JFrog Ltd. (FROG) Earnings Call Transcript & Summary

June 9, 2022

NASDAQ US Information Technology Software conference_presentation 36 min

Earnings Call Speaker Segments

Koji Ikeda

analyst
#1

Everyone, thanks for joining the JFrog session. My name is Koji Ikeda. I am one of the software analysts here at BofA in the enterprise software team. So thanks for joining us. I am absolutely thrilled to have JFrog here, Shlomi Ben Haim, Co-founder and CEO. Thanks for joining us today. Super, super appreciated.

Shlomi Haim

executive
#2

Thank you for having me. Pleasure to be back in person.

Koji Ikeda

analyst
#3

Yes. Yes, very excited to be back in person.

Koji Ikeda

analyst
#4

So Shlomi, I guess for those in the audience and on the webcast that aren't familiar with JFrog, maybe a little bit of an introduction of yourself, since you are the Co-Founder and CEO. What is JFrog? What do you guys do? What is the opportunity you're trying to disrupt?

Shlomi Haim

executive
#5

Great question. And my name is Shlomi Ben Haim, I'm 1 of 3 Co-Founders. Together with my partners, we founded JFrog in 2008. We always say by the community and for the community. We developed tools that will help developers to be more efficient. On the highest level, it's not a cliche that we are saying that software [indiscernible] everywhere, software is powering the world, everything we do. And what we see is that organizations are in the process of adopting digital transformation. Now what digital transformation really is, Koji, is all about getting faster and secured and move software from the hands of the developers from point A to the edge point Z as fast as you can and secured as you can. In order to do that, you have to automate the process. And in order to automate the process, you have to build the relationship between the machine and the developer. This is what we call DevOps, DevSecOps. JFrog is a company that provides you a solution for your DevOp solution when you build your software to secure your software supply chain. That's the second bucket that we are covering and to take your software all the way to the edge. These are the 3 main calls that we are after. The way we do it is by focusing on what the industry calls software packages or binaries, which is the only asset that can automate your software supply chain, DevOps, security and IoT.

Koji Ikeda

analyst
#6

Got it. Thank you so much. So you guys recently had a conference swampUP a couple of weeks ago. I really apologize. I wasn't there. So this is a great question for me, too. So could you give us maybe the high-level takeaways you had a bunch of product announcements. I mean, coming out of that event, what were you most excited about?

Shlomi Haim

executive
#7

Well, we were busy, we were busy while being remote and it was amazing to come back and meet the community again. JFrog is a very in-person community company, and it was great to see our customers and users in San Diego. This is a city tool. So the first swampUP happened in San Diego, and we will have 5 of them around the globe. The main takeaways that came from the keynote, we had several announcements that were actually solving specific pain on those 3 calls, DevOps, security, IoT. The first thing that we spoke about, together with Apple on stage is a new standard coming from Apple called Swift. As you know, Artifactory, the binary repository manager is a universal solution, and now we are the first and only company that support this new standard coming from Apple. They were with us on stage, very excited to announce. They are moving from source code automation to binary automation in order to have Swift as the new standard for iOS developer. The second thing that we announced was the advanced security package. As you know, we acquired Vdoo a bit more than 3 quarters ago, almost a year, almost our anniversary. And we were very excited to share with our users what advanced security in the software supply chain means. We spoke about binary security. We spoke about the only way to protect your software supply chain. Now without getting into too much details, the main thing that happened in the last 2 years is that the developers of the world are going with a target on their back. The hackers are getting into your organization through the developers. This is why you heard about Log4j and Spring4Shell and SolarWinds. This is how you get into the organization today. You want to protect your software supply chain. The only way to do it is with binary. And obviously, the naked solution around that comes from JFrog. So we spoke about the new features that Vdoo and Xray brings together to the market and already available to our users.
And the third piece that we spoke about is the IoT. We acquired Upswift 3 quarters ago as well. Upswift is a company that built the platform to manage the deployment of the binaries, all the way to the device. Now listen, the DevOp journey will not be fulfilled until the developer will be able to deploy the binary security on your device because what's the point of being faster, if you cannot get it all the way to the end. What we demonstrated on stage is the new product coming from JFrog called JFrog Connect that connect the world of DevOps and IoT together. And together with the security and the repository, you can now see the full flow of what we call Liquid Software of taking software packages all the way from the creation, from the developer hands to the deployment and to the device. We also spoke about Pyrsia, which is a new network, open source together with the community with companies like Docker and others that we did for the community to curate binaries wherever they are. So developers will be able to feel free to use them if they bring it from the open source. There were a lot of excitements around that. We were very happy to see the follow-up and we are now in the process of giving it to the market.

Koji Ikeda

analyst
#8

Thanks, Shlomi. Thank you for that recap. I want to dig in on a couple of the things that you said there. So when I talk about JFrog with investors out there. One of the first things I do is I pull out my iPhone and I say, hey, when you guys wake up in the morning and every now and then, you see an app on your phone, just kind of update. This is DevOps in the supply chain of software in real time. This is what you're seeing. And please correct me if that's wrong, in a characterization of the supply chain of DevOps. But I think it's very interesting that you talk about this Apple partnership that you have, this announcement. What does this unlock for you from a TAM perspective? First question. And then a big debate that I always hear out there with JFrog and some of the other DevOps players out there is, source code management versus binary repository. And you talked a bit about that, but I wanted to dig into that more. Why is Apple making that change from source code, you said automation? What was it source code to [indiscernible]...

Shlomi Haim

executive
#9

To [indiscernible].

Koji Ikeda

analyst
#10

Yes, yes. So tell me a little bit about that.

Shlomi Haim

executive
#11

Yes. Okay. So you're right. We are using iPhone. And if you like your devices, whatever the device is, iPhone is one example, you have to update the software. If you drive a Tesla, you have to update your software. If you use a coffee maker, to deplete that, that would take a software. So basically, this update, what is it? It's a binary deployment on your machine, right? My iPhone, your iPhone, they don't speak English. They don't speak source code. They don't know what a Git repository is unless you pack it as a software package as a binary and deploy it. You need it to be secured and you need it to be deployed all the way to the device. Currently, if you want to update your iPhone, you will get this iOS message probably schedule it for the night time and then reboot your phone 3 minutes. We all know the app is painful. This belongs to the '90s. I have 3 doctors. None of them is excited about software update. I still remember the first driver, the CD, the media that we used to update software with. This is changing. It's not a matter of if it's changed. It changed as we speak. What we announced with Apple was not about the update of your Apple devices. What we announced with Apple was a new standard that they want to provide to the millions of iOS developers to the hundreds of thousands of companies that are dealing with iOS, and they wanted to give them a better way to automate. If you want to automate software and to secure it, then you have to deal with the software packages. This is how you build the automation. What they did together with JFrog was to have natively support -- to have a native support of Swift package coming from Apple in tools like Artifactory, Xray and JFrog Connect. For iOS developers, it's great because then they can be faster and more secured and to have a standard that is sponsored by Apple. Regarding the competition you mentioned, Koji, that's a question that we keep hearing. 
So help us understand, what's the difference between source code and binary management. Source code is a very important tool to manage your code when you are a developer. This is where you manage your version. This is where you share it with other developers. This is how you sort of build your software. The moment you build your software, what you create is the software package. The moment you go out like 90% of us going out to the field, to the open source and you bring software, software package. When you hear Docker and you hear Kubernetes and you hear Maven, and you hear Gradle and .NET and, [indiscernible]. These are all software packages. Developers need a Git repository to manage the source code. Machines, what happened in DevOps, machine in order to automate need software packages. When you need to secure it, you need everything that you have in the software package. And this is 2 different aspects. It's like having source code is one thing, having a binary management tool, it's a different thing. JFrog is focusing on that. Before JFrog, nobody did it. You would build something in-house. However, source code management is there for 30 years, 35 years, Subversion, Perforce, ClearCase, you name it. Git is probably the modern technology. When you want to promote your software and to test it, and to automate it and to secure it and to deploy it, you will do it on the binary level. This is why software supply chain security can only happen on the binary level, never on the source code. So when Apple is thinking about automation, they understand what I just explained. These tools in the world of developers are coexisting. You have your version control for source code and you have your binary management and you have your deployment observability tools, project management and everything else.

Koji Ikeda

analyst
#12

Thank you. Thank you very much for that. I get that question a lot. So when we think about dev side then the ops side and the security on top of that, and then we add this IoT, I just want to be absolutely clear here. So when I think about IoT devices, definitely your Apple Watch, your phone. But when I think about your -- Teslas out there or even your refrigerator that has software on it. I mean, are you telling me that any time I see an application on any device that is an opportunity for JFrog?

Shlomi Haim

executive
#13

Every time this application need to be updated on whatever reason, security breach or just improving your software. It's a binary deployment coming from tools like JFrog.

Koji Ikeda

analyst
#14

Got it. Got it. Got it. Okay. So when we speak with developers, and we speak with a lot. We were always asking them, what do you guys use out there? What's the differentiation, et cetera. Artifactory comes up a lot. There's a binary repository. This is the one you want to use. Why is that? Well, how have you been able to establish over the years this premier position in binary repository management or your binary management?

Shlomi Haim

executive
#15

Well, thank you, and thank you for the feedback. And we hear it a lot. People are saying, Artifactory is a standard maker in the world of binary. The main thing that you feel as you scale as an organization, when you have more developers, when you have more binaries, when you have more open source, when you have more deployment environment, when you are working in your on-prem environment but also building your cloud environment, the main thing that we hear is that organization requires the single source of record. I need to know that if there is a vulnerable look for [indiscernible] somewhere, I'm going to the database of DevOps, to the repository, to the Artifactory and replace station zero and remediate fast. I need a single source of record for everything we do. Think about it in the world of sales, okay? In the world of sales, if you will have salespeople that are working outside of your Salesforce, it will be catastrophic. It will be chaotic. But all of them have to work against Salesforce and the support team will work with Salesforce and other. Same thing happened in the world of development. You need to manage your software packages in one place. And Artifactory became the database of DevOps because of that and because of universality because we didn't ever said to developers, no, you have to do it with Java or you have to do it with Docker or you have to do it with .NET. We said, whatever you use, we will serve you. Today, JFrog support over 30 different technology type that's by far, higher than every other competitor. The second thing is that you build binaries by millions every day because it's not just the developers, it's also the machines. So it need to scale. And Artifactory is scaled in all other tools in the market. Artifactory is actually powering 85% of the Fortune 100 and 50% of the Fortune 500. And the world is powered by this machine that scales to Infinity.
And unlike source code that is being created by developers, binaries are brought from outside and created by machines. So it's a lot and you have to scale and you have to scale fast. Our customers are telling us. If JFrog is down, the business is down because nothing can work around Artifactory. And the third thing about Artifactory and there are a lot of other reasons. But the third thing that customers and developers really like about it and made it the kind of single source of tools for all of these organizations is the fact that Artifactory is smoothly, very well integrated with your ecosystem. We recognize the fact that what we do, we do best. But you also need observability. So what about integration with Datadog. They need the binaries. Yes, Artifactory will be the database. What about [indiscernible]? I need to manage my project. They need the binaries. Yes, I will go to Artifactory. What about GitHub. I'm building from source code. I'm building binaries. I need to deploy it somewhere. Yes, I will deploy it in Artifactory. So Artifactory became the heart of the software supply chain. Well, other tools that are integrated with JFrog are checking in and checking out on a minute basis. So it made Artifactory, not just sticky but also very popular and kind of setting the standard.

Koji Ikeda

analyst
#16

Okay. Okay. I get it. And I want to take this moment to kind of get a little bit in the weeds of how Artifactory works within an organization. So certain DevOps tools are attached to a project. Is Artifactory attached to a project? Or is it more deployed on an enterprise type basis? I guess the question is, how does Artifactory look and feel within deployment at an enterprise?

Shlomi Haim

executive
#17

So we see different use cases. The most popular one is that you will use an Artifactory as a blessed repository for the entire organization when it comes to the enterprise. And then replicated Artifactory is closer to your developers. So it goes by deployment environment. It goes by teams. It goes by project. When we look at big organizations like all of the top 10 banks in North America are followed by JFrog, they have thousands and thousands of developers. You have to get closer to the developer, you have to give them a silo project repository, but you also have to tell them, this is mother ship. You don't go outside. You drink, you take directly from the mother ship. So first thing we see is single source of proof installment and then satellite that serves teams of developers, different projects and different deployment environment.

Koji Ikeda

analyst
#18

Got it. Thank you. I want to change the subject just a little bit, thinking about competition out there. So I mentioned earlier, I talked with a lot of developers, they always talk about Artifactory. So how do you think about the competition? Are there other competitors out there? Do you think about maybe point application providers at the competition or the platform vendors? I mean how do you guys characterize your competitive landscape out there?

Shlomi Haim

executive
#19

Well, first, the -- I'm honored to be in an industry that is evolving and changing so fast. Like every other day, you hear about a new DevOps technology, a new DevSecOps company and so on. But going back to the 3 calls that JFrog is working on, the DevOps, the security, the IoT. In the landscape of DevOps, what we usually see is that we are replacing homegrown solutions and homegrown solutions that were built not so long ago, 10 years, 15 years ago. This is what -- this is how they manage the binary. Now they need something that scale, something that is universal, something that is integrated, something that is cloud native. Boom, that's happened for us. That's the first tier. Second tier is point solution. And there are other tools in the market that provide package management repository. One of them would be Sonatype Nexus that have quite a large installed base in the market. Other will be the cloud package management, like Amazon ECR or Google GCR or Azure ACR or serving as a Docker registry, which is also a binary. And these point solutions, it's a -- you can compare the scalability and the efficiency of Artifactory versus these tools, but they are there as well. When it comes to security, second call, there are -- most of what we have in the market are point solutions. Remember, when you secure your software supply chain, the only way to secure it, the only way, ask every developer on the planet. The only way to secure it is by looking at the binaries, not source code and nothing else, just the binaries. This is the only way to protect your software supply chain. Now if you understand that the developer became the target and you understand that what you bring from outside might be vulnerable or might make you vulnerable, then you want a solution that not only scan and let you know, hey, Koji, you have a Log4j here, but also tool that tells you, here is the repository, replace this package and distribute it. 
So holistically, when you look at security, it's not just about the Xray scanner and the Vdoo technology that we brought in, that's obviously empower the solution. But the end-to-end solution from the repository to the security, the scanning, the identifying, the policymaker all the way to distributing it to the edge, so I will remediate faster than others. Our customers remediated themselves from Log4j in a matter of hours. Others are still dealing with it as we speak. So this is for security. Point solution, point solution in the world of security like WhiteSource or Black Duck or Veracode or Snyk. They are good, but they are point solution. What we see and what we hear from the industry is that they would like to have an end-to-end holistic security solution. Now on the IoT side, 3 years ago, I said -- at swampUP, I said every company will become a DevOps company, not a software company because it's all about automation now. And 2 years ago, we said security is going to be part of what you have to deal with Mr. Developer because the CISO cannot catch up with 6, 7 times releases a day. So you will have to take care of it, and you will have to protect your software supply chain. This is already a reality, we see it. What we are saying now is that 2 years from now, the developer will have to take the binary all the way to the device. And this will be the full fulfillment of the DevOps vision. And this is why we build JFrog Connect. This is why we acquired Upswift. In this world, JFrog is the only one to provide a distribution automated solution that connect the CI/CD and the IoT. I'm sure that we will see more competitors there as well.

Koji Ikeda

analyst
#20

That makes a lot of sense, thank you. I wanted to ask you a question about the enterprise adoption cycle. As far as we understand, you guys are bottom up, but you also top down from a buying perspective. And you mentioned who is the competition you might be going against homegrown solutions. There's other point application vendors out there. But thinking from the customer's lens, the enterprise lens. What is the catalyst that helps JFrog get standardized across the organization? What does it take maybe from too many tools or too much confusion or I don't know, talk to me a little bit about that. What is that catalyst for standardization?

Shlomi Haim

executive
#21

Well, usually, when you see an enterprise adopting more of JFrog and actually going after the platform story, the end-to-end platform story. They want to have a 360 full binary life cycle manager, which means is that don't just provide me with a repository and the [indiscernible] solution. Don't just provide me with the security and not just the distribution, I want all of it. So usually, the catalyst will be distribution. Distribution to edges became a very big thing when companies are now moving to the cloud. A lot of security demand and not just the native security or the legacy security, but also contextual analysis. It's okay that they have a vulnerable package. I'm going to know if I'm exposed, if I'm not, then why wasting resources and time on it. So security, distribution are the main catalysts for the enterprise to scale to the platform solution.

Koji Ikeda

analyst
#22

That makes a lot of sense. So in DevOps, you have your source code, you got your binaries and your Artifacts. And kind of the next process there is CI/CD. I think it's an interesting part of the tool chain, but I always have a little -- I struggle a little bit of understanding exactly what that is. So I got one of the premier guys in DevOps right here. So explain to me what exactly is CI/CD? Is this a huge category or not? Why is it important?

Shlomi Haim

executive
#23

Okay. These are two questions, the category and what CI/CD is. If you are a developer in the modern world, in the past 10 years, you would probably already automate the way you work. The way to automate what you do is to write your source to actually code and to take a CI/CD tool and automate it. It's like bringing the robot that keep building and keep testing what you hold. Source code with CI/CD on top of it creates binaries. So you bring a developer, you start to write the code, you start to automate it and you create binaries in order to take them to the next stage. This is CI. CD is this automation, continuous deployment versus continuous integration is the deployment of these binaries wherever they need to be deployed. So continuous integration and continuous deployment are the way to automate what you have built and to take it to the next stage. Continuous integration also help you to better test to do faster testing and to build in parallel concurrent pipeline. So you will be able also to distribute faster. Now with the second part of the question, Koji, I believe that what we see in the market is that CI/CD as a stand-alone point solution, just like as security, would not be the first choice of the developers, nor the enterprise. Organizations are looking to have platforms that are specialized in the assets that they are bringing. So CI/CD, my bet is that we will start to see more and more platform like GitLab, GitHub, JFrog and other and less stand-alone point solutions CI/CD.

Koji Ikeda

analyst
#24

Got it. Got it. And part of your platform, a big part of it is security. You talk a lot about it, security. You did an acquisition, Vdoo, you have Xray. It's all layered on top of the pipelines probably a big part of the Connect platform, too. So what are maybe some of the core differentiators of your security offering? And where I'm going with this is we hear a lot about security. There's the pure-play security vendors, there's other vendors within DevOp space as talking about security. So it almost gets watered down a little bit, like maybe security is just -- you have to have it as table stakes, but I know there's differentiators. So tell me a little bit about what are JFrog differentiators with security?

Shlomi Haim

executive
#25

Yes. Funny thing about, 2 weeks ago, at swampUP, when I started the keynote, I've asked the crowd to raise their hand if they have more than one tool to secure the software supply chain. 100% of the people raise their hand. Not even one organization had only one solution. Then I asked how many of you had 2 and, 3 and 4, and 5. And people just kept their hands up. Security, when you speak about security, you have to ask yourself, what are we trying to protect? Is it the developer that we are trying to protect or the organization? And when we brought in Vdoo. We brought a very strong, well trained security research and development team. And what they told us when we met them for the first time is that the world is shifting to protect software supply chain. The only way to do it is full binaries. And this is the technology that Vdoo build, and this is the technology that JFrog build with Xray. The reason it's happening is that now when you have a container, what you have inside this Russian doll is the world is blind to it. And you have to open it and you have to look at the composition analysis and the different dependencies and then to secure and to isolate the vulnerable piece and to tell the organization, yes, this should stay or no. This immediately have to be removed. And the only way to automate and manage it is through looking at the binary. So the technology that we build together with Vdoo have this capability. And not only that, they have free access to the repository to the warehouse of the binaries. So we can tell you about 0 days before others and to remediate you. We can tell you about vulnerable packages that you shouldn't be concerned about. We announced the contextual analysis feature 2 weeks ago. This is basically tells you out of the 1,000 vulnerable packages you have in your list, 300 of them or 400 of them are protected by other places in the organization, stay cool.
But we started to build a bridge between the developer and the CISO, not just with the alarm system, but also with the remediation process. We announced this, the 0 days capabilities, the interaction with -- the integration with Artifactory and distribution to take your binaries all the way to the end and a lot of other features that are part of the advanced security piece of JFrog. Now what we know now, and this is why we invested, this is why we acquired Vdoo. This is why we keep investing more in security. What we know now is that most of the organizations are already in the process of becoming faster with DevOps. And they now -- when they look at the challenge they have in front of them is that they became too fast and they lost a lot of points on the security because the traditional tools are not covering the software supply chain. JFrog is the only company that provides an end-to-end holistic security solution for software supply chain protection.

Koji Ikeda

analyst
#26

When you were at swampUP and you asked the question who raise your hand of how many security solutions people are using and you are telling -- you just told me people have 2, 3, 4, 5. How do they end up there? Why do they have so many? What is that issue?

Shlomi Haim

executive
#27

Well, that's exactly the point. They have a solution that secured their container, and they have a solution that secured the Git repository, what we call statistical analysis, the scan your source code and they have a solution that secured their binaries, and they have a solution that secured their binaries in the run time environment. And you start to see pieces and some of it coming from a different wallet, not even the developer. Most of the security tool are hated by developers because someone from security or from legal pass it on them and then they need to have another security tool to scan their open-source project and to see if they have any license compliance issue. So they end up with a bunch of security tools, a long list of what they have to review before they release. And they slowed down, or they are not secured. So in both cases, they just add more and more layers in order to make sure that they are not putting the organization in a risk.

Koji Ikeda

analyst
#28

So I could remove all of those layers with the JFrog security platform?

Shlomi Haim

executive
#29

All of what is related to the software supply chain. We are not cybersecurity. We are not network security. When it comes to development and binaries, everything will be covered by JFrog.

Koji Ikeda

analyst
#30

Got it. That's amazing.

Shlomi Haim

executive
#31

A great opportunity for all.

Koji Ikeda

analyst
#32

I wanted to switch gears a little bit to the demand environment, kind of the go-to-market strategy. I've been asking all the CEOs and CFOs that I've been speaking with over the past few days, the macro environment, it's kind of a tough environment out there, so it seems. So I wanted to ask you the question with everything going on, Russia, Ukraine, Europe fears, China fears, inflation fears, et cetera. Are you guys seeing any impact to your demand environment? If you are, could you characterize that. But more so for the future, how are you thinking about positioning the business for a potential recession in the future?

Shlomi Haim

executive
#33

No, that's a great question. And without getting into too many details of the geopolitical situation. We don't see a slowdown count, not in EMEA, not in North America. APAC is in the process of adopting enterprise DevOps, but we don't see a major impact or direct impact of the situation on the market currently. However, one of the things that we started to hear is that this threat coming from a geopolitical corner is also a security threat. And organizations started to be vulnerable with cyber attack that comes for the developer. If you think about Spring4Shell, [indiscernible] and npm and Python and all of these packages are used by developers got into your organization and put you in risk. There was a discussion about software supply chain protection in the White House level. So I believe that if you take both the geopolitical threat and the cyber front, people are worried about what the developer can bring in. This is where JFrog can see an opportunity. Regarding the market itself, we don't see yet any slowdown.

Koji Ikeda

analyst
#34

So it sounds to me and please correct me if I'm wrong here. You were always a beneficiary of digital transformation and the evolution of DevOps and DevSecOps. It seems to me there's another layer here with everything going on, heightened sense of security as an important factor. Would you characterize these 2 as great tailwinds for your business over the next, call it, 12 to 18 months?

Shlomi Haim

executive
#35

Security comes with a higher demand, yes. Is it because of the geopolitical situation? I'm not sure, but we spoke with some CIOs that showed some concern about that. They will ask about changing the priorities inside the organization because of it. Moving to the cloud is another big thing that happened and people are not stopping because of what happened in the world or in the market. The movement to the cloud is a strategic move. Moving to multi-cloud and hybrid environments, strategic decision for the company. So these are all powered by DevOps and companies like JFrog are the solution for it.

Koji Ikeda

analyst
#36

Got it. Shlomi, we are out of time. Thank you so much for doing this. This has been great.

Shlomi Haim

executive
#37

Thank you for having me.

Koji Ikeda

analyst
#38

Yes, thank you so much.

Shlomi Haim

executive
#39

Thank you.
