JFrog Ltd. (FROG) Earnings Call Transcript & Summary

All right. Hello, everyone. I'd like to welcome you to the 26th Annual Credit Suisse Technology Conference. My name is [ Roddy Salton ], from the software team here in Securities Research at Credit Suisse. Very excited to host Jacob Shulman, CFO of JFrog. Thanks for being here.

Thank you, [ Roddy ], for having us.

So for those of us new to the JFrog story, could you share your vision for the company and help us better understand how you're offering fits within the broader software landscape?

Yes, absolutely. So JFrog is a company in DevOps space. Our vision is to power all software updates all the way from developer to the device. As you know, these people know software engineers writing the code and people know software running on machines. One in between, nobody knows. But that's a huge industry full of manual, inefficient, siloed, vulnerable processes. So JFrog came to this world to automate this entire process, all the way from developer [ James Frog ] to the machine. And we build a platform comprised of 6 products. And the whole value proposition of us is automation of this entire process.

Yes. So I just want to take a quick step back, talk about the macro real quick. What areas are you seeing the most strength and resiliency as you think about sort of your conversations today versus the beginning of the year?

Yes. We became essential product, mission-critical product for multiple for our customers. Our customer base is tend to be larger enterprises. Today, we penetrated into 85% of Fortune 100, majority of Fortune 500, a significant portion of Global 2000. So we solve problems at scale. And those enterprises -- by the way, it's across all the verticals. It's top 10 pretty much in every industry, it would be a customer of ours. So [ we ] diversified portfolio of large customers. Those are less impacted by the significant macro headwinds, and we became mission-critical product for them as they go through their digital transformation. So yes, we did talk about macro impact. We started seeing elongation of sales cycles. We did start seeing some optimization of cloud spend, about 30% of our business coming from SaaS product deployment types. So we did see customers more focused on optimization of cloud usage. We did see some project cancellations, et cetera. But overall theme of digital transformation being mission-critical expansion within our customer base continues to be strong.

And then how have you seen customer priorities change over the past few months? Anything you kind of stick out to you?

Again, digital transformation overall theme. We did see new trends emerging such as migration to cloud. So about 70% of our business today coming from self-managed. And we do see that large enterprises now taking cloud more seriously, if 2 years ago, none of the big banks wanted to talk about cloud. We clearly see this trend that now either they have started doing something or definitely seriously considering it. And therefore, we believe and it's long processes. It's going to be years for them to fully migrate into cloud. And some customers will never fully migrate into cloud. There are some Air Gap customers or some customers who are required to be on-prem by regulation. Therefore, hybrid solution is a key differentiator, and we offer hybrid solution, its same product for us, the train on-prem and cloud. And this is one of the biggest differentiators, and this is one of the biggest values also that customer sees in using JFrog.

Yes. And then as we think about sort of the top line growth, 39%, the most recent quarter, cloud growth, 60% is above sort of the mid-50s target you guys had laid out. Sort of what would have been the key sort of growth drivers? I mean you touched on a couple of them sort of what have been the most salient growth drivers thinking in your mind?

Yes. So first of all, we've seen growth of the platform. The full platform adoption of all of the products became a meaningful driver. We still have a small portion of our customers who transition to the platform and therefore, the opportunity is big. Approximately, we disclosed about, I think over -- just over 690 customers above [ $100,000 ] in the most recent quarter. The entry level into the platform is $115,000. Not everyone in that group is on the platform, but that gives you kind of some estimate what the number of customers on the platform, just about 10% of customer base already generates about 40% of the revenue. So adoption of the full platform capabilities, Artifactory flagship product, Xray security product and distribution. It's a product that allows distributing artifacts in different places to the customers. So we've seen that cloud platform adoption is the big driver. Second driver is migration to cloud and growth in the cloud. Cloud has been growing very nicely, 60% in most recent quarter, and we continue to see that cloud will continue to grow faster than on-prem. So cloud adoption. And just recently, we launched a new security product called Advanced Security. That's our first attempt to branch out of our software composition analysis where we significantly with strong player, branch out kind of to first step and end-to-end security. So that's yet another security becoming more top of minds for people, and we'll see more and more interest in that as well.

Interesting. And then as you think about that growth rate, I mean, how do you think about balancing organic growth versus inorganic M&A, particularly as a lot of your cash trap peers have seen valuations come down pretty materially.

Yes. So, so far, we've done several acquisitions. Most recently, we acquired 2 companies, about 15 months ago, Vdoo, which is a security company and the Upswift, it's a company that helps us to launch Connect product, the DevOps for IoT products. So the new advanced security capabilities based primarily on Vdoo acquisition, with the developers and know-how in the research team that we acquired. We have about $435 million on cash -- paying cash on the balance sheet. So there are a lot of opportunities for us to grow, immediate areas of focus would be security. And then down the line, IoT. IoT is more kind of a year or 2 to monetization. So it's more kind of a future play. And then as we try to build end-to-end platform in security, there are a lot of opportunities for us to expand the inter and we'll use this cash for M&A. We still see a lot of gap between public and private companies, some of them very well-funded yet. And therefore, they still believe that those great days will come back soon. So there's -- we still need some mindset reset. But we continue to work on our wish list and when the opportunity comes, we'll use that firepower.

That's fantastic. Yes. Just sticking on security, DevSecOps has been coming -- increasingly important, particularly as companies trying to be more agile and get out software releases even quicker. In that regard, can we just talk about JFrog platforms or how it's differentiated and why you chose to focus on this asset?

Yes. If you think again about how the software release is basically journey of one asset. It's a binary. It's a package that's readable machine language. From the moment it's created, it's tested, secured, physically delivered to different machines and deploy the same asset. It's a binary. And therefore, we focus our platform focuses on binary management. Now security became a very significant portion of our business because hackers face binaries. What's in the field? It's a binary. Binary is attacked by hackers. It's not the source code, but binaries attacked by hackers. And hackers found the easy way to get into a back door in the application, about 80%, 90% of all applications today use open source. So it's easy for hackers to ingest vulnerability into open source, and then this component is consumed by company, and this is how they find the back door. So securing your -- all of the components of your application, from the moment they get into your organization, all the way through the journey of creation, application and delivering and deploying to the end that's became on top of mind for people, given a new trend, a period called the software supply chain, it's all driven by security. And now my past is in the hardware business. So in the hardware business, every when you use vendors, you know what kind of components you're getting from them? What kind of quality assurance they go through? When you build your product, you have serial number, you know where the products go. Software industry operated differently. They would bring a lot of open source from different locations without properly checking the components, build the product, deliver it without chasing to customers. So that's changing. And security is one of the reasons for that. So securing software across all stages is important, and that's why it's a significant portion of our platform, alongside with Artifactory that's becoming a significant value proposition for our customers.

It's interesting you mentioned that because everyone thinks open source, it's checked by the whole world. So it must be fine. But at the end of the day, that's actually one of the biggest...

We've seen several major issues, security vulnerabilities coming from Log4j recently SpringShell, SolarWinds and some others. So people [ don't mind it ] today to securing the software from open source all the way to the end device.

Yes. And then just focusing on the software supply chain. I mean you talked about Artifactory, is there anything else sort of in the products that you think that particularly address that?

Yes. What's important is a combination is a platform play. Artifactory is your database of DevOps. This is where all software resides and this is what being secured. But as a security tool, it's not kind of when you look at platform play versus point solution security, it's not just important to identify vulnerability. It's also very important to remediate the vulnerability quickly. And foreign solutions don't have -- don't provide those capabilities. Therefore, combination of a platform play with Artifactory, security with Artifactory and distribution helps you to significantly improve your remediation capabilities. So I'll give you an example. One of the top 3 banks in the U.S. when Log4j was announced, it started a race between [ high characteristics exploit ] Log4j and the companies to protect themselves from Log4j vulnerability. So one of the top 3 banks in the U.S., very large corporation has thousands of applications running in hundreds of different environments was able to remediate that vulnerability with a matter of few hours, less than 12 hours. How do we able to do that? First of all, instead of scaling each application by -- one by one with security tool, they went into Artifactory and Artifactory is your database of all of your software shows you within a minute, where is this Log4j component resides and what application, what environment. So it's not even a security tool issue, it's a Artifactory issue. Then they brought new component, fixed component from open source. They [ scanned ] with security tool and then automated they build again with Artifactory, not security solution and then distributed revised software to endpoint, again, with distribution, not the security solution. So therefore, we see that the platform play is a significant differentiator, significant value to the customers, and we'll see more and more companies kind of consolidate point solutions in the platform in the future.

Yes. It's interesting with the Log4j. You saw some companies start some weeks to -- I mean even -- even now so -- yes.

[ Actually recently view ] some people doing that. And obviously, if you're a financial institution, you cannot afford itself to be able vulnerable for such a long time. That's why it's a speed of remediation is also very important.

Yes. And then just pivoting on that point, like where does DevSecOps complement sort of existing security systems from a tax service management standpoint, what percentage of attach services actually covered under supply chain security?

So it's all about software creation, right? So until it's running in the production, this is for a software supply chain. It's -- there are different areas within DevSecOps. Even DevSecOps is a very fragmented area with multiple players coming from different angles to address that situation. There are focus areas such as software composition analysis. That's where we started initially. Basically, if you bring the component from [ marketing ] organization, you don't want to bring vulnerable components. So it's -- you need to check that at the gate when you bring it in to make sure that it's not vulnerable. But there are companies that start with coming from code analysis, like static analysis, dynamic analysis. There are some companies that more in the run time container security. So it's a very fragmented area. A lot of players now trying to build and expand their capabilities from end-to-end to cover this entire software supply chain. We're also doing that. Our advanced security product is our first step into that direction, and there we have very rich road map, and we'll be introducing more capabilities in 2023.

Yes. And just pivoting a little bit to go to market as we think about sort of the cohort expansion, average of 3x the past 3 years and it's been pretty stable. I mean, can you just walk us through key growth drivers of that expansion, how much is upsell versus new seeds versus expansion with an existing accounts?

Yes. So let's first take a step back. We have 2 types of deployments, self-managed and SaaS. Self-managed deployments are monetized by a number of servers and value per server. And number of servers would be dependent on the size of the organization, a number of different locations, a number of different projects or technologies used and value per server is dependent on capabilities that you adopt. On SaaS, we monetize that by data transfer in storage. So the more you use the system, the more data transfer generate, and that's how we solve. So a typical customer journey would be a team of developers would buy [ one server ] of Artifactory, which is 3,200 per server per year, and they will start seeing a lot of efficiencies than the other teams would start buying. Once there are 3 or more teams within enterprise that makes sense for the enterprise to upgrade to the enterprise X solution because interest of developers not always equal interest of the enterprise. What's important for developers is, [ ease of use ], Cool UI, integrations, et cetera. What's important for enterprise is Disaster Recovery, Single Sign-On, the Security, et cetera, right? So when a few teams with an enterprise already using it does make sense to enterprise to upgrade to Enterprise X. And that entry level is 41,500 for 3 servers and then provide you additional enterprise capabilities, but also it allows you to grow within the organization. That's how we see people continue to standardize on this package. And then once they ready to take the next step in the journey and distribute the software to different locations or maybe to different customers, then when -- that's when they upgrade to the platform. And that would be another 2 to 3x upsell. So the 3x in the first 3 years typically comes from adoption of new capabilities, so adoption of security capabilities, et cetera. And then once you standardizing on Enterprise X or Enterprise Plus subscription, it's primarily expansion by volume. So it would be either more servers for a self-managed solution or much more data transfer traffic that you generate from usage on the SaaS.

And as you think about sort of like the sales process, like at what point in that expansion, does it pivot from being more sort of developer-led grass roots to enterprise-level buying? Like at what point is it sort of handoff?

Yes. So historically, we've been growing through Inside & Inbound and the Artifactory, our flagship product became de facto standard in the industry and that's product that loved by developers. So it's -- we got a step in the door in all of these large enterprises through developers. But we realized as our -- over time, as our offering evolves, is no longer Artifactory, it's more the platform play. It's much -- many more personas within the enterprise who impacted by the platform who have interest in the platform, [ CSOS, security ] and security products. Ops managers and product managers, those were responsible for software updates on the customer side, that for distribution, et cetera. So we realized that this is more a strategic play. It's more long-term digital transformation road map for the enterprise, and that's how we realize that we need to tackle it from top down. And that's when we created a strategic team, enterprise sales team that deals with customers, large, very large customers who either just transition to the platform or have a potential to transition to the platform become a very large customer. So we established this organization just, I think, 2 years ago, and we continue to scale as more and more customers adopt the platform and graduate to that level. But still vast majority of the customers and new customers coming from Inside & Inbound.

Yes. And as we think about sales cycles and sort of how -- sort of, a, how that transit -- how that focus on enterprise-level selling. So how does that impact the length of sales cycles? And then also, if you could just touch on sales cycles in North America or the U.S. versus international?

Yes. So enterprise sales typically comes from expansion of existing customers. We could see new customers landing on the platform, but that would be just a handful number during the quarter. Vast majority of customers get to their platform through expansion because it's a process, right? It's not just adoption of the tool, it's adoption of different methodologies, adoption of a mindset, et cetera, et cetera. So therefore, the strategic team is drilling primarily with the expansion of existing customers. Now the sales cycle, it really depends what kind of capabilities you're requiring for a small Artifactory adoption that could be very quick within the quarter for enterprise platform, it could be up to 2 quarters, migration to the cloud, typically also requires involvement of technical teams, et cetera. So it could be also a longer sales cycle.

And as you think about your growth algorithm primarily driven by that expand motion versus new customer ACV, and that's been a big conversation with investors is sort of those businesses are tend to be more insulated in the macro downturn because the -- it is mostly expanded. I mean how do you see that growth algorithm changing in light of the recent macro? And then how do you see that kind of coming out of this macro environment, perhaps [ changing a lot ].

Yes. You're absolutely right that expand existing customers in this type of environment is somewhat easier than bring new customers. Existing customers have this mental deadline. That's the agreement renewal date, whether you make decision or whether you decide to upsell or not, but you have to make decision by a certain date. New customers don't have that mental deadline. That's why it's taking longer to bring new customers. Historically, we've been going through expansion of existing customers. New customers adoption of new customer by new customers is important to ensure the long-term growth. But new customers don't contribute significantly to revenue growth in a certain year in the first year that they joined. Again, you can join $3,200 per year per server for self-hosted solution $98 per month for cloud. It's really a smaller number, smaller lands. On average, we've seen our land to be around $10,000, but again, it's -- we're primarily expansion story. And our net dollar retention have been historically very good, 130% reported last quarter.

And then as you think about sort of your vertical exposure, obviously, you guys are pretty well diversified. I mean, are there any verticals in particular that you're seeing strength in any particular weakness that you'd highlight?

You're absolutely right. We're very diversified in terms of industries, the largest industries, it's technology and financial for us, but we also see transportation and commerce, et cetera. So very diversified. Again, we work primarily with larger customers. And while I think no one is immune to these macro headwinds, but larger customers have more kind of bigger budgets, the less dependent on certain projects, and many of them will become mission-critical. So therefore, we see -- I can't point to certain pockets of weakness within certain ministry. During COVID, we definitely saw some pocket of weakness in what travel and leisure industry. But I cannot point out to specific industry at this time.

It's interesting because like one thing I want to ask is on the tech vertical because it felt like when the market was good and you had plenty of developer talent, you could have your engineers build these -- all these internal custom in-house solutions, but as the developer talent gets tighter and you're engineering your budgets get cut, it's kind of you're much more likely to go out and actually buy a platform.

You're absolutely right. And that's intensified during past 2 years where retention became an issue for many of our customers. The technology became so complex that it's hard to get the talent, the right talent with the right knowledge. And that's why we see that this trend of migration to SaaS actually is strong.

Yes. And then just stepping back quickly, just thinking about your R&D budget, what are sort of like the key areas of focus? What key areas of differentiation and sort of what's the biggest thing we should be looking for [ as the end of the next year ]?

Yes. So our R&D budget kind of comprised of 3 major cores. One is DevOps and security and then IoT. DevOps historically been strong R&D presence with Artifactory as -- and distribution as a core capabilities in that regard with the acquisition, we significantly increased investments in our security core. And now we launched Advance Security, we'll continue to introduce new, new features, and we'll start seeing the return on investment on that. So obviously, today, the advanced security product was launched just about a month ago. So it hasn't yet contributed to the top line growth. And with the security being on top of mind, we believe that this will be significant growth drivers for years to come. And then the smallest bucket of investments is IoT. It's again coming with acquisition of a company called Upswift 15 months ago. We've not become an IoT company by no means, but we definitely see the pain that customers having to streamline the software release process all the way to the devices. So far, we've helped our customers to automate software releases all the way to their data centers or to some of their customers, where the customers have access to those devices. But we know that there are billions of devices that need to be updated on a daily basis that vendors don't have access to. That's a big pain. Therefore, we see that it's going to be a big growth driver for us in the future. Actually, last quarter, we signed our first large commercial contract for this product with one of the software integrators, one of the militaries in Europe. Today's combat vehicles cannot drive and cannot shoot without software updates. And until today, soldiers update software with [ discount key ]. So Over the Air update is something that is important. By the way, all of the transportation companies talked about that as well. I think Ford CEO presented at one of the conference, and he clearly talked about the value in the car is the value of software updates. So this is the future that we're seeing, and we intend to be a major player in that.

Yes. And then just a couple more quick ones. Just on the competitive landscape, can you just walk through what you're seeing there? And then particularly some of your more cash trap peers that maybe aren't in a fortunate position of being free cash flow positive, how you're capitalizing on that to your advantage?

Yes. So I would define software landscape by kind of 4 different categories. First one is, to it yourself a lot of homegrown solutions. That's the biggest market share that we replace and the clear differentiation around that. Then on a DevOps specific company, so I think this is what you referred to. I would divide it into several groups DevOps and then security because the dynamic slightly differently. On the DevOps space, in our presell call [ will run ] primarily into Sonatype Nexus. It's a company that was acquired several years ago by one of the private equity. And they're #2, clearly #2 in binary management. There is other players like GitLab, GitHub, they also building those capabilities, but we believe that we, by far, within the [ under in Dev space ]. In security, it's much more fragmented. We talked about the different areas of focus for security. It's a new area, a lot of start-ups. And some of them very well-funded at great valuations and some of them seeing more and more difficulties. Again, we believe that the platform play will be a significant differentiator because the remediation is very important. Then third layer would be cloud providers. First of all, they're great partners of ours. They just focus on solution that optimize data traffic. So their solutions tend to be shallow, but optimized for data traffic. And we partner with them, but there are also 2 business differentiators. One is multi-cloud, another one is hybrid, which none of these guys can offer. So those are the kind of dynamics hasn't changed much since plus few years. Definitely, the many more startups in security area. I think the platform becoming a bigger play, and we've seen some acquisitions in that space. So this is an area to watch.

And then one last one here. If we look back today, in 5 years, what technology do you think will be more transformative than I think investors are giving credit for today or aren't necessarily paying attention to?

I think that IoT will be much bigger 5 years from now and today, it's very small portion of our business. And I don't think investors even fairly understand the distribution and IoT capabilities that we [ having and ] building.

Yes. Awesome. I think we'll be good there. Thank you so much for being here.

Thank you for having us. Thank you.