and will become crippled. Third, we hear from our customers, from the industry, from the community that they are looking for one platform to consolidate expertise about domain. And while platform coexists one next to the other and while complementary solutions are playing together in the DevOps playground, our customers are seeking for more and more consolidation to make this process more automated and simple. And last, there is nothing new about software supply chain. 30 years ago, we sold supply chain but the modern software supply chain in very fast move requires a different look, requires a different technology, requires something that amplify what DevOps is here to solve. A bit over 18 months ago, prior to our IPO, I've shared with you this slide. We spoke about software update. We spoke about what happened when you fail to update software at the edge. We spoke about recalls, we spoke about aircraft crashes, banks failures, we spoke about the reality when software update fails. But in retrospect what should have been emphasized is what is this digital asset. What do we have in the center to enable software update? 
And while you are doing observability or if you are a developer that's moving to become more automated, if you do security in run time or development environment, if you're an enterprise or a start-up, if you runs automation, if you support devices or you just share your software with other developers, everything you do check in and check out from the binary repository. Artifactory became the database of DevOps because we host this information for all of these players. All of them will integrate with the binary repository. Binaries became the center of gravity, the center of gravity for the modern software supply chain. We will speak a bit more about it in Yoav's presentation, in Nati's presentation. But what is important for us to share here today is that the success of JFrog is not only because of the technology we provide, but also because of the fact that it became too integrated to fail due to the fact that every player in the DevOps landscape need to get an access to the binaries, to the meta data, to the dependencies to everything that you have in the containers and micro service world. This is how we build the business. JFrog was built based on this philosophy. And when we think about JFrog and when people ask us who you are and our answer, we are the binaries people. We are the people that sit in the center, we are the people behind the scene that make this show goes (sic) [go] on. We are the people that liquefying software for you and making sure that this flow runs through the DevOps pipelines as water. But we take it one leap at the time, and we are here after an amazing, impressive 2021. We delivered everything that we committed to. When you -- when we guide you through 2021 numbers, we said that we are going to invest more in R&D, 29% of our revenue were invested in our R&D, to go the team, to build the team, to have faster releases to support the market demand, to take more and more of what we've created in the market. 
Our sales and marketing grew significantly this year, and we invested a lot in building the machines and lay the foundation for the future growth. Despite the challenging labor market of 2021, we almost doubled the size of the team and hired over 400 new Frogs. We reached out to the community, although the pandemic reality was different for us. Whether it's in person or virtual, we never dropped the ball on the community in order to stay focused and to stay connected with the future needs and what we hear from the market. And in order to have a faster time to market and to boost our technology to bring more talents, we also grew inorganically and invested over $300 million in M&A. That's the result, this is how we open 2022. We open '22 strong with over 1,000 employees worldwide and annual revenue that grew beyond the $200 million, over 6,600 customers that are now enjoying the JFrog platform, the JFrog technology. We reported last week 39% growth, a very impressive net-dollar retention, a phenomenal retention of our customers and a very business-focused company with over 84% gross margin. How do we do that? Without the factory at the core, JFrog build a full platform to serve your binary life cycle. Artifactory, or as our customers call it, the single source of tools, the single source of record, the database of DevOps. Yoav will speak about the platform, will speak about the differentiators. Artifactory became the center of every development organization that we serve. Xray was the next logical leap following Artifactory success. And Xray natively sits on top of Artifactory and secure your repository so you can trust your software. Next step was JFrog Distribution, taking the binaries to the edge. And recently, JFrog Connect that takes them to devices. This is all automated by JFrog Pipeline for CI/CD and monitored with JFrog dashboard, Mission Control and Insight. But that was not enough. We needed a better technology. 
We needed security that comes from security engineers to developers and not from developers to developers. We needed to go faster on this opportunity of having the asset that the world is asking for, but also securing it all the way to the edge. And we acquired Vdoo, announced earlier on July 2021. Shortly after, we acquired Upswift, planting the seeds of the JFrog platform future. Upswift build a platform of connecting the devices to the world of CI/CD. And together with the JFrog platform gives us, for the first time, a full view of what liquid software look like. Now why this is growing fast? Why the market asks for more and more? And how this innovation come into practice? We look at the market. When we went public, as some of you might remember, the addressable market that we looked at was $22 billion. Today's researchers and other companies as one, are looking at over $40 billion by the end of 2028. DevOps is a fast, big, growing addressable market that we are after. If you add to it the DevSecOps market, it's getting even bigger. We need to secure not only the developers, but the organizations. And binaries are moving from the developer's keyboard all the way to your run-time environment. DevSecOps is a big challenge and a big market that is addressed. And last, when we look at our path, when we look at our future avenue of growth, we look at the world of devices. Devices are everywhere. They consume software without human interventions. Billions of devices are powered by software, billions of devices are being updated daily or even hourly. And I will leave you with a question of how many devices we have times how many updates you have to do per day times how many releases you have to do. That's a very big market ahead of us, and we are very serious about providing an end-to-end solution that will take it down. And how do we know that we are doing the right thing? This is how we know, almost 7,000 customers are telling it to us day-in, day-out. 
The top 10 on every vertical on the Fortune 100 is already powered by JFrog. And as you will hear today, the leading enterprise of the world is betting on JFrog to take the next leap forward. We are listening to the market and building our technology by developers for developers, focusing on binaries, making sure that liquid software become everyone's reality. But sometimes in order to fulfill your vision, you have to challenge the status quo. You have to challenge the way that everybody speaks about what needs to be done. You have all heard the phrase that was born in the Silicon Valley by VCs, telling you that software is eating the world, which is true. Actually, everybody spoke about the rainmakers, the developers. They have to be empowered. They have to be faster. They need to do more. They need to take more risk -- more responsibility. And why? Because we are digitalizing everything. We digitalize our organization. We want to have an electric car and a digital bank. We want our coffeemaker to run by software. We do that because everything is connected. Even this Investor Day is podcast, full software and powered by software. But when I take a step back and think about how JFrog builds the vision, I actually think that we challenge this way of thinking. Instead of building the product for the developers, helping the organizations to become digital and then serve the world, we started with the end in mind. We first played the destination and only then start building. So allow me to suggest something else, to flip the order and think about the world that is eating software. We have more devices today than developers. These devices demand fast, secured update. They are all connected to digital organizations that, if they will not deliver what the market asked for, next generation will not use them. They will fall behind their competitors. And only then, we think about who are the people, who are the persona that we have to go after. 
Sometimes, it will be the developer. Sometimes, it would be the security engineer. And Micheline Nijmeh, our CMO, will share with you more of what we see in the market. And Tali Notman, our CRO, will share with you how we are going to fulfill our liquid software in terms of growth, in terms of revenues. The world is eating software. "Software is eating the world" was a very right phrase for the previous decade. When we look at the future, we will have more devices than human beings that will demand more software updates. But we are not the only one that look at this market and this opportunity. There are a lot of other players in this market. And so most of what we replace today is in-house, homegrown solution, something that was built 10 years ago, even 5 years ago, is irrelevant in a cloud-native world. Something that was built by an enterprise need to scale to the next generation of software update. And while this is the big opportunity out there, consolidation of this process, making sure that we can take it to the next step, we also see other vendors that are focusing on another asset or another technology. And from the moment we complement them, everything become binaries. Whether it's security, whether it's built, whether it's deployed. The clouds, which are great partners of us, a lot of co-selling and co-marketing was reported during 2021. We built an amazing relationship with the major clouds in the world. They still provide solution to developers. Sometime, the solution might be an easy-going start but when you multi-cloud and this is what we hear from our market, when you go hybrid this is hear from our market, when you need a full end-to-end solution, this will not be enough. And obviously, other vendors that takes legacy software and update it, but not focusing on the end-to-end platform, pioneering, changing, innovating the market providing you with the next technology. 
This will not be enough in order to answer the demand and the appetite of having an end-to-end software solution software supply chain. DevOps is at the center. And before you suspect that I'm becoming too religious about binarism. I would like leave you with few questions. We all agree that speed is a must in today's world. Can speed be achieved without automation? Can automation be achieved without using binaries? Second question, do you know what you have in the organization, what your developers are bringing in? Or do you need another reminder like Log4j? Log4j is a binary and we are going to speak about it and cover the use case in Yoav's presentation, and Nati will double-click on the -- behind the scene of it. But do you really know what is being brought to your organization? Third question, even if you know what is being brought to your organization, in the world of containers and software packages, it's all binaries. Do you know what you [ plan ] in your production environment? Or once something happens, you start to analyze and ask for fast remediation without knowing what do you have in your [ run time ]. And are we looking at the hybrid world or a single cloud world, a multi-cloud world? Or can you dare to think about 10 years from now, the cloud will be an edge in your pocket? These all questions have one thing in common, if we are looking at the same future, this future will be powered by software packages, by binaries. But this doesn't happen just because of a vision. A thousand frogs are walking day-in day-out to make this reality. Our vision and system of values, what we're calling JFrog [ Codecs ] is what drives us and fuels us to give the community and the industry the next technology and the full solution. We are investing in ESG. Our team is thinking about how JFrog can become a better company in terms of diversity, in terms of environmental responsibility, leading not only with technology. 
But technology is important, and the amount of innovation and pioneering that JFrog did and implemented in the past 12 years since we created this company is enormous. We disrupted the market with every piece of technology we released, whether it was the first binary repository or the first composition analysis that search for vulnerabilities within your binaries and software packages or the first distribution for your software packages. And last but not least, building a sustainable business, and Jacob will share with you our plans for the future. Jacob will share with you how we are not just implementing technology, but also built a solid business together with very loyal, great partners that we call customers. I will now open the session for a few questions from the crowd.

Operator

operator
#4

[Operator Instructions] Our first question comes from Jason Ader of William Blair.

Jason Ader

analyst
#5

Yes. My question is just on competition. The Git players argue that the Git repo is a center of gravity and DevOps, not the binaries because it's where most of the developer collaboration is happening. And they also argue that it's harder to move upstream than downstream if you're thinking about consolidating the DevOps tool chain. So I guess, I just wanted to throw that out at you and see what your counter argument to this is.

Shlomi Haim

executive
#6

That's a wonderful question, actually. And we hear it in the market, obviously, from customers, from investors, from community players, but we only have to look at a few things. A, if it's all about Git, if you can Git-i-size, if I may say so, everything, then why the road map is talking about binary solution? Second, can you really implement software supply chain management with source code. And the answer is clear, and you don't have to ask me, ask every developer. The answer is no. You have to use binaries. Third, Git is important for developers not only in terms of development but also in terms of security but what happened after Git? Everything that happened after Git, all the way from the moment it was compiled and Yoav will touch it a bit more, to production, to deployment, is about binaries. Now my team, almost 500 engineers, are using Git as well. This is how we build source. But most of what you have in your organization coming from outside and coming in the form of binary. 90% of what you have in your organization coming from outside to Artifactory as your single source of record, and it's not being built by our team. Developers are using source code, it's very important. It will be a complement solution, maybe a complement platform next to a binary life cycle manager, a binary end-to-end platform.

Operator

operator
#7

Our question comes from Mike Cikos from Needham & Company. I apologize. Our question comes from Rob Owens of Piper Sandler.

Robbie Owens

analyst
#8

I understand there's some debates around the center of gravity. Maybe you could help me understand the monetization opportunity because just looking at the relative players in the space, it does feel like the folks that are playing in the Git world are bigger, growing faster. And so maybe help us understand with binaries being the eventual center of gravity, is it more of a timing issue right now relative to the market opportunity? Or when should we see monetization really hit this area of the market?

Shlomi Haim

executive
#9

Thank you for the question. Monetization and putting aside the success and the growth that JFrog performed since it was exist and especially in 2021 is a very important question. First, monetization is not just about developers. It start to be about the full life cycle, the end-to-end platform. When we went public, that was the only DevOps platform in the world or as far as I remember. And suddenly, we start to see the market getting mature, more and more mature with adopting consolidations of technologies under one platform. So when I'm looking at the opportunity, I know that the market has to take another step in matureness, but it will not just be your repository. It will also be your security, not just for the development environment, but through your software supply chain. It will be also the update to the edges, which is still not here, still not here. I think that monetization is a matter of matureness of the market, identifying the asset, the digital asset that you need to take care of and last, providing a business model, a subscription model that meet the customers' expectations. And what we see is that the seeds that we put in the ground 10 years ago, there was no binary management in the world before JFrog. So obviously, a lot of what we are replacing now is replacing something that someone built by himself. There was not security at the level of JFrog taking it. And the reminder we got last year from npm, from Python, from Log4j, from SolarWinds reminds us all that what's not going to be in Artifactory and secured by Xray will fail you at the run-time environment. And there is no, until today, an end-to-end distribution system for binaries. So we are taking one leap at the time. We are monetizing the market. We are paving the way while building the business and monetizing it and I think that the opportunity ahead of us is very, very big. I think we will take more question during the panel. Allow me to introduce the next speaker. 
A little over 12 years ago, he created Artifactory as an open-source project, but the solution that introduced the world with the first binary repository manager. So with that, I'm happy to introduce Yoav Landman, JFrog's CTO and Co-Founder, my friend and partner. Yoav?

Yoav Landman

executive
#10

Hi, everyone. So just before I dive into telling you all about the JFrog product and strategy, I'd like to clarify what binary is. Shlomi spoke a lot about binaries, and I want to set the stage and make sure that everyone sees the same thing. So as a developer, you write source code. And the source code is merely a text file, okay? It's not something that you can run. And this source code may be your own source code or it can be source code that is coming from the Internet, like open-source libraries that you pull down from the Internet. And then there's a phase called compilation in which you take the source and you convert it to another file format. And this is actually a binary. This is the file that you can run. Most applications are not about just a single binary. It's a collection of multitude of binaries, sometimes thousands of binaries, your own -- like inner source that is coming from other people in your own and things that are coming from public repositories. And you create an application, and this is the binary, this is the binary of binary. This is what you deploy to the run time. This is what is going to end up running on your iPhone, running in some sort of production data center, your desktop and so on. Now one very important thing that sometimes people tend to bypass is the fact that when you -- this compilation phase, the fact that you convert a file into a binary and also the collection of binaries, the aggregation of them to an application, it's a very expensive step. It takes a lot of compute power. It takes a lot of time. But worse, it's not reproducible, not 100% of the time. Why? Because your set of dependency is coming down from the Internet may change. There may be a newer version of a library that you're using of another binary that you're using. Your profile on your own system, your compiler may change, there is a lot of dynamicity in this process. And as an organization, you need to know what you put into the run time. 
You have to have a stable, immutable point of what you're actually deploying and what you give your customers. And taking the 10,000 feet of any software creation. So this pretty much covers 100% almost of software creation. I know that there are more delicate steps. But the [ go steps ] is really your write code, you almost immediately convert it into a binary. And then you run this binary -- this is -- this actually is your software -- you run it through a couple of security check and quality checks. And then you distribute it to where it can be consumed by your run time. And finally, there's the last step you take it from displays and you put it in the run time. This is the software update. And this is, of course, a repetitive process. So really, when we speak about a software update flow, it's really a flow of binaries. And this is what the JFrog platform really support, okay? So Artifactory. We speak about Artifactory a lot. It's the database of DevOps. It's where you store everything that you're going to run. And Xray is where binaries are being scanned for security and compliance issues. So compliance is licensing issues. Then we have JFrog Distribution, which is all about taking this software before it's ready to be deployed to the run time and moving it closer to the run time so that it can be deployed. And JFrog Connect, which is about taking those binaries and putting them on real devices. We provide this platform in all 3 major clouds, so Amazon, Azure and Google Cloud. And you can also run it self-hosted. So you are fully -- we are fully hybrid. Let's go and uncover the bits one by one. So Artifactory, it's basically the center of every software development process. The reason it contains eventually the stuff that matters most. This is what's going to run in the run time. So you have 2 types of binaries. 
On the left, you have binaries that are coming down from the Internet, open-source libraries and you have the libraries that you create in your organization. And that people are going to integrate into an application, which they are going to be installing. And the way we developed Artifactory -- and by the way, not just Artifactory, the whole JFrog platform, is always with the developer in focus, but always have the enterprise in mind. So this is the unique differentiation of the platform. And I'll go one by one about these differentiators. So first of all, Artifactory is part of a unified end-to-end platform. It's not just a stand-alone product. There are other products out there that may cover a docker registry or some other type of registry. And they exist outside of a complete end-to-end platform. The other thing that differentiate us a lot is actually scale. And this is why most customers are -- eventually the big ones are coming to us. Serving -- writing a repository for managing binaries is -- may sound very easy, but when you have to sound -- to serve organizations with as much as 50,000 developers with different permissions and very busy deployment cycles, this is where scale comes in. This is where actually we displace most of our competitors and push them out. Universality. So we support more than 30 different technologies today in Artifactory. The reason we are capable of doing that is because we have the infrastructure and framework that took us years to develop that allow us to accelerate very fast and add support to new ecosystems very, very fast. Shlomi showed you this -- how binaries are in the center and how many players they need to pull binaries and push them in production or pull them in order to facilitate the CI process. So the too-integrated-to-fail mantra of JFrog is about this integration with so many partners, so many tools, so many vendors that make Artifactory part of many, many software flows out there. 
And finally, we are not only hybrid. We are also multi-cloud, and we are also multi-region. So you can get our platform in many clouds in different regions. I want to speak about trust for a second and about having a single source of code for your binaries. So if you think about a car and let's say that you have some sort of an airbag, say that has a defective component in it. You want to be able to track all the cars that are out there on the road, driving with this faulty airbag. And software is very much the same. And the goal is to be able to know exactly what ends up in your software. This is what many people refer to as SBOM, it's Software Bill of Materials. And exactly like the car example. It's a bill of materials of everything that exists in your final product. And this is what Artifactory provides. We have several technologies and several bills of materials like that, like building for releasing for pipe info for that gives our customers this information and allow them to actually know what's in the run time, and this is extremely important. And it's not just JFrog, actually this is a MITRE image from a recent work they did. And it's all about creating this secure bill of materials along the pipeline of creating software. And you can see that pretty much after the beginning, after you start to build your software, this is a game of a flow of binaries. This becomes relevant. Code becomes relevant pretty much at the very first step of the flow. And I want to give you a real example, just something from the recent days. I'm sure everyone heard about Log4j. So Shlomi mentioned Log4j is a binary. It's a binary that is mostly installed in Java applications, meaning that it's very, very common in enterprises around the world. And this version of Log4j, which was around 2 months ago, it was perfectly legit to run it. It became the nightmare of every software organization just a few weeks ago. It became such a nightmare that it reached the White House. 
And what one of the 3 top banks in the U.S. did, which is, of course, a JFrog customer, since they have a center in place where they keep this bad version of Log4j, they will be able to take this bad version, replace it with a fixed version, so nobody can pull the bad version anymore and rebuild and redeploy other applications in just under 12 hours. And if you think about the amount of applications running in such a big bank, it's pretty amazing. And the fact that you can control it centrally, you don't have to ask for the collaboration with anyone is a very, very big differentiator. And this couldn't be achieved unless they had Artifactory. So this was the Artifactory with the database of DevOps. Nati is going to cover Xray in deep in his presentation, but I just want to give you some points about Xray and its uniqueness. So first of all, Xray is integrated natively with Artifactory. We have the ability to scan your binaries and break this asymmetry between [ C servers ] and the number of developers again, you have a central control point. You don't have to ask for the collaboration with anyone. And it also applies the technology of a unique database graph that keeps the impact path. It's the container ship. It's this -- if you remember, the binary of binaries. We know how to extract the impact path of every binary that has a vulnerability to it. And as part of the Vdoo acquisition, we're investing a lot in this domain. We are adding to the binary scanning. We're adding configuration security and zero-day vulnerability detection and very leading thought leadership around discovering issues with the ecosystem with public software in the ecosystem. Nati will cover that in more detail. So this is Xray. Now Distribution. I know that Distribution is a very interesting question to many of you. And I want to expand what we're doing with Distribution. So there are 3 types of distribution. 
There is internal distribution, which is all about sharing binary, sharing artifacts with global teams with a global remote force and global data centers. It's just a physical problem that you need to solve. There is another case, which is external distribution. This is a very common use case today where companies share APIs, share packages with their own customers, with their own partners and so on. And finally, there is the distribution to the run time, which is all about creating private distribution networks that can sustain network connectivity issues and sustain a huge load of clients trying to get a software update. And we have specific technologies at JFrog to solve each and every case like that. I will not have time to go into details about each technology like that. But I'd like to share with you a use case of a distribution of our customers. So this is a large investment bank that is currently implementing this solution. And if you think about this bank, they have many, many branches across the world. And they need a safe way to distribute software to it. So they're on the JFrog platform, they're building a solution where they signed thousands of applications. They have tens of different technologies that these applications are using. And they have tens of thousands of developers that are developing these applications and then distribute to different, tens of global locations, each with their own policies and regulation. And this is the type of scale when I'm talking about when I'm speaking about the JFrog platform, this is the scenarios that we have to support. So this is JFrog Distribution. Finally, I'd like to talk about JFrog Connect. And what JFrog Connect does -- so JFrog Connect is the new name of Upswift. This is the acquisition -- our recent acquisition from September '21. And what they do is they really bridge the gap between DevOps and IoT operators. 
Because normally in the world today, there is a gap you have with your nice DevOps loop and then when you have to distribute your software and push it to devices, you lose the connectivity, you lose all the metadata that -- and you lose the flow, you just move to a different system that is disconnected from what DevOps are doing. And what Upswift are doing is they are capable of updating any Linux-based device with the software -- with the SBOM that depicts such update. You can manage very large fleets. You can even remediate failures and go and inspect the developers of devices because they have a unique agent technology that is very lightweight and allows you to do that even if the device is not -- it doesn't -- it's not open to the Internet. So this is the JFrog Connect technology. They also have a very nice low code update flows. So many of those IT folks, when they're building the update flows, they like to do it in a graphical way. So in a visual way, so you can really create this drag and drop update flow, deploy different type of binaries, execute scripts and even do rollback in a pretty granular way, and this is really important because many of these devices are not approachable. You cannot -- unless you send some technician, you cannot get to them and fix a bricked device. So this is JFrog Connect. Now I'd like to spend a minute with you just to share with you what we are up to where JFrog is moving. Because of our unique position in the center, because we are just in the center of every software flow with managing the real bytes that are going to run in your run time, we are going to expand both to the left and to the right. So on the left side, we're going to onboard developers right at their desktop, even before they start writing the code. And that means that we are going to integrate with their IDEs and more things that will come later. 
Another very important area of focus for us is the ability to curate all the source, all the binaries, open-source or non-open-source that gets into your organization. This is a very high demand from customers, especially because of everything that's happening with security nowadays. And even further to the right, we're going to merge the Connect technology and the Vdoo technologies to provide run-time tracking of what binaries are actually in my run time and also apply behavioral protection in the run time itself. So this is not something that will happen in the most immediate future, but this is where JFrog is aiming. And this is a good step to risk a live demo, just to show you what I'm talking about. And my demo is about -- just imagine an organization that develops a small medical application, the type that you're finding in many pharmacies today that allow you to do a self-examination. And they need to update hundreds of devices. And let's say, they have a cluster -- I have a cluster, one in New York and one in Dublin, Ireland, and they need to update those devices. So the way I would do it with the JFrog platform. I can use the full power of the platform. We will not have time to show everything today, but I will just show you just the end result. We are building the software. We are pushing this application into Artifactory with this software bill of material that tells me exactly what's in it. We are scanning the software, with JFrog Xray. And then because we want to be able to run updates in New York and in Dublin, even if the central hub of Artifactory is not available for some reason or just to save on network bandwidth because I don't want to pull everything all the time from a remote location. We're going to use Distribution and push it to edge nodes in New York and Dublin, where those updates are waiting for the devices to pull them from. It's also a matter in terms of security. And finally, we're going to use Upswift. 
We're going to use JFrog Connect, to issue a connect -- an update request and have the new version of the software deployed to devices. And then we will be able to actually see this version and see the new version running. So I actually have a real physical device near me. You can see it here. I just have to be careful. I'm sure if you can see, let me try and focus it. So this is my small medical application, okay? And I can check my vision and check my pulse. I'm going to check my pulse. Imagine that I put my finger into this small device that is attached. And boom, something bad happens. This is a faulty version of the application. So I'm just going to leave it here for a second. And I'm going to switch to the laptop here. Okay. So I'm going to log into the JFrog platform. And I can see these 2 versions of the application. This is the medical app application. I have 2 versions of it. By the way, these are all containers inside this each and every version. And I can actually see that -- I have deployment tracking. I can see that this application is version 1 of the application is actually deployed right now. I can also see that it has some critical vulnerabilities to it, okay? So I know that those critical security vulnerabilities are the ones causing the application to misbehave. The reason I know it, it's because of this end-to-end integration, Xray scanned this version of the application. It scanned the release, the full release, this collection of binaries and I know that it's faulty. So now I'm going to go ahead and I'm going to run an update of -- I'm going to push version 2, which has just a very few -- low severity of vulnerabilities. And I'm going to do it through this very develop-ish UI because this is how most developers will do it through a [ rest ] call. And now I'm going to go to JFrog Connect from here because I want to track the update process. So my application, I'm going to try and use both my hands and hold it in my hand. 
And you will see the screen flashing as the update is going through. Let me go to the updates page. So this is already the integration of JFrog Connect. I can see I have an update here that I ran just 19 seconds ago. Here, you see the screen flashing. It means that I have the new version of the application. And now I can try and test my pulse again and wait a few seconds. Testing my coordination and everything works because this new version is not vulnerable and even my pulse is in range. So it's all good. So if I switch back to my presentation now. So the purpose of that was not showing you that it works, right? We don't expect anything but the JFrog products to work. The purpose of this was to show you this end-to-end integration, this unique -- it doesn't exist -- this end-to-end integration of binary to device all the way through. This is what our customers are getting from us. So it's managing the flow of binaries all the way to the run time to achieve software updates. And if I hadn't done it this way, I would have to stitch together a bunch of different tools and do the do-it-yourself approach in order to achieve that. And this is the JFrog way to achieve trusted software updates. This is what we call liquid software. Thank you. So with that, I'll have some time, I guess, to take some questions.

Operator

operator
#11

[Operator Instructions]. Mike Cikos from Needham & Company.

Michael Cikos

analyst
#12

I do just want to ask you and appreciate the commentary on this expanding product road map that you guys are talking to, shifting both left and right. If I think about some of those comments, if we're looking to expand further left as an example and onboarding developers right at the desktop, can you help us get a better understanding of the timing for when some of these new products and features will be laid into the broader platform that you guys have?

Yoav Landman

executive
#13

Yes. So of course, when we do this integration, so it means that we're going to integrate into the developer environment into their IDEs. So this is what it means. In terms of timeline, this is something that is already in progress. We don't have a concrete ETA right now. But I can tell you that it's already a work-in-progress at JFrog. Any other questions? Okay. So in that case, let me introduce to you our next speaker. So I would like to introduce Nati Davidi, former CEO of Vdoo and Head of JFrog Security. Nati, an entrepreneur and 3-time CEO of cybersecurity companies, all paved the way for automated, modern software security solution. Prior to Vdoo, Nati cofounded and led Cyvera, advanced end-to-end protection start-up that was acquired by Palo Alto Networks.

Netanel Davidi;SVP JFrog Security

executive
#14

So thank you very much, Yoav, for the warm introduction, and hi, everyone. It's a great privilege to be here today. And thank you, Shlomi, for having me joining to the executive team such day to share our security approach to product security, our security achievement so far since the acquisition and our security plans for the foreseeable future. So a very quick recap about binaries because it will serve the discussion about the security of binaries. So the binary starts with a developer coding a code. It being compiled and becomes something that can be run on whatever on machines, on devices, on servers and web services. And this file is being pushed directly to the production environment or become part of binary of binaries and make all its way to your devices, to your mobile devices, to your IoT devices, to your servers or any other end point. In this phase of code becoming binary, many things are happening and we'll not cover all of them now, of course. But I can tell you that binary is not a source code. Binary contains far more than just source code. And binary is what made its way to the production environment and not source code. So when an attacker wants to attack a given organization, you reach out to the live environment, to the production environment. And what he will see is clearly, binaries, executed binaries or binaries in rest. And he will want to find a way in, he'll want to exploit the systems, so he need to exploit the binaries, which means he need to reverse engineer them and find vulnerabilities in these binaries. And lucky he is, it's relatively easy for him to possess the software because he can simply buy it or he can drop it from the medical device or if it's a Microsoft office, he can simply have it and then start to reverse engineer it or if it's a SolarWinds package, he can just acquire it and start working on that. So the binary is what the attacker is -- sees. 
The attacker can gain access to the software, to the binaries in order to find faults in them and utilize them. And then he will exploit them. So again, binaries are what is being attacked. Binaries are not source code. They contain more than just code. So therefore, it won't surprise you if I say that all of the highest profile vulnerabilities that were exploited by attackers in the last years, such as in Log4j and SolarWinds, they hacked this, these were all pieces of software that were consumed, integrated, deployed and distributed as binary, not as a source code. And therefore, binaries must be analyzed, they must be monitored and they must be protected. So clearly, you have to protect the developer when he's coding his code. But in order to also protect the organization that use the software and possess it, you have to embrace the binary approach. And the binary approach is the common ground to protect both the developer and the organization that use it. So what is that, that the attacker is looking for within the binary when he wants to exploit it? It starts by understanding what it contains, what are -- what is the software bill of material of the binary? Because when the attacker knows it, he can go and find known vulnerabilities in the world that are public, and he can just try to exploit them. And this has, of course, become the biggest problem of our era. This is why the White House, starting May 21, even before Log4j, raised it as a big issue to deal with the supply chain -- software supply chain security, the third parties that are being introduced into any modern software. So that's the easiest way for the attacker to get in to find the third parties, to find the vulnerabilities, the known one within them, which are being called CVEs, common vulnerabilities and exposures, and use them. And by the way, clearly, it can also be the case with commercial off-the-shelf product, not only open-source software. 
The second thing that you'll try to do is a more advanced attacker, is to find new unknown vulnerabilities, which are also known as zero-day vulnerabilities, which are considered to be the Holy Grail of our field. Why the Holy Grail? Because they can be exploited for a long while, without anyone even knowing about them. That, by the way, was the case with Log4j. That was the case with SolarWinds. These were at zero-days. And until the point that someone found them for whatever reason, we'll not get into this right now, only then they were turned into CVEs, into a public knowledge. And then everyone started to try to find ways to deal with that. So again, known vulnerabilities, CVEs, unknown vulnerabilities, zero-days that are being there intentionally because the developers are not perfect. It's a given fact. No one is perfect. So bugs are there, so vulnerabilities are there, and they will be always there. The next thing, which is relatively new, is malicious code that is being pre-injected throughout the supply chain of the software. Meaning the attacker find a way to push malicious code or malicious packages into your product and then exploit it afterward. And the last thing are the simple things, the non-code issues, configuration issues, how do you keep your credentials, how do you keep your keys, the interaction between binaries and processes. In many, many cases, these simple things are the easiest to exploit because no one is giving attention to them and that attacker will definitely do. And with that, I would like to move to the more exciting part of what is our approach, the JFrog Security approach for these challenges that will be delivered through the next generation of Xray and actually is already being delivered, and I'll share with you what is going to be announced actually tomorrow. So it's all start with these 3 decades of tension between the developer and the security persona. 
The security persona want to be able to apply policies, want everyone to comply with the policies. They want to have security in all layers across the entire life cycle of the software, which is a lot. And his role is to come to his colleague, to the developer and tell him, you are doing a bad job. This is never a fun thing to do. And the developer simply wants to deliver his software, to deliver it on time to release his release in the most efficient manner. So when you have this clash between security and development, it never ends with a perfect security and it never ends with a perfect product. So you lose in all sides. We for -- bring -- we actually build the ground for better collaboration between them, and you can achieve it only by focusing at the binary. So comprehensiveness for the security persona and efficiency and focus and context for the developer. And this is exactly what we introduced with the next generation of Xray. It starts with software composition analysis which is contextual. And it's not an alleged contextual analysis. It's something that you can do with only -- by only using binaries. We have a proprietary capability we call Applicability Scanners that for each and every CVE, we'll tell the developer whether it's exploitable or not or not, whether you should take care of it immediately or not. Now think about the ratio, the difference. Today, the developer gets a list of 1,000 CVEs and if someone asks him just to fix it, it will change its road map dramatically. We will say, you do have this amount, but you need to fix only 18. And not only that, here is the way to fix it step by step, and it's not about necessarily updating or upgrading. But doing these small changes in order to mitigate the risk. They love it. I can testify it. They love it, they use it. So this CVE applicability approach is something that can be achieved only through binary. 
The second part is the contextual security focused static analysis of binaries and very quickly about the SaaS and DaaS data spaces. These products were built to find bugs, not necessarily security bugs. And again, there is a huge difference between telling the developer, we have new 6,000 bugs than telling him, you have 4 security-related bugs that are exploitable and here is the proof of why is it exploitable and here is the way how to fix it. They love it. And again, we saw them using it. Malicious code detection, again, is a newer thing, and we are pioneering it. So it's not only about enhanced technology, we are pioneering it. We are the first to introduce the ability to find malicious packages that are introduced into your organization software, and we are doing it in a fully automated manner based on the research that our research team are doing. And of course, I'll share more details on that later on. And the last part is about automating the painful manual penetration testing and analysis tasks that can be done through configuration security engine that we have in our offer. Now take all of this, you have the comprehensiveness for the security persona, you have the focus and the context for the developer that can reduce dramatically the overhead that security puts on him. And then he gets the evidence, he get the explanation how to solve it. But the more important thing that what happens when it becomes part of the platform. And this is the real magic because security is one thing, but security where everything happens is different thing. And that's actually when we take our security capabilities and stretch them across the entire software supply chain and across the entire software life cycle. From the moment the developers start to code, as Yoav mentioned, all the way it is being pushed into the device because only by doing continuous examination and accreditation of these binaries, only by that way you can achieve through software supply chain security. 
And more on a personal note, that's exactly the reason why we were so excited to do this connection between the companies. Taking such a decision of selling a successful startup company in 2021 and choose the combined avenue rather than the independent avenue is not an easy decision. And from the moment that we start speaking about this collaboration, we understood that combining DevOps and SecOps into one big platform is far, far more than just doing only security or doing only DevOps. And this connection, same philosophy around binaries is the thing that enabled that. And this comprehensiveness that we achieved through the many capabilities of security and the entire platform is what is going -- is the thing that is going to replace and obviates the many other point solutions in the market. So let's talk quickly about our approach versus the competitors'. And clearly, it's a lot about binaries, but not only. And I'll start by showing what others are saying about binaries, not us. So I think it's more than a decade now that there is this debate of source code analysis versus binary analysis in the space of software security. 10 years ago, the main argument was that it should be better, doing binaries analysis, but it's so hard to achieve that let's use source code analysis. But today, it changes. And when I say today, I mean today, today like a few days from now. Here you can see, for example, a project funded by DARPA, by the Eurocom France and Arizona University, when the output says they see clear convergence between source code and binary analysis, but in some cases, the binary is superior and find things that cannot be achieved with source code analysis because binary contains more than just code. And if you look around the world, in different regulation and governmental entities, for example, this one, the Cybersecurity Agency in Singapore. 
In their security scheme for devices, they say you need to evaluate the software of your device using automated binary analyzers, not source code analyzers because that's the only way to do it. And when you look at the recent National Telecommunication Information Agency report on minimal software bill of material elements, you can see that they suggest that if you can obtain the bill and not the source code for the sake of understanding the true real software bill of material, do that. And I can tell you there are many other citations and great support for what we choose as an approach. But I want to be a bit more concrete and explain how our approach shifts the application security space into a full end-to-end software supply chain security. It starts with software composition analysis that became commodity. Today, you can just have open-source solution doing it for you. You will need to configure them, of course, and work a little bit around it, but it's a commodity. And you get a naive output telling you, you have these amount of CVEs and you have these licenses. This is not helpful. It just creates more work. When you do it on a binary-based approach with the contextual applicability scanners, you focus only on the things that really need to be fixed. You focus on the things that really impose risk on the production environment. In terms of the data that is being provided by solutions, allegedly like ours, you usually get just information about number of CVE and a short description. We will provide a very detailed information about the nature of the CVE, about how it could be exploited, about what needed to be done to mitigate it. And actually, this is already there, and this is what I'm going to announce. We replaced manual penetration testing parts with the automated configuration security. We replaced the common source code-based SaaS and DaaS data that are a lot about bugs and not security with binary focus that is looking for truly exploitable zero-days. 
And we found more than 450 of them in the Vdoo days, and we find many others in the JFrog days, and I'll share that as well. But another important point here, doing it in a binary way, will protect your intellectual property. And listen to that because it's not only about how careful you are. It's about regulation. For an example, in Japan, in many industries, you are not allowed to upload your source code into the cloud for whatever analysis, whether security or other. You cannot do it because it's risky. It's risky to expose your source code. So we provide a binary-based approach to it. Instead of telling you just fix your version or upgrade it, which is the usual basic remediation if you get from a competitive solution, we give you the detailed mitigation step-by-step instructions that will always look for alternatives of dramatic architectural changes or things that require a lot of work. I mean just change this configuration, change this permission, if possible, and it will solve your issue. And clearly, we do not give you the solution to deal with only one kind of artifact or only with a mobile application, only with container, only with firmwares, you will have it all in one place. Whatever kind of artifacts, whatever kind of application we'll deal with them all, and this will be part of the entire JFrog platform, meaning it's not yet another disconnected security solution. So when looking at all of it as a whole, this is where JFrog is going to shine. This is a true end-to-end solution that gives, again, the security persona and the developers whatever they need, comparing to the fragmented potential solutions that are being offered by competitors. Another way to look at it is that today's abstract solutions are focusing very much on the shift left, which we are covering with the binary approach. And they are missing the entire end-to-end software supply chain security. 
They are missing, for example, what happens when you create your build -- your interim build your nightly build, where your release that goes through your devices. They cannot provide a gatekeeping mechanism that truly tell you, be aware you have a risk. Your customers are going to be damaged because of that. And with our approach, we do it in whatever gates you choose all the way to the device. I would like to use now a recent case study which we are very proud of, that started actually just before the acquisition were completed -- just after the acquisition. It's about a very big -- one of the biggest network enterprise vendors in the globe, that wanted to be able to create a gatekeeping mechanisms for their software before it is being pushed to the field. And more specifically, they wanted to find zero-days before the bad guys do. We started with a POC prior to the acquisition, where we were able to show how our capabilities produced 14 different zero-days that are exploitable. This is a huge number. It's hard to stress in such a short discussion. This is a huge number for one product. It was the flagship product of the vendor. So it's not surprising that very quickly and just after the acquisition, we landed with 6-digits deal for 3 years when the buyer is the CTO of the organization. And that was just for 3 flagship products. So imagine where it can go. And more importantly, that was the door for expanding with the other part of the JFrog platform. So Security becomes the entry point, another entry point for the security persona that pushes the other part of the platform into the organization. Now I want to spend a minute to talk about the minds behind the solution. And maybe this is one of the most important parts. Our team is what enables that. 
Our team's spreading security knowledge and enable automation of their minds in order to automatically find zero-days and to push them into our product and to be able to teach our customers and help them with their challenges. That, of course, creates brand awareness around security, and it create leads for new customers and leads with existing customers. And finding [ 450 ] zero-days in such period of time is a big deal and contributing such information to the industry is even bigger. Very quickly about how it is being reflected through the Log4j use case. So as Yoav shared, immediately when it happened, we conducted a very quick research and updated the entire platform with a detailed research data on Log4j. Then we released to the community open-source tool to look for Log4j in the binary file in the Java form. And we also continued the research to find even more other packages that have the same phenomena, that have similar issues. And we were able to find another very common package called H2 and another very common package called Apache Cassandra that we are going to reveal today that are in the same level of severity in terms of the commonness of how much they are being used. And the team found that they were able to push it to the field immediately. So in the case of Log4j, we opened immediately Log4j research center that has the entire information that help our customers and the community to solve the issue. And with that, I would like also to share with you some numbers. Since the acquisition just 2 quarters ago, we came with more publications, original publications, not recycled one, original publications, about high severity zero-days vulnerabilities, about malicious packages, more than any of our competitors. This information immediately contributed to the community -- to the society actually, and I'll explain why. This information is immediately being pushed to our products and serve our customers to help them block any potential attack. 
And this information is what serves us in our mission to become the provider of software supply chain security. And we will keep doing that. Today, we are going to reveal a high-severity vulnerability in Apache Cassandra that I mentioned. This is a very extremely common package in the level of Log4j used by many, many big organizations out there, that unless we found it, it could have been exploited. Unless we work with the maintainers to fix it, the risk was there. In other words, I'm saying it boldly, we avoided -- we prevented another Log4j from happening. We did it. We did it with H2 as well. And we will keep doing it. And we will keep doing it in a bigger magnitude as time goes by. In terms of where we are going. So we started by delivering Q3 and Q4 milestones around high-profile CVEs and enhancement of the database, remediation, mitigation instruction and applicability scanners. And we are going to continue into the year with the zero-day capabilities, the configuration security and the product persona experience. And of course, this won't be the end. It never ends. We're going to add more and more capabilities and enhance the existing ones. And I'll take this perfect opportunity to announce the completion of the first integration phase meaning the thing that I'm sharing now will be pushed gradually to the customers and are available now. First, the data that is being enhanced with more than 700 articles that give you the details about CVEs, information about malicious packages when we are the pioneers in the market of being able to identify such packages. And of course, the most exciting part of contextual analysis that is highly focused on containers, and we start by serving it through the SaaS solution and extend gradually to the self-hosted solution. And with that, I would like to thank you, and we'll spend a few minutes on getting questions.

Unknown Attendee

attendee
#15

Yes. So just thinking about security, there's a lot of vendors in the space. There's a lot of options from the other platform vendors too. So why is it important to have security embedded within the binary supply chain versus using another security application as an overlay? And if you could maybe point to 1 or 2 key features within the Vdoo and Xray offering that is difficult to replicate as it becomes part of the larger JFrog platform versus some of the other application vendors out there?

Netanel Davidi;SVP JFrog Security

executive
#16

Sure. So I'll take with the second part. The Applicability Scanners is something which is our proprietary capability, some of it is patent protected. Our zero-day analysis, which is binary based is patent protected and is our asset. And I can tell you, it's very hard to get it. We have 3 PhDs in a group of 20 vulnerability researchers doing that, building that just to get this group in place is, by itself, a huge target. So this is about the second one. For the first part, as I said, binaries are what being attacked. When we talk about software supply chain and in the light of discussion, when you're talking about the integrity of software, you have the coding phase and then many, many things are happening all the way to production. You want to make sure that you keep the integrity, you want to make sure that no malicious code is being introduced to the software. You want to make sure that what you compiled is what is being introduced in the product. You cannot achieve it technically, scientifically with source code. I hope that answered your question. So thank you very much again for your time, and we'll now take a break of 10 minutes before the next session. Thank you. [Break]

Shlomi Haim

executive
#17

Welcome back to JFrog's Investor Day, and thank you, Yoav Landman, Nati Davidi for the amazing presentation. Even I got excited. And now enough us talking about us. Let's hear the voice of the customer. Let's hear from those who need to face thousands of developers every day and make sure that the business is working. I'm honored. I'm excited to join our partner, customer and friend, Gerard McMahon from Fidelity to take the stage. Ger, stage is yours.

Gerard McMahon;Fidelity

attendee
#18

Thank you very much, Shlomi. Hello, everybody, and welcome. I'm not sure if we can see the slides. But my name is Gerard McMahon and where I'm VP of Architecture and where I head of the ALM Tools and Platforms here at Fidelity Investments. Fidelity has a rich and powerful investment in technology. We've used it throughout the -- our career internally, and we use technology to power our businesses and really power our experiences that we deliver all to the customers all over the United States and globally. We're going through a digital transformation where we're looking to create the next digital experience, the next digital set of products that we offer all our customers and all of the enterprises and businesses around the United States. In 2016, we began our cloud journey and -- where we had deployed our first application into the cloud. In 2019, we launched our hybrid cloud strategy where we're looking at using the services of the cloud providers to backfill where our needs are and, again, deliver the products and experiences to our customers. Today, we have about 4,600 applications on the public cloud, and we're not even halfway through that journey. So we have a huge amount left in our digital transformation and a lot more to transform as we go through the process. The Fidelity cloud strategy is based on a couple of principles. One, cloud computing, so enabling cloud services so we can leverage the innovation and the expertise and the services to be deployed to the cloud quickly and accelerate our business value we can deliver our customers. We wanted 1 unified plan across all of Fidelity ecosystems so we can offer our customers as they create their financial journeys with Fidelity Investments. We want to make sure we've account -- financial accountability by having a rich and thorough FinOps practice around our cloud journey. 
And again, we're trying to build our workforce so we can create the talent that's required, again, to deliver the value, deliver the products and deliver the services. But core and central to our entire cloud strategy security, we really want to establish the standards and security best practices to ensure what we -- and all of our teams have to deliver the cloud. They can deliver knowing that they're safe. They know that the applications they're delivering are secure, and they know that behind the scenes, they are able to innovate and experiment and deliver very quickly the business value while underneath the security, the guardrails, the compliance is all provided by the cloud platforms and the products and tools and services we leverage. So one of the core and critical items, I'm on Slide 6, is part of our digital transformation in securing the software supply chain. In traditional systems when we work in data centers and doing waterfall development, an application was very simple. It usually contains a single monolithic artifact or binary. And usually, the development team handed that binary to different teams across silos like testing, production services, operations to -- as it went through the software delivery life cycle. Very simple and very keen. In the agile world and in digital transformation as part of the cloud, that journey, the application itself, the construct of the application has changed dramatically. There is multiple application artifacts. There is binary, there are software, there's infrastructure, all having to be developed by the applications. And today, in an application, around 90% of an application is open source. So that is 90% of our applications are built by people all over the world, finding value that we're incorporating and leveraging within our software applications. How do we trust the work of all those people for 90% of what our applications contain? And this is globally within any organization. 
So securing that supply chain becomes critical, as we've seen through the events of December with Log4j. It's really critical to ensure that we're protecting our applications, protecting our customers because that is the most important thing that we hold dearest to us is that our customer's safety and the financial services, the well-being of our customers that they entrust in us, and it's our responsibility and accountability to make sure that, that trust is honored. Teams are rapidly innovating through continuous development as they're developing every code request, every change that they deliver is they're trying to get faster and faster and faster to get that value into the hands of our customers. We've got to control all the testing cycles and then we got to verify that. And then we've got to deploy that into production. Now if every application team had to manually verify the security of everything, all the teams would not be delivering business value. So we've got to find solutions where we can package our code into binaries, and then we can entrust that binary into an artifact repository like JFrog unified platform, and we can have the platform then continuously monitor and continuously scan those applications to ensure that they're compliant with not only what's happening in the external industry from a security perspective, we can also actually scan and monitor what happens and is it compliant to our internal security, our internal audit and our internal risk policies and controls that we have to implement. We can verify that the development teams have taken the steps, have done the necessary checking to ensure that it's -- what's delivered is not only secure, but also in compliance with our engineering policies, our operational policies or, again, and our internal audit and governance and compliance policies. 
If every team again had to do that one -- artifact by artifact, as we deliver thousands within the day, we would not actually be delivering any value to our customers. So entrusting that into the platform is a core and critical capability that we require and teams require to ensure that we can maintain that acceleration. We're 4,600 applications going to cloud, going through this process on a daily basis. And if we want to get to the tens of thousands of application artifacts that we're deploying on a weekly or monthly basis, we need to have a powerful system that we can entrust that safety to. And not only that, it's the reliability and production, right? Our systems need to be there for our customers. So if we're unable to ensure security at the run time, make sure we're able to deal with zero-day vulnerabilities, rehydrate or to make sure we're compliant with the operating system, we need that system available all the time. So if our system, like JFrog, is not available, our systems are down, and our customers may not be able to access the systems they require. So that's why we have this partnership. And that's why when you think about code versus binaries, we have thousands of lines of codes changing daily. How do you know in production, how it is -- it's those thousands and thousands of changes that are spread across lines and lines of code across multiple developers, multiple teams? So having that source of truth at the binary level ensures we can always rely what's running in production, and we can trace that to -- match that to the binary. And then into the binary, we can build the SBOM, right, the software bill of materials. And that can show the lineage, and that can show exactly back to the lines of code to make sure what's running in production, but our source of truth becomes the binary. 
And that's why it allows us to accelerate our security scanning, accelerate all our software compliance products, and it -- and ensure that we have the reliability, we have that resiliency in production that we can always be there for our customers. And Shlomi, I'll hand it back to you. Thank you.

Shlomi Haim

executive
#19

Gerard, thank you so much for sharing the use case of Fidelity. What a journey. What a journey of transformation and how Fidelity become even more digitalized with your effort. Thank you so much for sharing this use case with us, and thank you for your partnership. Our next speaker, Bill Morton of Broadcom, not only have to support thousands of developers, hundreds and thousands of applications, but also to support consolidation of inorganic growth of the development organization. Bill, stage is yours, take it.

Bill Morton;Broadcom

attendee
#20

Sorry about that. I think I was on double mute. Hi, I'm Bill Morton. I'm the Head of DevOps platform team in the Software Business Operations, that's part of the Broadcom Software group. Our team supports about 23 business units across Broadcom. As an example, Symantec is 1 business unit. CA Technologies comprises about 3 business units. So we work with many, many different DevOps teams throughout Broadcom. And also, we work with the SaaS platform engineering team and the services team. We're in the middle of every acquisition. So I've been involved in 15 acquisitions and also divestitures. The most recent, AppNeta, and then divestiture of BlazeMeter to Perforce. Also, we work very closely with InfoSec and legal and compliance and audit teams. And so we're in the middle of everything. We work with about 16,000 product engineers and hundreds of DevOps teams, as I had mentioned. So because of this, we see a lot of patterns across Broadcom, whether they're developing software for SaaS systems. We deliver about 6,800 deployments a day. Also for on-prem software for SDK, for embedded software, we see patterns across all those teams. And also, we're responsible for the application integrations, to a large extent, and plug-ins. So with that, the next slide, please. This just kind of gives you, Slide 3, indication for just how we work with the Symantec teams. Here's a number of the DevOps teams just for Symantec. And we provide also a CI/CD pipeline, which many of these teams are using and are adopting. And so we're able to track their adoption, how they use it, the metrics that come out of that. And also at the end, we'll give how this relates to R4J. So next slide, please. And this slide kind of shows you how we come up with our standards. So our team helps to define standards across Broadcom. And this is not an easy task. It requires a lot of working with the various business units and the development teams to kind of move to standards within the DevOps space. 
If you ever looked at DevOps tools, it's kind of like a periodic table of hundreds and hundreds of applications that you could potentially use. And then there's all these integrations between the various applications and then there's various plug-ins that are available. Well, Broadcom, we acquire a number of companies. And when we acquire a company, let's say, CA Technologies or Symantec, we find out that they have acquired a number of companies, but they're in different states of integration. And so there's all these hundreds of variations. And what we try to do is rationalize that down to a standard set that works for most of the teams. And as part of that, we can do that because we help define the standards. And also, we look for what's happening in the industry as a whole. We get out ahead of future acquisitions. And then we bring new acquisitions into our standard set, enable them to use it and then help them decom any of their old systems that they had developed themselves, but weren't able to maintain. So all that kind of helps us move to what our standard set of tools is. And I won't go over that, but I would just say that Artifactory, JFrog and Xray or -- and Vdoo and a number of the other JFrog pieces in their stack are part of our standard set. So if you would, slide -- the next slide, Slide 5. So I'm just going to talk about Broadcom's Software Group and their use of Artifactory. We also support the semiconductor side and the 17 other business units that develop embedded in an SDK software. One interesting thing about Broadcom is even before our acquisition of CA or Symantec is about 40% of our engineers were doing software development. So this is part of our core. There's a lot of software development that's going on. There's a lot of binaries that are being deployed in various methods. 
And so we use this for third-party component dependency support, also for making sure that we only use approved OS images and any inter-product dependencies that we have and various types of libraries and registry and other pieces of this. So we also use it for security and vulnerability scanning, which the previous presentations, I believe, touched on with Vdoo and Xray. And we also use it within our own pipeline. Currently, there's about 6,000 engineers within Broadcom using JFrog products. And on the semiconductor side, about 400, but we're starting to have some of those teams that we support look at using Artifactory and moving off of their own homegrown systems. So with that, the next Slide 6. I realize not everybody is a techie here, so I was trying to create an analogy that I thought would work to explain how this works. Continuous integration. The developers who are doing continuous integration, they're like the cooks in the kitchen. They're pulling from all of the latest ingredients. They're trying to make sure that they're deploying the correct intellectual property, following the recipe, doing it correctly. But at some point, they're going to create something that needs to be packaged. So they're going to take something that is kind of code-based and they're going to move it to an artifact that can then be dealt with. And our team works throughout both on the CI side and the CD side. So on the CD side, we want to make sure that whatever comes out is correctly packaged, correctly labeled, the metadata is correct, that it gets promoted to a certain level so that only certain versions or certain components that are meant to go into, let's say, moving from development to verify, to production, that we're only pulling in those artifacts that are needed for the next stage. And then we need to package it up and serve it at the end like this little quiche at the end. But it does more than that. 
So in this analogy, I was thinking there have been cases when a quiche has been recalled even though it was perfect, but because it was mislabeled. I think one of the cases was that -- had been mislabeled and they didn't put that pine nuts had been included in the quiche or it had been processed in a factory that included nuts. So they had to recall all of those quiches. So where do they go to? Who were they sent to? And so it had to be tracked back and then they had to go and redo their process to make sure that it wasn't happening again. So just recently, there was an outbreak of Log4j. And in this particular case, we had already deployed a number of artifacts. We had to determine what was the impact, who was at risk and had to track back. Artifactory helped us to do that. It helped us to understand where the impact was. But then we also used Vdoo and Xray to understand how did we -- how do we go through and make sure that we aren't impacted with any changes as we went to 2.15 and then 2.16 and 2.17 to try to address Log4j. So we used Vdoo to generate reports by -- and scanning the release repositories. And then we provided those reports to the product teams. And then in some cases, we provided individual reports to the teams. And so Vdoo was a part of that. That help us get ahead. And actually, we use some additional tools. So we look at -- and this is a dynamic space. So we look to any tool that can help us understand how to track, how to find and how to mitigate any of these issues. And so that kind of quickly shows you, in a way, it's not just all about the source and how you handle it that's important, trying not to have contamination, but downstream, you also have to be able to deal with all these packaged binaries and make those available to your customers and be able to track it. So just on the SaaS side, we deploy about 6,800 releases a day. And that's just a small part of what our team is involved in. 
And then last slide then would just show some of the additional platform tools we use from JFrog. And we also are looking at using pipelines in the future, but that's still in a proof-of-concept evaluation stage right now. So with that, I'm sorry for speaking on mute at the beginning, and Shlomi, back to you. Thank you.

Shlomi Haim

executive
#21

Bill, thank you so much. An amazing use case. 6,800 releases a day. Wow, that's impressive. And thanks for sharing us the Broadcom story, and thanks again for your partnership and the time taken. We will now open the line for questions.

Operator

operator
#22

[Operator Instructions] Our question comes from Sterling Auty of JPMorgan.

Sterling Auty

analyst
#23

Based on -- I'll give you kind of 2 questions. One is, there's a lot of questions around whether people want complete portfolios of DevOps tools from a single vendor. So the complete suite end-to-end or do you still want best-of-breed? I'm kind of curious to your experience in your environment. And then the second one is the on-prem versus the cloud. Where are you in that journey in terms of the deployment of the DevOps tools, shifting to the cloud and where do you see that headed?

Bill Morton;Broadcom

attendee
#24

So I guess I'll go first, Ger. So yes, this is a good question. The tightly integrated suite versus the best-of-breed. And we go through that process all the time because with every acquisition, we rethink our set of tools and our integrations. And so what we tend to do is we look for both, actually. So in cases where we can -- let's say, on the pipeline side, if there are areas where we can bring in, let's say, pipelines from JFrog, we are looking at doing that. If that makes sense, we will disrupt our own pipeline architecture to do that. However, we also know that we are very cost-conscious culture. So we tend to be careful where we get too sticky. And so that tension for us is always going on. And we tend to balance that by having more than one best-of-breed kind of strategy. And then we look with who we can partner most closely with. So we're not only looking at what can they provide us right now, but how closely will they partner with us as we show what our own road map is. So I would just say, hey, we haven't solved that. I think that's -- I have been having that conversation for 15 years. I don't foresee that we'll ever solve that completely. But where we can partner and where we see that our partner is going to address our future road map, then we're happy to do that. And then on the other part, we're actually going through an on-prem-to-cloud transformation ourselves. Broadcom, as a whole, is very data center-centric. A lot of what goes into a data center anyway is built by Broadcom. You may not realize that. But -- so we have our own data centers. But even with that, we still see some benefit of moving to the cloud. So our Broadcom software group is largely moving to a cloud-hosted. That's a journey that we're making right now. But for the semiconductor side, it's mostly on-prem and data center. So we'll have that mix going forward, and our team kind of balances that. So Ger, thanks for letting me speak first.

Gerard McMahon;Fidelity

attendee
#25

Thanks, Bill. I think for us here in Fidelity, it's an ecosystem of best-of-breed. So we look to see who are the leading industry providers of a particular piece of technology or a set of capabilities and how do we use them end-to-end to take the ideas that people create and how do we move them across the software delivery life cycle and deliver them into production and continue to -- and operate them. So for management, there, if you look at who are the industry-leading providers from a CI/CD perspective, there's vendors out there, and then obviously from binary and artifact management. So for us, it's definitely a best-of-breed, but it's trying to get the best piece of technology, the best provider of that technology, again, to Bill's point, who we can partner with and as we build deep relationships and deep partnerships because we can't do it by ourselves. Just like Log4j, for example, with JFrog and the Xray product and the Vdoo acquisition, they are able to provide security expertise to Fidelity to complement our security personnel and our software delivery experts and our DevOps teams to ensure that we're remediating quickly, we're reacting very quickly and we're keeping our environment safe and sound. So it's definitely a best-of-breed for us, but using the leading technology and leading partners. On the cloud side, we're definitely moving all of our DevOps tool chain to a mixture of SaaS plus cloud. When you're [ shipping ] binaries, for example, so we got -- if you're looking at the cloud, you've got a VM image. So an AMI for Amazon or a VM image if you're in the Azure world. You're looking at container images, base images. And these can be megabytes if developers are doing well, but on some of the larger things, they're getting into gigabytes. 
If you've got to move gigabytes of data across your network, that's a huge amount of bandwidth, especially if you're talking about a large event where there might be -- you might need massive of amount of computer scale up for that event, the transfer of gigabytes of data over the network is going to impact your business. So we want to have -- we want to be in the cloud, and we want to have all of our binaries and things like that at the edge. So we can be in proximity to where our applications are, so we can have high performance, we can have low latency and we're not flooding our network and our network bandwidth to the cloud because that actually interferes with our other services that we might offer, or all of our associates who use their laptops connected to the data, connected to our corporate services, to all our businesses that might run on-premise going up to the cloud. So we got to make sure we're protecting all of that and maintaining it and, again, making sure we can provide for our customers.

Operator

operator
#26

Our next question comes from Steve Enders with KeyBanc.

Steven Enders

analyst
#27

I guess I just want to ask on how you kind of see the future usage of JFrog evolving for both of you. I think there's been a lot of discussion here on some of the expanded security capabilities and distribution and connecting some of those areas. But I guess how do you kind of view some of those newer areas fitting into what you're trying to do? And then as well, how you see your general usage of JFrog evolving from here?

Gerard McMahon;Fidelity

attendee
#28

Bill, I can start with this one. So one, we actually see under 2 ends. So very excited with 2 ends of it. One is on -- it's what I call the left side of the development process, which is kind of Xray, what we're calling curation. So how do I have Xray be my gateway to the external open source world? So if you -- we have about 16,000 technologies here in Fidelity, all of the coding away pretty much around the clock. So 7 by 24, depending on between our global locations and our U.S. location. So as we -- as developers pull in dependencies, we got to make sure that they're secure, right? We're not putting in anything that's containing vulnerability. We got to make sure we're using the right software, right license types. We've got to make sure it's -- make sure we're not using old end-of-life pieces of technology and things that might create technical debt in our environment. So it's very important that we have a point for where developers go through to put in all of that external works. So -- and we want to make sure we scan that in real time to ensure we're not creating friction on our developers and slowing them down, but we have the guard-ment (sic) [guardrails] in place that they can develop at a safe -- at high speed, but safe and secure. So that's one thing we're going to be heavily investing in, in over the next number of years. And then on the -- as that software then moves through the software delivery life cycle, we want to make sure we're scanning it moment in time, depending on what we want to check for. So if it's secure internal audit and internal policies, we want to make sure as we promote that artifact, that we're ensuring it goes through the necessary steps. We can certify and we can provide the evidence for that based on any audit or security or anything like that. And we also -- then on the right side of it in production, we want to really distribute our binaries right to the edge.
And in some cases, we have trading platforms which are really, really -- you're talking about milliseconds, microseconds and latency that we -- if there's a blip in the network, these applications have hiccups. So if there's a scaling event, if there's a rehydration event, we want to make sure that those binaries are as close as humanly possible to the application binary. And if need be for using the Kubernetes world, we actually might deploy them, the binaries, right alongside, in the same name space, right alongside the application parts that are running. So on a scaling event, those things can react very quickly and make sure they're providing the services within all the SLAs, the SLOs, the SLIs that those applications have to adhere to. So that's kind of how we view it. Bill?

Bill Morton;Broadcom

attendee
#29

Thanks, Ger. I'll just talk about a couple of things. We are looking to address a number of -- I wouldn't say gaps, but inefficiencies in our pipeline. One is how do we deal with third-party artifacts? In the past, we let every development team kind of deal with this themselves. And as you can tell with Log4j and other issues, it takes a while to figure out, okay, which development team is using what and what version are you on? Are you -- did you attach to 2.16? Or are you on 2.17? So what we decided was we needed to get ahead of this and try to solve it for the DevOps teams. So we are looking at a number of third-party artifact management systems. And as we went through this and as we started to partner with JFrog, they are working with us in this area. So being able to vet open source and third-party components ahead of time. And then -- and then say -- I'm sorry, can you guys hear me? Am I on mute again? I heard a little background. But so anyway, we want to vet third-party components and then say, these -- and then tag them and say, these are the ones that have been vetted. If teams want to use ones that are unvetted, they can do that in the development space, but they won't be able to promote. They won't be able to package in the later stages and then go into verify and production. So this is one area where we see some benefits potentially from JFrog. The other area is on the pipeline side. Broadcom has -- we have our own pipeline. But in any particular area, we already are looking to disrupt ourselves. So if it's possible that JFrog pipelines could come in and do more for us, we're trying to create a secure execution environment so that essentially, whatever is needed to do the build and to package it is only temporary. It will go away. It will be deconstructed. And then that way, it's a secure environment. So we're looking for JFrog to help us in that area. 
We've made some enhancement requests recently in that area, and JFrog has been very responsive to that. So hopefully, that answered your question.

Shlomi Haim

executive
#30

Thank you, Ger and Bill. Bill in San Diego, sunny San Diego, Ger in Ireland. You guys together support 30,000 developers and who knows how many applications and processes in the organization. You are the real champions of DevOps and lead the community. We are honored to have you as our customers. Thank you for taking the time to join us today. Thank you for sharing your experience and wisdom. Thank you very much.

Bill Morton;Broadcom

attendee
#31

Thank you.

Shlomi Haim

executive
#32

And now I would like to move to the second part of the day. I hope you guys are ready to hear a bit more about our business. And although I would spend more days speaking about technologies and binaries and why it's important, we also have to cover the business side of the company. I'm honored, and I would like to introduce Micheline Nijmeh, JFrog's CMO. Micheline brings over 25 years of technology marketing experience, leading and implementing global enterprise marketing at high-growth software companies. Prior to JFrog, Micheline was the CMO of Zscaler, a global market leader in cloud security. Please welcome Micheline Nijmeh.

Micheline Nijmeh

executive
#33

Thank you, Shlomi. And thank you, Ger and Bill, for the amazing story that you just shared in your journey with us. We're excited to have heard this. I want to bring back the kind of the half the day we shared -- we reviewed with you a few things, and I want to kind of bring back kind of a summary of where we are today. As you've heard from Ger and Bill, enterprises have the need to deploy software quickly, as quickly and (sic) [as] possible for every day. And then we need to deploy it to the edge, as Ger and Bill just shared. And with that comes complexity and efficiency if we don't have the right tool. And with JFrog, as you can see, when technology -- when the developers are using the technology, it can be -- they can bring from different organizations, millions and millions of software components. You heard from Ger that 90% of his software components are from open source. This opens up the organization to security vulnerabilities, to large attacks. And without the right platform, without the right unified tool, this can also be at risk. When you think about also the complexity of organizations in terms of where they are in the digital transformation, Ger and Bill shared their view of their journey. For example, some might be under the journey of on-prem, some may be going to the cloud or hybrid. And without the right tool that's automated and secure, this can be a challenge. The JFrog platform is a unified platform that only provides the single source of truth. They bridge developers to their production environment, and they bridge organizations to their customer. And so today, I'm going to be sharing with you a little bit about how we're addressing these challenges and how we're planning to grow the business to address these challenges with the persona and the go-to-market strategy. And Tali will be sharing with you the sales motion to influence the go-to-market. There are 3 types of personas that we're going after. The first is the community. 
They are the developers. They are the heart of every organization who builds and secures and releases software. When you think about the amount of software that they're managing, you heard from Ger and Bill, thousands, tens of thousands of developers that they are supporting. They expect a universal tool that works in their environment. They expect a tool that works within their tool stack, and we are committed to universality. We were the first to go to market with a universal repo, and we continue to support that with over 30 software packages today. And that's only the beginning. We continue to invest and partner in open source communities, such as Conan, which we acquired for this growing community of C++, or partner with Apple for their Swift because we know iOS developers have this need. And this is only the beginning. We want to make sure that the massive adoption that we're trying to do with our platform is making it easy and simple for them to access our platform. You heard from Nati around security. Now we used to address security from a developer standpoint. And with the recent JFrog and Vdoo acquisitions, together, they are -- and the integrations of the capabilities, we're able to open up our platform to a new entry point for security. These security personas, they're the ones who are needing and worrying about tool -- security tool consolidation or proliferation. They worry about security and compliance. And this is just the beginning for us because this is a new persona that we're going after. We have work to do in terms of building the brand and the engagement. But we have the team, and we've hired -- we've acquired from Vdoo over 160 security experts. So we know that we have the foundation to build the brand as well as to engage and drive the demand. And the third persona are the product leaders. These leaders are the ones who worry about standardization. They worry about automation efficiency. 
And when you think about as we go up into an organization, what's important is we start influencing the CTOs, the CIOs. And these are important when you think about a unified platform. We are looking at an end-to-end platform that we will actually offer them as a unified view and visibility that Yoav shared earlier. And with that, you've heard from Yoav -- from Shlomi earlier today the available market to us. You heard from Nati and Yoav in terms of the unified end-to-end experience with the platform. And there are a few growth opportunities that we're going after to address those challenges that enterprises have with our unified platform as a solution. The first is the platform adoption. We are -- we have been a successful growing -- high-growth company because of the bottoms-up, product-led motion that we've had. And we're going to continue to support that. That is an important engagement for us to building the community. And with that, we have community events that we support, and the entry point to that is our free subscription to cloud as well as on-prem trial. And when we think about the growth in terms of the enterprises, we've been seeing many enterprises join the unified platform through our enterprise subscription, and we want to double down on that. We want to go deep and wide. And we've implemented new motions to support our inbound bottoms-up funnel. So think about the outbound that were implemented. We've hired field marketing managers to support the regions, to support Tali's sales team. We've also implemented regional marketing to support the cloud adoption and co-marketing that we have. And as you think about what we've done in Americas, we want to replicate that in the international regions. For example, Europe and APAC is a focus for us. We've -- we started to build the brand there. We started to build the marketing and sales motion, but we're going deeper and wider in there. 
So for example, APAC, if you consider the number of developers that are in China, India, in Japan, we have -- we are the first to start thinking about that in that region. We want to be the first to think about that in the region. And we have built marketing leadership there to begin the brand awareness as well as the demand. And Shlomi talked about the various different industries that we cater to. One of them is being -- is the public sector. You've heard the different standardizations from the government talk about the Log4j and the DevOps modernization initiative. Well, we want to make sure that we're taking advantage of that. Our customers are reaching out to us from the on-prem side to ask for engagement and support around our initiative. And what we've done as a strategic move is lead with the Iron Bank certification for our on-prem customers as well as our cloud customers, we are looking to be certified for FedRAMP later this year. And so with that, I want to kind of take a summary of the -- excuse me, the excellence that we've had and the growth that we've had for -- from the company in the last several years with a product-led approach. We are adding to that. And if you think about all of the different motions that we're adding from a marketing organization, from our inbound moving up to our outbound as well, we are looking at the different growth revenues that we have with the developers, with accelerating the growth in the enterprise and the expansion into the APAC and EMEA region. I feel confident that we've built a team and we've built our processes last year to scale for next year. And with that, I'll take some questions.

Operator

operator
#34

Our first question comes from Sanjit Singh of Morgan Stanley.

Sanjit Singh

analyst
#35

I wanted to talk a little bit about the free product offering that the company announced. I think, towards the end of 2020, it might have been 2019, correct me if I'm wrong. Two questions there. One, how successful was that in terms of building a base of new users to attract to the JFrog platform and get them to sort of kick the tires on the expanded portfolio offerings that we've seen over the last year or 2? And then secondly, what initiatives are you driving to drive that free-to-paid conversion? What did that look like last year? And what do you have sort of set up for 2022 and beyond to drive that free-to-paid conversion?

Micheline Nijmeh

executive
#36

Thank you for the question. Yes, with the free cloud offering that we have, we're seeing more additions to the cloud with the free subscription. So we are seeing more consistent conversions throughout. What we're actually seeing is that a developer may come in and sign up and start using the offer, the solution, but then he or she are also adding their other engineers to work together on the free tier, but then also come back and buy. So we are starting to see that. We want to continue to drive that adoption because we know this year is -- if we have massive adoption from the bottoms up from our developer community, eventually, they will convert only because they're using it and they're active users. And to your second question, we will continue to engage with the community. We have a developer relations team dedicated for the support of the committee (sic) [community]. We will continue to support them with the software packages that we offer that are compatible with how they work. We will continue to evolve and make sure that we are engaging with them at the level of where their environment is. And I believe Yoav talked about their CLI and where they -- we will meet them where they actually are.

Operator

operator
#37

Our next question comes from Mike Cikos of Needham & Company.

Michael Cikos

analyst
#38

Just wanted to circle up. I appreciate what you guys are doing down with the community and the developers. But if I'm thinking about touching into the C-suite, some of these CTOs, the CTOs who are tracking it to the, I guess, product level, higher end of the organization. Typically, that's a different sales process or a different orientation. Can you talk to specific initiatives that are underway at JFrog to help you in that process just to ensure that this is, I guess, a seamless endeavor as you are going to these higher-end executives at the leadership levels of these customers?

Micheline Nijmeh

executive
#39

Absolutely. We are seeing -- we see different stages. It depends on where you are in the organization in terms of the market segment. So we do see still that developers are influencing the purchase decision. We see that. And as we go upmarket, we are seeing more and more leaders, like I mentioned earlier, the product leaders. We're seeing VPs as well as the C-suite. The C-suite are influencers to us. They are the ones that we are going to be making sure that we are driving awareness and engagement. And then when you -- Tali Notman, our CRO, will talk a little bit more about the strategic team, but we put in place a strategic team and a field marketing team to support in terms of how we're going to go top-down. And this -- last year, we've just implemented a new marketing motion. We have outbound. We've tripled our SDR team to go outbound and look and engage with the top-down approach. So this is a -- it's a balance. It's a bottoms-up approach with our community, but it's also going top-down with the VP, Director and the decision makers.

Michael Cikos

analyst
#40

And one more, if I could just squeeze it in real quick, but I know you were talking about the developers influencing that purchasing decision. And I have to imagine it's a delicate balance at your customers and prospective leads as far as the power that the developers are taking on versus the power that the C-suite holds. Maybe taking a step back, can you just help us think through what that dynamic is at your customers? Because it makes sense that you would be feeding into both the top and the bottom end of the funnel. I'm just curious how those organizations are handling that struggle or challenge, if you will, on their side.

Micheline Nijmeh

executive
#41

Well, actually, Tali is going to be sharing with you the journey of how an enterprises have -- they've evolved with us, and she can touch that a little bit. And if we didn't answer the question then, I'm happy to answer it at the Q&A panel. But what we're seeing is definitely, as you said, a balance between driving influence and then making the decision. But I think you'll enjoy hearing Tali's presentation around the journey of an enterprise, and we can touch on that a little bit. Thank you. All right. Thank you for the questions. I would like to now introduce Tali Notman, JFrog's CRO. Tali proudly leads over 6,600 customers portfolio that she built from the ground up from almost day 1 at JFrog. She built JFrog's go-to-market strategy. She has grown the organization, the global revenue team, and has had consistent growth year-over-year for over 10 years. I'd like to introduce Tali, my partner in crime and our CRO.

Tali Notman

executive
#42

Thank you, Micheline, and thank you, everyone, for joining us today. I'm excited to be here. I'm Tali Notman, JFrog's CRO, and I'm happy to share with you today the JFrog go-to-market strategy and mainly how we've taken it from here, stronger and faster. Let's start. Before I will share with you the new growth areas that we are after this year and in the next year, I would like to take a moment and share with you the foundation of the future growth because the foundation is definitely important, and you need to trust that you have the strong foundation in order to build the next layers in your go-to-market. There is no better way than developing your go-to-market based on the alignment between these 4 pillars that you see here: The evolving domain, the changing adopters, the JFrog solution that keeps expanding over time and the sales motion that continue to change. And what started with agile software development with an individual adopter, the engineers, and was served by the single product of JFrog was really enough to serve with the bottom-up, self-serve low touch. But as we continue to evolve and where we are today, in a world of digital transformation, we see the level of interest at the level of the organization with different types of adopters and different types of personas. This is where JFrog is taking another leap and providing end-to-end platform to address these needs of our customers. And we are in alignment, adding additional motions of sales, such as the top-down strategic sales and indirect sales. You, of course, heard the stories of Bill and Ger, and I would like to take a moment to share with you one more story. This story is a story of one of the largest wireless network operators in the U.S. This customer started with JFrog in 2014, adopting basic binaries management capabilities and using our Pro subscription with less than $30,000 initially. 
As they continued to grow with the automation in the organization, this customer is now moving to serve more teams and adopting highly available solution by JFrog, now upgrading to the enterprise subscription. In 2019, this customer is now adopting Xray to secure the binaries and upgrading their subscription to Enterprise X subscription. In 2020, we are looking at a company that is now standardizing all DevOps processes on the JFrog platform and, of course, upgrading to the Enterprise Plus platform. Now here is the interesting thing. This still is a project of a customer that is serving internally, the internal use case of what you have called before the internal distribution, global technology services with thousands of users in the organization. But this story is actually becoming even more interesting when in 2021, this customer is taking us towards a new adventure and looking to distribute their software to the 5G cellular towers. Of course, the default player for them is JFrog. And this is where we see them taking the Enterprise Plus all the way to the run time with distribution to multiple edge points. We are looking here at $2 million in ARR. This is the last year in 2021, and this was served -- was managed by the strategic team of JFrog in the past year. But what we really see here is the potential of this customer to continue and grow to multimillion dollars ARR in the future. So now the question is, how do we do it? The first thing that we believe in is high focus. We focused on our team in order to make sure that we maximize the potential that we have with each and every tier in the market from the SMB all the way to mid-market and the enterprise. And applying, of course, the different sales motions, as I shared before, so our inside sales with low to mid-touch know to take everything from SMB all the way to the enterprise. And yes, you know right. We added strategic sales as well. 
But before I will get there, I want to share with you that we are not transitioning into strategic sales. We are adding additional capabilities. We are adding additional motion, but we are actually also doubling down on the base -- on the foundation we built in the first decade of JFrog with outbound sales, with security focus and a hybrid sales team. High-touch strategic sales. I was sharing with you prior to our IPO that JFrog is going to develop the strategic sales practice for the first time at JFrog and so we did. In 2020, we established our strategic high-touch sales team and continue to build this team over the past year. And in 2021, we already had a global team structure of account executive, solution architects and high-touch support led with an experienced leadership. But this is again just the very beginning. We are looking to continue and develop this practice with indirect sales going after top GSIs going together with our cloud partners. And, of course, provide more white-glove services and premium support. And one of the things that was mentioned by Micheline before is definitely having additional focus on industries such as government. This was shared with you last week. This is from our last earnings. We are looking at 2021, ending with 537 customers with over $100,000 of ARR. This is impressive and definitely, I'm excited for this number. I'm excited for this number not only because of the fact that we see more growth with our existing customers but also because we do see more customers landing on the platform of JFrog from the get-go. But there's another reason why I'm excited with this number. It's actually because of the fact that we see here the additional 6,000 customers that are not yet on the JFrog platform. And if you connect the dots of my previous slides and everything we heard today, then you will see where I'm taking it to. I'm taking it to new routes of revenues and additional growth of the business. First and most of, cloud. 
Our cloud sales strategy is definitely aligned with the company's strategy as we are taking our customers and the company towards a future of hybrid this year. We are merging the 2 teams, the cloud and self-hosted into one team, removing friction from the internal resources that we have and enabling more customers to grow towards a hybrid future. This team is definitely even incentivized with customer -- with cloud first in mind. We are taking our cloud partnership to the next level of co-sell to ensure that we continue to grow our business together. And if (sic) [since] I'm touching on the cloud partners, this is another area for growth for us moving forward. Just as I was standing here in 2019, end of 2019, and shared with you the development of the new strategic team, I'm sharing with you today that JFrog will start this year to establish the indirect sales with partner programs targeting the top GSIs. Not only that, this year, we actually transitioned the cloud alliance team from the business side into my organization with one goal in mind, to align the vehicle, the driver of this growth with the revenue growth moving forward. Another area for growth for us is geo-expansion. And just as Micheline mentioned, we are going to gear up with APAC. You heard us sharing with you that in 2021, we made some investment. This is the time for us to continue and gear up in APAC. I want the developers of APAC to have JFrog and the JFrog solution as the default opportunity option for them to use when they are exploring the new path into DevOps. And of course, we will do it with expanding our direct teams. We will do it with additional channel partners, and we will also develop and establish our multi-cloud strategy there as well with top cloud providers in the geo. And last but not least, you heard a lot today about tech innovation. And you know what (sic) [that] we know what to do with it already. 
As you saw in the previous slides, when I'm getting technology from my product team, this is the time to embed it in our go to market as well. All the innovation in software supply chain will be -- will continue to be the driver for enterprise scale. Not only that, we were talking about security quite a lot today, and this is an exciting new entry point into our platform. And last is the IoT. This is a complete greenfield that we will go after in order to generate additional new business for JFrog. And with that, I'm positive that myself and my teams are ready to conquer our next business goals. Thank you. And I'm ready to take some questions from the audience.

Operator

operator
#43

Our next question comes from Sanjit Singh of Morgan Stanley.

Sanjit Singh

analyst
#44

What we've seen over the last 12 to 18 months from JFrog is really expanding the portfolio quite significantly into security. And I wanted to get your perspective on how you plan to sort of monetize this security innovation in sort of in 2 senses. One, sort of getting the core users of JFrog, these DevOps teams, these developers and engineers, to take on the security products like Xray. And then on the other hand, the whole security operations team, which are pretty influential in terms of vendor selection, what resources have you built? And how are you going to better address this almost new buyer in the organization where you guys may not have previously had much experience doing to sort of address both sides on the security, sales machine?

Tali Notman

executive
#45

Thank you. Thank you for the question. Well, the first thing that we need to take into account and just as you mentioned, when we're thinking about going towards security, we first have to keep in mind that just as I mentioned before, this is an entry point into our platform. So the goal eventually is to be able to bridge the gap between the security people and the developers and you can come from either the door of security or the door of DevOps processes and eventually have one joint ground for the 2. Now when you're looking at the existing business of JFrog, still, half of my customers are not using Xray. So this is where we will have to continue and grow, of course, adoption with the new solution. And not only that, we will have to go after the new adopters, as you mentioned. Now we acquired the company, the Vdoo company, and we didn't just acquire the solution, but also we joined great talent to our teams. We will continue to work on developing these practices within our teams in order to ensure that we know how to go after the security persona and take them all the way towards the adoption of the platform.

Operator

operator
#46

Our next question comes from Ben Schmidt of Piper Sandler.

Benjamin Schmidt

analyst
#47

Looking at these new routes to revenues, just with these 4 categories, wondering if you can sort of rank order them, I guess, thinking about them in the context of path of least resistance, where you think the greatest short-term opportunity is? And then specifically looking at the partner in alliance group, exciting to see that you're going to move more heavily into targeting GSIs. Can you just talk about the monetization opportunity there and the growth opportunity there and what the strategy is?

Tali Notman

executive
#48

Yes, definitely. So of course, there are some growth areas that we are already well invested in. And some of them, as you mentioned, are newer to us. The cloud strategy is something that we put -- of course, it's part of our targets, a few years back. In the past, I would say, mainly 2 years, we started to shift over this direction. So we will continue to invest in this direction, mainly, by the way, because of the fact that we are looking at customers that are looking to continue and take the journey -- you heard it from our customers today, moving into the cloud. As for specifically the indirect sales, there is one area of indirect sales that we are developing and establishing, but there is a different area of indirect sales, the cloud indirect sales or the cloud alliance. This is an area that was already, as I mentioned before, developed in the past few years. And we have there the growth engine. Now we have to make sure that we will take you towards the process of building the revenues even higher, stronger revenues coming from our cloud providers. And of course, the establishment of indirect sales will be a process of, just like in any other company, will be a process of putting the right foundation. And just like we did with each one of our growth areas that we had in the past years, we will have to first build a strong foundation and only then accelerate. So this is where we are taking it moving forward. We have more time for your questions. Oh. Thank you so much for your time today. And please let me introduce -- although I'm sure most of you don't need an introduction to our next speaker. I'd like to welcome Jacob Shulman to the stage. Jacob joined JFrog in 2018, bringing over 25 years of experience in building the financial infrastructure and driving growth. Prior to JFrog, Jacob served as CFO of Mellanox Technologies. Jacob?

Jacob Shulman

executive
#49

Thank you, Tali, for the introduction, and good afternoon, everyone. I hope you're enjoying the day so far and have learned a ton from Shlomi, who presented our vision and explained why binaries are the most important asset of the DevOps; from Yoav who presented capabilities of the platform and explained the value that our products provide to our customers; from Nati who dove deep into our new security capabilities and explained how different is our approach versus other companies in the SecOps space. I'm sure that the presentations by Tali and Micheline explained how material is an opportunity in front of us, laid out our go-to-market strategy and the plans to capture those new markets and geographies. And lastly, I'm sure that the use cases presented by our customers explained how material and how mission-critical JFrog is to them and how important partner we are to them as they continue to navigate the DevOps journey. But I'm sure, guys, that you're here for the numbers. So here I am. I will focus on 3 main areas in my presentation. First, I will speak on deliveries on our goals in 2021. Then I'll touch a few aspects on how we build sustainable and diversified business. And I will finalize my presentation with the considerations for the long-term model. Let's start. 2021 was a solid year for JFrog. We finished the year on a very strong note. Overall revenues grew 37% year-over-year to $207 million. Back early in the year -- back in Q1, we said that we expect acceleration in the business, and that, indeed, we delivered successfully on this commitment. And our revenue in Q4 grew 39% year-over-year to $59.2 million. This great visibility in our business is driven by the fact that we are very well entrenched in our customers. That's, by the way, highlighted by a very high net retention -- gross retention, sorry, of high 90s, and we understand very well the demand levels. 
On top of that, moreover, the only variable portion of our business is -- that's subject to usage-based SaaS revenues. And SaaS revenue is still today a very small portion of the revenue, and therefore, this -- therefore, we built a very predictable and -- a business with high visibility. SaaS revenue represented 25% of total revenue as of end of Q4, and revenue coming from outside of the U.S. was 37%. We continue to expand our capabilities outside of the U.S., specifically in EMEA and APAC. Our strategy of hybrid and multi-cloud growth bore fruit, and our revenue on SaaS environment grew 52% year-over-year to $50 million in revenue. And we are very proud to grow our number of our largest customers very significantly in 2021. This growth is a great testament of the value that our platform provides to our customers. Specifically, the number of customers of over $100,000 in ARR grew 53% year-over-year, and we exited the year with 537 customers over $100,000. Of them, 15 customers were over $1 million in ARR growth of 50% year-over-year. But we continue to see great expansion of our entire customer base. And we accelerated our net dollar retention in Q4 back to 130%, the commitment that we made to the market early in the year. To remind you, that expansion of our customers was impacted by the pandemic. And back in 2020, we did see contraction in our net dollar retention rates. We are very proud to stabilize and actually reverse the trend and grow again in 2021. We continue also to build strong foundations for the sustainable growth. Our non-GAAP gross margins improved from 82% to 84%, driven by significant enhancements in our gross margin on SaaS business. We continue to invest into R&D, specifically in areas of security and distribution, and our R&D expenses represented 29% of revenue in 2021. 
We continue to build our top down, and Tali talked about the action items that we took during the year in building the strategic team and go-to-market -- top-down go-to-market approach. Our S&M expenses were 38% of revenue in 2021. And as a result of us becoming a public company, our G&A expenses increased to 16% of the revenue. As a result, our non-GAAP operating income declined from $13 million to $4 million or from 9% to 2%. However, our unit economics remain very efficient. We continue to generate free cash flow. Actually, the free cash flow generation improved in 2021 from 17% to 21% and achieved $43 million. And this takes into account onetime payment associated with holdback agreements related to Vdoo and Upswift acquisition. And our sales efficiency remained on top of the class at 1. And CAC payback, again, top of the class, increasing slightly from 16 months to 17 months. Overall, we are very proud with our achievement in 2021 and believe that Q4 serves as a basis for the strong performance in 2022. Now I'd like to speak about building diversified business. Shlomi and Tali discussed with you how strong our customer base is and how we're able to attract top 10 pretty much in every industry. In fact, as of end of the year, 85% of Fortune 100, 45% of Fortune 500 and over 30% in Global 2000 customer -- companies were our customers. This is a tremendous customer base that continues to expand with us. I'll provide you a few stats just for you to better understand what's the potential to grow this customer base. Fortune 100 customers today represent approximately 15% of our business, Fortune 500 customers today represent approximately 20% of our business. Average revenue from the Fortune 100 companies is about $400,000. Average revenue from a Fortune 500 company is approximately $200,000. Tali provided you an example of a Fortune 100 company that could be a multimillion dollar account. 
That just highlights how material it is an opportunity for us to expand within this customer base, maintain the sustainable expansion rate. And we continue to believe that we have not penetrated more than 20% even into our largest customers. And we made investments to accelerate that penetration and expansion. On the right side of the slide, you could see that the revenue coming from our Fortune 500 customers actually accelerated in 2021. Back in 2020, our revenue from Fortune 500 customers grew 26% year-over-year, with the investments that we made in 2021 with building strategic team, our top-down approach, we were able to accelerate this growth to 38%. To further highlight how increasing adoption of our platform becomes a significant driver for our revenue growth, I'm showing you 2 analyses of revenue by subscription. You could see on the left side of the chart, that our revenue from Enterprise Plus subscription of our full platform represented approximately 35% as of end of Q4, growing from high teens just 8 quarters ago. However, the portion of customers who adopted the platform is still very small. Approximately 5% of customers adopted the platform. Another -- about 35% customers on enterprise subscription and the majority of our customers on the Pro and Pro X subscription. That would present a significant opportunity for us with our new capabilities to drive accelerated growth and expansion of these customers. We also believe that we can also grow ASP for the platform. Entry level into the platform is $115,000. But our average revenue coming from the platform user is approximately $200,000. We definitely believe that with the new capabilities that we launched in 2021 and we'll continue to launch going forward based on our very rich road map, we will be able to grow ASP for the platform even further. Therefore, the platform will become one of the significant drivers of our revenues. 
And we believe that majority of our customer base will transition to the platform over time, therefore, driving significant revenue in the future. And this cohort chart actually highlights very well the opportunity that we see in front of us. And we continue to see that each and every cohort continues to more than double every 3 years, and that's what gives us confidence in sustainable net dollar retention rates that we see around 130% going forward. I would also like to speak about the new customer trends and the investments that we made in free tier and the cloud strategy bore fruit in 2021. Back in 2020, majority of our customers joined as self-hosted customers, 60%. We self-hosted 40% as SaaS customers. The free tier introduction and the hybrid approach actually reversed that trend in 2021. And we see approximately 60% of customers come in on a SaaS environment and 40%, self-hosted. So our cloud environment gives an opportunity for customers to land at smaller lands. And therefore, we see many more smaller companies adopting solutions like ours, but they expand much faster. It also provides an opportunity for prospects to try different components of our platform. And therefore, we see more and more customers when they convert, they actually land on the full platform, Enterprise Plus subscription. And we started seeing every quarter, several new customers joining us on the full platform. Despite that, the majority of our customers continue to land on the Pro and Pro X subscription. And therefore, we see just a slight uptick in our average ARR per new customer. It increased from approximately $10,000 in 2020 to approximately $11,000 in 2021. Now I would like to talk about our long-term model. Before that, I would like to reiterate the guidance that we provided last week. For Q1, we expect our revenues to grow $60.8 million to $61.8 million. At the midpoint, representing 36% growth year-over-year, and we expect to be around breakeven levels for Q1. 
For the full year, our revenue is expected to be in the range between $273 million to $275 million, 33% growth at midpoint. And for the full year, we expect to be around breakeven levels. Our Q2 expenses -- operating expenses will grow as a result of merit increases that will become effective in -- on April 1. And therefore, Q2 profitability will be the lowest point in profitability. And then from those levels, we'll continue to improve profitability and grow to the guided levels around breakeven points for the full year. Before I dive into the long-term model, I just kind of wanted to reiterate and explain the areas of focus for us for investments in the short term. First of all, on the R&D side, we significantly increased our investments, more than doubling quarterly investments from $8 million back in Q1 '20 to $18 million in Q4 '21, growing our R&D expenses from mid-20s to roughly 30% of revenue. And our investments focus in 4 major areas: innovation -- and during 2021, we ingested a lot of new technologies into our portfolio from PDN to projects to additional capabilities in distribution, so a lot of innovation that wasn't invested into. And based on the road map presented by Yoav and Nati, we will continue to improve and introduce new technologies to the market. Products. We'll spend a lot on the products, specifically in security and distribution areas. And Nati and Yoav showed you capabilities of our new security Xray product as well as Connect, X. On the infrastructure side, we spent on improving our infrastructure on the SaaS level. And that was one of the reasons why we saw improved gross margin on SaaS. But we also adjust our products to the global scale, introducing some self-service features as well as adopting our products more and more for the usage-based models. So in the short term, we expect our R&D to remain around 30% of revenue, and then after 2022, to start gradually converging towards 21% of revenue for our long-term model. 
On S&M, again, we significantly increased investments from approximately $13 million back in Q1 '20 to roughly $23 million back in Q4 '21, 75% increase in quarterly spend, which just focuses on community. And Micheline talked about new persona that we're after with the introduction of security capabilities as well as distribution capabilities. We continue to expand globally with emphasis on APAC and additional -- building additional capabilities in EMEA. We will continue to scale our strategic team as number of large customers adopting the platform continues to grow. And there are new areas of investment, such as channels and partnerships. So for the short term, we expect our S&M expenses to be around the high 30s, and then we'll gradually start converging towards our long-term model of 27%. So just to summarize our long-term model. On the gross margin, we expect our gross margins to be 80% in the long term. That is driven by the fact that structurally, our SaaS margins are lower than self-hosted margins. And while we continue to expand our margins on SaaS, they will -- structurally, they will be lower because of the hosting costs. And therefore, as cloud continues to represent a bigger and bigger portion of our revenue, we will start seeing a gradual convergence of our margins towards 80%. In 2022, we still expect our gross margins to be in the range between 83% to 84%. Our research and development targeted portion is 21%. Sales and marketing, 27%. On G&A, we expect that as we continue to grow, we'll continue to see more scalability and, therefore, we'll see gradual conversion towards 9% on the -- for the long-term target. So on the operating income, for 2022, we expect to be around breakeven levels and then beginning 2023, improving our profitability towards our low 20s as targeted operating margin. And we will continue to be free cash flow attractive, growing our free cash flow margins gradually. 
So before I finalize my presentation, I'm sure that we were able to demonstrate how significant opportunity in front of us. We're proud to have more than 6,600 customers that are top-notch customers in every industry. And we were able to build sustainable and solid business. Therefore, we believe that we will continue to grow at the rate of over 30% for the foreseeable future. With that, I'm happy to take your questions.

Operator

operator
#50

Our next question comes from Sterling Auty of JPMorgan.

Sterling Auty

analyst
#51

Yes. I want to drill in on sales and marketing spend in particular. If you look at kind of the current resources that you have, can you help investors understand how much capacity is still left to grow within those resources? And how much are you needing current hiring within the spend that you outlined to hit this year's numbers versus that hiring being more for 2023?

Jacob Shulman

executive
#52

Yes. Thank you for that question, Sterling. First of all, we continue to expand our sales and quota-carrying headcount during 2021. Not everyone is still fully ramped. Typically, it takes about 0.5 quarter to full quarter to onboard inbound sales reps, about 2 quarters to onboard strategic sales. So overall, we see that we -- in the high 70s in terms of quarter attainment. So we still have improvements from the existing headcount. And we obviously have plans how to increase that to maintain our targeted revenue commitments.

Operator

operator
#53

Our next question comes from Jason Ader, William Blair. Our next question comes from Rob Owens of Piper Sandler.

Robbie Owens

analyst
#54

Jacob, as you look at the success you've seen in retention rates and you predicted they'd bottom kind of on the tougher comps coming out of COVID, but now back up over 130%, where could those potentially go to longer term in your mind?

Jacob Shulman

executive
#55

Yes. We definitely see improvements from the pandemic lows, but we're not yet -- the pandemic is not out of the woods yet. And prior to pandemic, our expansion rates were slightly above 140%. Today, we have 130%, so we definitely expect that we could -- we will improve. But again, we're not out of the woods yet. And therefore, currently, we're projecting and taking into our guidance that we will remain around 130%.

Robbie Owens

analyst
#56

Is there any dynamic either from the customer base in aggregate or as you're moving up market that could put some type of governor on that as you look aspirationally to get back to 140% longer term?

Jacob Shulman

executive
#57

Yes, absolutely. So first of all, Tali spoke about the great potential in conversion of our Pro customers to add additional security capabilities. Today, on average, entry point into the Pro customer is about $3,000. On average, they pay about $4,000 annually. Just adding security capabilities takes that 5x opportunity. So definitely, we believe that new security capabilities that we introduced will help us to drive that expansion. On top of that, the strategic team and Tali again showed an example of a large customer who doubled -- almost doubled in a year. So -- and as more and more customers become strategic and a portion of larger customers become a bigger portion of overall business, how fast we expand them, that what will define our overall net dollar retention. And that's why we put emphasis on expanding these large customers to be able to continue and expand our net dollar retention further. With that, I would like to invite the entire executive team up to the podium to take further questions.

Jason Ader

analyst
#58

Can you guys hear me okay?

Jacob Shulman

executive
#59

Yes, we can hear you.

Jason Ader

analyst
#60

Great. Great. Yes, first one for you, Jacob. When you look at some of your software peers, a lot of times, you'll see sales and marketing as a percentage of revenue and kind of 60-plus, in some cases, even 70-plus percent of revenue. Is there an argument that you guys could be spending more on sales and marketing, really kind of stepping on the gas? I know that you probably would argue you already are stepping on the gas. But you're still, like I said, well below some of your high-growth peers, especially with this kind of new push on security as an entry point avenue that Tali spoke about. So just maybe just talk through what are some of the puts and takes there.

Jacob Shulman

executive
#61

Yes, absolutely. So first of all, I'd like to remind everyone that in early days, we took inside inbound approach. And when you sell to developers developer tools, they really don't want to see any salespeople. They want to try the tool and if the tool works, they want to adopt it. And that's what drove efficiency of sales to go-to-market strategy for JFrog. And this is what we continue to do successfully with the developers. Yes, introduction of the new security persona and as well as our new product persona changes slightly the go-to-market approach, and Micheline and Tali spoke about it. That's why we're also introducing additional capabilities such as top-down for larger customers adopting the platform, expanding into different geographies where it's not always bottom-up. So we definitely see that as we address more and more persona, the go-to-market approach may change, and that's how we start building capabilities. But again, to remind you, our audience is developers, and we don't believe that this is the best way to send sales -- very expensive salespeople to sell Artifactory. We definitely want to sell -- send them to sell the full platform, and this is what we've been doing successfully.

Jason Ader

analyst
#62

Okay. And then just a quick tech follow-up for whoever wants to take it. On the security side, you talked about some of your unique capabilities. I guess, I would think other DevSecOps vendors offer binary scanning analysis. So first of all, is that not the case? Am I wrong about that? And if it is the case that some of your competitors offer binary scanning analysis, what is it that you guys are doing that is special? Like, what's the secret sauce?

Yoav Landman

executive
#63

Yes. Thanks for the question. So I'll start and Nati can shed more details on the advanced Vdoo capabilities. So the -- one of the major differences that JFrog has is that our technology analyzes the binaries recursively. So we keep this graph, which allows us to immediately give you the impact of any vulnerability, which would otherwise require -- in other vendors, you'd have to speak with the developers. You have to run through the CI/CD process all over again in order to do this impact analysis where we can provide it to you in a matter of less than a few seconds. Also, there are some very advanced capabilities that Nati, I think you're the best one to speak about, in what we are acquiring now, bringing into the platform now with Vdoo.

Netanel Davidi;SVP JFrog Security

executive
#64

Yes. So to continue the answer from a more technical point of view. So the answer is, first, yes. There are other players that suggest or offer binary analysis from a bit -- not a bit, from a different angle. They are doing it as a very point solution, focused solution to provide specific type of output, mostly around bugs. When -- first and foremost, what we are doing is doing it as part of the platform and combining our capability with the fact that you can run on so many banners that are already managed by Artifactory. This is the first step. More tactically, the way we are doing SaaS on binary is a unique proprietary way that is highly focused on things that are really exploitable. And the way we do the Applicability Scanners that focus on CDs that are exploitable is unique to us. This is something that was not offered ever by anyone else's binary analysis tools.

Shlomi Haim

executive
#65

I would like to add to it. Maybe combine answers for what Jacob was asked and this question about security. JFrog is a product-led company. And when we think about what is the next product and what is the next solution. We look at the market, we do the analysis, we listen to the pain and then we act. Yes, there are other competitors that provide binary analysis. But you have just heard the vision from Yoav and then the practice from the market. How long do you think that enterprise would consolidate the repository, the distribution and the security around one solution? Why should I take a single point solution if I need a single source of truth coming from JFrog, if I need to remediate with distribution, so our security solution holistically look at the full pipeline, and therefore, I think that we are coming with a great advantage to the market. Going back to the question that was asked about adding more salespeople and maybe go aggressively after the market. This is what you do when you have one product to sell. You bring an army of salespeople. There is no value. There is no innovation. You bring an army of salespeople and utilize what the market have to offer. What we are doing is that we are introducing the world every leap with a new technology that solves an authentic pain, and therefore, part of what JFrog is seeing is this hybrid growth from the bottom up, embraced by the community and from the top down, extended within our customers.

Operator

operator
#66

Our next question comes from Brad Reback of Stifel.

Brad Reback

analyst
#67

Two quick ones. First, for Shlomi, you obviously have done a couple of acquisitions in the back half of '21. Just your thoughts on additional acquisition activity in '22? And then for Tali, if I look back to 2019, you added almost 1,000 customers. Obviously, '20 was impacted by COVID. '21, you sort of got back to 600. But what needs to happen for you to go well north of 1,000 heading forward, especially with an $11,000 ASP on average?

Shlomi Haim

executive
#68

So I'll start with the question regarding acquisition. JFrog acquired so far 8 companies successfully. The reason I'm saying successfully is not only because of the technology integration. It's a great honor to have all founders still working with us. It's crazy. If you think about it, 5 years ago, we acquired Conan, we acquired CloudMunch. Their founders are still with us building this company with us. It's not just about the culture integration, the technology integration. It's also about the leadership that comes with it. So we are taking very seriously the strategy around M&A, and it will come in 2 directions: A, we need to get closer to the edge and make sure that what we can deploy as a binary goes all the way there efficiently, automated and secured. So it will come either in expanding our security solution with JFrog Security, bringing more technology to support this flow or it will come with more capabilities that pushes deployment faster and automated to the edge. The second area that we are looking at is obviously the programmers. We call them developers today because they are a developer that runs a business of 10,000 developers. They used to be called programmers because they were focusing on the code. This is -- we are talking about the community of millions and millions of developers that, every day, come with a new technology that disrupt the market. We did it with Conan and as we get closer to the developers, you have mentioned it, we will stay there. And if it takes more talents that are coming from the community, that might be our next target. And obviously, on the business side, we will consider any expansion that will make sense for us in terms of the business growth. Tali?

Tali Notman

executive
#69

Yes. Thank you for the question. So as for growing additional customers towards this journey, as I presented earlier today, first and most of when you're asking how we are going to get there, then what you could see in this demonstration of these customers that we spoke about today is how we are embedding the value, the technology value and capabilities, additional capabilities in order to drive continuous expansion with our customers. So our land-and-expand motion is basically taking us there. Of course, Jacob mentioned in his slides that with the additional capabilities and what we are injecting to the product, we should expect to see also the ASP growing of these enterprise customers.

Operator

operator
#70

Our next question comes from Aaron Husock of Ashler.

Aaron Husock;Ashler Capital;Analyst

analyst
#71

Great...

Shlomi Haim

executive
#72

I think we lost the speaker.

Operator

operator
#73

Our next question comes from Steve Enders from KeyBanc.

Steven Enders

analyst
#74

I just want to ask about some of the cloud ARPU trends that you're seeing. I know it's below kind of corporate average ARPU at this point. But how should we kind of think about that trending longer term? And what are the key levers in your view that will help drive that kind of increased usage? Or is it upside on the plans? What are kind of the big lever points to drive that higher?

Jacob Shulman

executive
#75

Yes. We see a continued trend of increased ARPU on the cloud. It comes from 2 aspects. A is the increased usage by our customers. Our monetization on cloud is based on usage. And we see more and more customers using different capabilities of the platform, driving higher data transfer that will drive the monetization. We also see more and more customers landing on higher-end subscriptions. To remind you all that the Enterprise Plus subscription on the cloud became available only in the second quarter of 2020. So it's a relatively new offering. And therefore, we see many more customers who prefer to land on the Enterprise Plus subscription on the cloud, and that's what are driving ARPU from cloud higher.

Steven Enders

analyst
#76

Is there any way to kind of think about kind of the percent of enterprise customers, the Fortune 100, Fortune 500, which I appreciate the updated numbers there. But the percent of them that have kind of began adopting the cloud solution at this point and be getting a bigger push there?

Jacob Shulman

executive
#77

I don't have the exact stats for the Fortune 100 or Fortune 500. What I can tell you is that a significant portion of over $1 million customers do have hybrid installations. Many of them use both self-hosted and cloud. And actually, some of them use cloud only.

Yoav Landman

executive
#78

I can add to that, that we're seeing customers that are choosing multi-cloud now and also a new pattern of distributed cloud. You heard Fidelity speaking about it. Basically, it means running application all over the world closer to where they need to run. So that also impacts the growth.

Operator

operator
#79

Our next question comes from Sanjit Singh of Morgan Stanley.

Sanjit Singh

analyst
#80

Shlomi, a great first Analyst Day. Great content. I wanted to talk about cloud. And I think the tone of the company coming out of Q4 earnings and today on cloud has definitely changed in terms of tone. You guys had a pretty neutral posture beforehand. What's sort of driving the change in terms of leaning in more aggressively to cloud? And do you think with your efforts, if you're successful in cloud, is that going to be accretive to JFrog's growth? Or is it going to be more of a model shift from on-prem -- from your on-premise customers to cloud? If you could address that, that's the first question.

Shlomi Haim

executive
#81

Thank you, Sanjit. If 10 years ago, this question would be asked, I bet that the majority of the vendors in the market would say, cloud will not happen, on-prem will stay forever. We watch the market very closely, and we see the transition to the cloud. But we see a very unique transition to the cloud. First, what we see is that all enterprises are choosing multi-cloud solution, not only one cloud. Second, what we see is that most of them, as Bill from Broadcom well emphasized, most of them are looking at the hybrid environment, even in the far future. What we see, we see vendors that are closing the door on self-hosted and an on-prem solution. And we also see vendors, new vendors in the market, that started in the cloud and they have only cloud. We serve the enterprise. We serve the developer in the enterprise, the DevOps engineer, the security engineer in the enterprise. And they have other needs. And what I mean by that is that the balance that Yoav spoke about in our philosophy is -- forever stay our mantra. A, we need to make sure that we can support the enterprise need as our destination. B, we want to give the developer the freedom to choose the deployment environment, the production environment, the development environment. So in short, I will say that in the next few years, we will have more and more capabilities in the cloud. We will add more and more cloud and not just the major 3. We will have more and more releases to the cloud, but we are not going to push customers to the cloud. And with that, I want to add one last thing. JFrog is a super technical company. This is our DNA. This is how we think. This is how we develop. And the best experience that we can offer to our audience, whether it's the community, our customers or our partners, would be to use the best, latest and greatest version coming from our store. And there is nothing better for a company like JFrog to get an immediate feedback on the technology that was released. 
In the on-prem, it's really depend on when the enterprise itself decided to upgrade. So we see it as an advantage that we see more and more customers are moving to the cloud. The 3 tiers that you asked Micheline about earlier, this is not just a deployment environment for us and a route to grow. It's also a mirror that shows us if we are in the right direction. So yes, we want more and more customers to move to the cloud. It's part of our strategic decisions, as Jacob and Tali mentioned. And no, we are not going to push them to do it. So if the question was, are we going to do a sunset on all the on-prem solution? Not in the next few years.

Operator

operator
#82

Our next question comes from Koji Ikeda of Bank of America.

Koji Ikeda

analyst
#83

I wanted to build upon that question about the hybrid and the multi-cloud. And Shlomi, this question is for you. Going back to your presentation, I remember a slide talking about the hybrid and the multi and then also the edge cloud. And I wanted to focus on the edge cloud, thinking about binaries and DevOps at the edge cloud. When does that become a reality in your view? And how much different or maybe more complex of an environment is that versus what we see today?

Shlomi Haim

executive
#84

Yes. Thank you, Koji. The edge is really what you define an edge, okay? If we are speaking about getting software deployment on an edge, which is a server that sits next to your developers in Europe or in APAC or in the Middle East or in North America, then it already exists. And as we reported in the past, this is our #1. This is the key driver for our customers to upgrade to the end-to-end platform, to the Enterprise Plus subscription. So this already exists. But there are other customers that will refer to the edge as a device. And this is what Yoav shared not only on this slide but also with the live demo. We are working on something that can be scalable. The difference between an edge that looks like a server and an edge that looks like a device is the scalability. And everything that comes from JFrog scales to infinity. We take pride in the scalability level that we got to. And we know that millions of devices, billions of devices require some seriousness and responsibility on the vendor side. The next thing will be also to secure it. So obviously, edge as device will take more time. Edge as a server on your data center or cloud already exists, and we have hundreds of customers that upgraded to the Enterprise Plus because of it.

Operator

operator
#85

Our next question comes from Aaron Husock of Ashler.

Aaron Husock;Ashler Capital;Analyst

analyst
#86

Sorry, I cut out earlier. I want to ask about Log4j. I think you did a great job articulating how Artifactory and your security offerings can really help your customers with Log4j. Unfortunately, it seems like the first half of 2022 is going to be a period of kind of heavy Log4j response from large enterprises. Can you just kind of frame what you're seeing in terms of pipeline development and bookings if you've already had some that seem to be driven by Log4j?

Jacob Shulman

executive
#87

Yes. As indicated by our technical executives here, by Yoav and Nati, Log4j episode just highlighted how important our platform is. And therefore, we did see increased level of interest in the capabilities. We helped multiple customers and prospects during Log4j episode. And we are seeing that they're looking very closely into our products. And we believe that this event, Log4j, will drive increased pipeline going forward as -- just due to the fact that it highlighted again the importance and the value of the entire platform to our customers and prospects.

Yoav Landman

executive
#88

Yes. I'll add to that, that the work that we did around the Log4j data center -- sorry, resource center, created thousands of opportunities. We had tens of thousands of visitors coming in to read and learn. And we got many calls, many different calls, some calls saying, we want to enjoy early bird knowledge about zero-days that you are bringing from your team. We got some others saying, how can I utilize Xray with Artifactory to block things whether before they come into the organization or if it's already there, how can I identify it and block it afterwards. And there were some others that were simply excited by the fact that we learned so much and conveyed so much messages and knowledge about Log4j, that they wanted to come closer to the security team and get to be more familiar with our road map and agreeing to start POCs to learn about the capabilities. So I don't have one answer for that. I can share that it takes tons of attention, especially because it comes now from the regulators around the world. And we will, as Shlomi said, keep listening to the market and provide the right answers and the right answer as part of the platform, not in Xray only.

Netanel Davidi;SVP JFrog Security

executive
#89

I fully agree about that. The fact that we have Log4j is merely an awareness factor. So what it did, it create a huge impact in the market, bringing the awareness for security even for the single developer. And I think this calls out for solutions that JFrog platform actually solves today to prevent other Log4j incidents because there will be other Log4j incidents. It's not a question of if, it's a question of when.

Operator

operator
#90

Our next question comes from Rob Owens of Piper Sandler.

Robbie Owens

analyst
#91

Wondering if you could touch a little more on the international opportunity as it represents one of your growth vectors moving forward. Just in terms of where it is with regard to DevOps maturity, any incremental competition outside of the U.S. that we don't consider that might be regional?

Micheline Nijmeh

executive
#92

Thanks for the question. As mentioned earlier, so EMEA and APAC is obviously a focus for us this coming year or 2 as of now and continue to expand in there. What we're seeing from the APAC specifically, they're still early in the DevOps journey. We want to make sure that we are able to build the brand, the awareness, the education. And we're starting with the community first. As Shlomi said, we -- our developers is our hearts and minds, and we want to make sure that we continue to expand there as well as build with our partnerships in the APAC region as well as continue to evolve with EMEA.

Operator

operator
#93

Our next question comes from Mike Cikos of Needham & Company.

Michael Cikos

analyst
#94

I just wanted to add, if I'm thinking about the number of products that you have and you're building out of this platform, the acquisitions, combine that with the go-to-market initiatives, the bottoms-up approach you're maintaining and this top-down approach you're layering in and then the indirect channel potential to improve the net dollar retention, why shouldn't we expect revenues to accelerate from where they are today just based on the number of positive momentum drivers that we're talking about?

Shlomi Haim

executive
#95

That's a great question. I'll start and Tali, Jacob, if you want to chime in. First of all, like every other SaaS company, you land, you expand. The potential that we see within our portfolio, based on the innovation and technology we added in 2021, is huge. Jacob shared it, Tali shared it. We have over 3,000 customers that are still using just Artifactory on the basic subscription. This is on-prem. Second, what we see in the cloud is the moment that you introduce yourself to the JFrog platform in the cloud, you get all the product in front of you, unlike the on-prem different subscription. So we think that we will see growth there in terms of consumption and usage. The third thing that we see is that there are new persona, as Micheline mentioned, that we never met before, and they start to reach out to us not only in terms of what Artifactory can do for me but also how can you support me with my security pain and how can you support my distribution and multisite topology and how can we distribute something to China when this is prevented from them on the regular CDN solution and so on. So I think that we see a lot of areas that we can go. But what gets us very excited is that it comes with the Vdoo technology that at least half of our customers are still not using. So we are very optimistic about that.

Jacob Shulman

executive
#96

Yes. I would like to add to that, first of all, new security capability is fairly new. And frankly, we're in the midst of the integration and by midyear, in our user conference, we will present the results of the integration. So it's fairly new. It opens up additional opportunities, and we invest for the future. So definitely, all of these capabilities and opportunities that we present today, it's not just what we see right away. Some of that will be extending beyond 2022. And obviously, in terms of the monetization, security is probably the shorter-term monetization starting point, going to all the way to devices more 2023 and beyond.

Operator

operator
#97

We have time for last question. Our last question belongs to Steve Enders of KeyBanc.

Steven Enders

analyst
#98

I just want to ask about -- you give that customer example in the Log4j section, I think you said it was able to resolve it and deploy in 12 hours. I guess how sophisticated and mature was that customer and their DevOps practice? And how do you kind of generalize that use case across the chasm and take that across both your existing customer base and potentially leverage that into the new opportunities?

Netanel Davidi;SVP JFrog Security

executive
#99

Yes. Thank you. It's a great question. So JFrog was doing software supply chain from day zero. If you think about it, Artifactory, the reason it existed from the first place is about controlling what gets into the organization. And the Log4j use case is a great example of that because once you have a single place in the organization where you can not only just scan binaries but you can also apply rules to avoid the consumption of misbehaving binaries, let's call it like that, then you break this asymmetry that CISOs and security organizations which are, frankly, even in a very big organizations, they are very small compared to the amount of developers. So this brings out a new -- really a new partner for how you can apply security in a way that is not interfering with the regular development work because you don't want to break the productivity of developers. And for that, you have to be -- you have to have the right tools. You have to be in the right control points. And JFrog, obviously, with Artifactory and now especially with the Vdoo acquisition, is in a great control point to apply such patterns. I hope that answers your questions.

Steven Enders

analyst
#100

No, definitely. That's helpful.

Netanel Davidi;SVP JFrog Security

executive
#101

Thank you all for your questions. I would like to invite Shlomi to the podium for the closing remarks. Shlomi, please.

Shlomi Haim

executive
#102

Thank you very much for joining us today. I'm listening from the sideline when the team spoke about what we have built, what we've created, almost sounds easy, where hours, days, nights of investment in everything we've done this year. There is no battle that I wouldn't take with a thousand Frogs that are working day in and day out to support the community, the customers and the community growth and the company growth. I also want to thank our shareholders and analysts that joined us today. Your time is not taken for granted, and I hope that we provided content that helps you understand better the liquid software and the JFrog story. And last, if I may, it really comes to one question. Every company you see in the industry, and you guys see all companies, it really comes to one question. Is it a trustable vendor, predictable, deliver what was committed? And are they betting on the right future and the right technology? I'm sure that there were questions 10 years ago about electric vehicles and 12 years ago about cloud. I'm telling you right here, right now, binaries are the future. And JFrog introduced the world with this innovation, and while doing so, educate the world, building a business and grow. We are positive that our road map will lead to a different way of managing software, of managing the software supply chain and security and making the world not just green but also liquid. Thank you very much for your time. Thank you to my team. Thank you.
