JFrog Ltd. (FROG) Earnings Call Transcript & Summary

All right. Good afternoon, everyone. I hope everyone had a great lunch and day 2 at the NASDAQ conference. Once again, I'm Sanjit Singh, I'm the Head of Infrastructure software on the U.S.-based software team. We are super happy to have the Chief Financial Officer of a very cool company called JFrog. Jacob Shulman. Thank you, Jacob, for showing up at the NASDAQ...

Yes, thank you. Thank you for NASDAQ for hosting us, and good to see you here, the other side of the ocean.

Yes, very good. Yes, we see each other in San Francisco, and now we see each other here in London. So maybe just start off the conversation, Jacob. It's been 2 years since you've gone public. And for those who don't know the story, can you help describe the problem JFrog is solving for customers with respect to releasing and updating the organization software?

Yes, absolutely. So our vision is to power all software updates all the way from developer to device. And it's a big, big complex problem at scale. Most of the people know software engineers write in their code and soft-running machines. What in between, nobody knows. But it's a huge industry, full of manual, inefficient, siloed, vulnerable processes. So we built a platform that automates the software release process all the way from developer Keystroke to any devices. If you think about it, source code or code that written by developers is a text. It's not machine-readable files. And what's running on machines, it's not the people's language. It's machine language ones and zeros with binary files. So every company that releases software goes through the process of compiling and building these machine readable files, incorporating open source. And today, open source is about 80% to 90% of your application. So your authentic sources about 10% to 20%. If you build online store, nobody writes shopping card from scratch. People just bring open source and just it and that's it they're done. Then you need to secure it and physically deliver those files to all of those edges that Ryan. It's a big complex problem at scale. And that's what we're automating. That's why we see our customers typically are large corporations, pretty much top 10 in every industry, our customers, 85% of Fortune 100, majority of Fortune 500 significant portion of global 2000 large corporations that have thousands of customers, hybrid cloud and on-prem customers in different regions. Those typically that would be a good fit for our value.

I think that was the element that surprised me just having worked on the IPO with you and your team. A lot of the companies that we take public that are growing in kind of technology-focused verticals, SMB market, mid-market and trying to make the way up enterprises. You guys found landed and expanded in the enterprise quite some time ago and find that product market fit at an earlier stage was, I think, one of the things that most impressed me about the company. When we think about this category, we can call it DevOps or we can call it the software release cycle. It reminds me a lot of security in that there's a lot of players in this space because there's different types of workflows, and so can you sort of describe JFrog's role in the software release cycle you sort of described what you do. But in the context of some of the other players in the space that maybe some investors have heard of, whether it's Atlassian or Microsoft GitHub or GitLab, Datadog and Jenkins, -- like how do these sort of pieces come together? And what's sort of your role within the ecosystem?

Yes. So we believe that this entire DevOps Infinity loop will be split in 3 areas of expertise. And then platforms will be created in those areas. So one of them is, for example, monitoring talks. There are a variety of different companies and more internal tools, but it looks that there are some emerging leaders in that space. On other hand, there is another category developer tools. And again, tons of different companies. They used to be developers writing on their resume as some Java developer and C++ developer. No one does that anymore because now developers required to perform multiple tasks. There are multiple technologies that exist. And there are always going to be a variety of different technologies and new coming up every year. And developers would always want, they would love falling love with certain tools, and they always use a variety of tools. And that's also a very fragmented area, and there are some leaders kind of emerging in the space. We, in a category that called software supply chain. And we believe we're leaders in that. And we believe that we have a platform that today supports customers all of their needs in software supply chain. And it's not just comprised of DevOps. Our platform today kind of has 3 components, 3 cores to that: DevOps, security and IoT. And each of them has their own set of competition set of kind of pain that we solve. And for example, in our domain security is very fragmented. No one today has full end-to-end ultra-supply chain, and there are several companies that are trying to build those capabilities. And we believe that the platform play will actually be a significant differentiator over point solutions because in security, for example, Point solution will only allow you to detect vulnerability, but will not provide you any capabilities to remediate amerability. For example, I'm sure that everyone here in the audience are familiar with Log4j issue that was a big security kind of event that happened just about a year ago. And one of our customers top 3 banks in the U.S. with thousands of different applications running in hundreds of different environments was able to remediate that in less than 12 hours while other companies dealing until today, they're dealing with this issue. So how they were able to do that. First of all, instead of scanning all this application one by one with security tool, they went to Artifactory. Artifactory is your database of DevOps. You know exactly what packages run in what application, what environment. So within minutes, they knew the impact analysis. Then they brought a revised component. They had to scan it with security tool, then automated all the future builds against that new component, again, Artifactory feature and then replacing production that's distribution feature. Again, it's a platform play. And that's why we believe there will be a lot of opportunities for us to consolidate in that space.

And just a follow-up, just in to give a history of what you guys have been building. You guys started in binary package management, that's Artifactory. You've been expanding the product portfolio into vulnerability scanning, the pipelines. Now you've done like software distributions. You've announced more security capabilities, advanced security capabilities, you're moving into securing devices and IoT. In terms of -- like the vision is compelling, but one of the common investor questions that I get is what -- why would vendors choose JFrog as designate JFrog as a player to expand onto these capabilities? Or what gives JFrog license to do these capabilities with customers versus some of your other competitors?

If you think about what this category represents and what the only asset that is relevant along all of the steps within this category is the binary. So from the moment binary is created, it lands in our property. And then we provide enterprise standardized framework, secure framework for binary releases all the way to the edges. That's the journey of only one asset, which is controlled by us. Therefore, it can be secured by us and delivered to any device by us.

And maybe to follow up on that previous question in some of the newer product launches, right, whether it's some of the IoT capabilities or you just announced these advanced security capabilities. Maybe give the audience a sense of how you price. And then as customers adopt advanced security features, when do you think that starts to contribute to the income statement? Like how far away is this opportunity are we talking 2, 3 years down the road? Are we talking next year? Give us sort of a sense of when we might expect expansion into these security and IoT to start to contribute to the growth of the company?

Yes. So we have -- our platform can be deployed in 2 ways. It's on-prem or self-managed where we would sell server licenses to customers and they would deploy that either in the data centers, private cloud or even public cloud, but manage themselves. And the number of servers bought would be dependent on the organization size, on a number of different locations, a number of different projects or technologies used by enterprise. And the value per server will be dependent on the type of capabilities they want to adopt. It's just binary management or it's binary management plus Xray, which is our first security tool in software composition analysis or you want the full distribution capabilities. Now on SaaS, we monetize by data transfer and storage. So same kind of subscription structure, but the more you use the platform, the more data transfer and storage you generate, and therefore, you would pay more. With advanced security capabilities, we thought that the right metric of monetization would be a number of scans. It would be very natural for us to monetize a security capability by a number of servers or by data transfer. There's no correlation to value. We've also heard that customers kind of not so very happy with the monetization of security capabilities by number of seats. So we thought that a number of skin correlates the best with the value that we provide, and therefore, our advanced security package will be monetized by a number of skins and where there will be a certain base package, which includes certain number of skins and then overages will be priced per scan or a customer could have like annual commencements for that. So this product was just launched about 1 month ago. And we've seen great interest from customers. Again, today, it's a very fragmented area. And the purpose of this product is to replace multiple point solutions. We know that customers and we polled our customers through our user events, many of them deploy up to 5 different tools to solve this problem. And as a result, they have a lot of false positives, inconsistent data, so not actionable data from all of these tools. So they're really looking for one tool that would cover various kind of full end-to-end. And we believe Advanced Security will be that tool, and we have obviously reached road map, and we'll continue to introduce more and more capabilities. But we see a lot of interest from customers, trials, and we'll see customers in production. We believe that this tool could be meaningfully contributing to our revenues within the next couple of years.

Okay. Next couple of years. Great. And then essentially, the key message around the new capabilities, really on a kind of usage consumption-based fund structure, which is kind of where a lot of software is going these days.

It's built in kind of its built-in expansion, right, which we've seen work very well for us for cloud, for the DevOps core. And now we want to replicate that for our security cores as well.

Great. Makes a lot of sense. I've avoided talking about demand environment macro because, frankly, in -- by December of this year, I'm just sick of talking about macro, but let's at least do the deed. So on the topic of growth, the company sustained 30% plus growth, and frankly, close to a net expansion rate of 130% plus, plus or minus, all throughout -- for the last 2 years, including clean going back to the IPO. Can you just describe at least in terms of the environment that you're encountering today, the impacts you're seeing thus far? And sort of looking into next year, I'm not asking for guidance or anything, but what's your assumption unlike the demand environment and the -- either the -- how difficult of environment you're at least assuming going into next year?

So we started seeing some macro headwinds beginning in Q2 when we started seeing longer sales cycles, customers kind of requiring more and more approvals, especially for larger deals, above $500,000, manager or even sometimes a level wants to be involved. And then in Q3, we started seeing also some optimization on the cloud. And we talked on our earnings call about differences between pay-as-you-go impact versus annual minimum commitment on SaaS. It's easier to work with existing customers because they have this mental deadline of agreement renewal date but we do know they have to make decisions. It's tougher with new customers because they don't have that force infection. So you know that a majority of our new customers were kind of joining on our SaaS by conversion from free tier. So we established enterprise cloud trial, limited in time, so kind of to make people to further to trigger this action to either adopt our solution or kind of even to think about it. So that's been working well. But we will -- we continue to see the macro headwinds continuing in Q4 as well. So when we think about going forward, first of all, we discussed that we kind of -- majority of our customer base are very well-established companies. And although no one is immune to macro, our exposure to maybe smaller technology start-ups is somewhat limited. Again, our main value is automation. And if you have a developer shop of 5 developers, you don't think about automation. You think about product market fit, you go-to-market, all of that. Our products provide you value once you reach a certain level, about 50, 100 developers, that's when you cannot function without tools like ours. So we tend to work with larger companies. That's one thing. Second, we believe we have not penetrated more than 20% even into our largest customers. So think of -- obviously, Morgan Stanley -- very well. It's a lot of different organizations, even within Morgan Stanley, Commercial Bank and Wealth Management and Trade Desk and some others. And there are a lot of opportunities to standardize for tactors. So we've kind of had our foot in the door in all these organizations, but there are a lot of room for us to expand. I think we had an Analyst Day in February of this year. So the debt is as of end of last year, but we'll provide the numbers that are on average, our Fortune 100 customers only $400,000 ARR and Fortune 500 customers only $200,000 ARR. Each of these accounts called the multimillion-dollar accounts. So there is a lot of room for us to continue and expand, and we see that this expansion will continue. And our revenue growth primarily dependent on expansion of existing customers rather than contribution of new customers because new customers typically land very small. They start learning DevOps practices and that's how they expand over a long time.

I have my first kind of like CFO level question. You got 20 minutes into this conversation. But it's really around the growth and profitability balance. And I think even during the more frothier times of 2020 and '21, you guys were operating at a much more disciplined level than others, right? And so in the theme of controlling what you control because top line is exposed to like macro factors, which are maybe out of your control. But as you think about the balance between growth and operating margins, in a scenario where growth starts to slow, how do you think about margins and potential margins being offset? Is there sort of any Rule of 30, Rule of 40 type framework that you guys are philosophically aligned to?

Yes. So first of all, we're somewhat unique from cohort of public companies that went public in 2020 and 2021 because historically, we've been profitable and free cash flow positive. I joined the company. But 5 years ago, even then, the company was free cash flow positive. I think the company was built on the DNA that values efficiency, and we never pay $1.54 of revenue. It's very hard to change DNA of a company. It's like you're growing and raising your child and when he's 6 years old the time do it differently. It doesn't work that way. So Rule of 40 is our framework that we're striving to achieve. We were profitable in 2020. Then in 2021, we acquired 2 companies, and that's how our expenses significantly increased and areas of security that was primary investment. And back then, we committed that we will return to profitability within the 4 quarters, which we did. We guided this year to be breakeven, and we believe we'll achieve that. And we'll continue to build on top of this strength and continue to improve profitability. When I think about my cost structure, about 60%, 65% of that is headcount, around 15% to 20% is hosting costs. So those are major areas of kind of focus we slowed our hiring. We're looking to continue to hire in strategic areas. We've invested a lot in security. Now it's time for -- to see ROI. We continue to invest in some of the go-to-market activities such as channel and Cloud alliances. So far, it's -- we have 0 contribution from channels. So there are a lot of opportunities for us to expand with Cloud Alliances we started seeing first good results. Pretty much every quarter this year, we kind of provided a report on our earnings calls about yet another record-breaking contract in the Cloud and marketplace. That's first steps of our building kind of Cloud alliances programs. We start seeing co-sell opportunities with Cloud. And as working together, we're accelerating the trend of Cloud on-prem customer migration to the Cloud. And we see obviously upsell opportunities from those, and it's also beneficial for the Cloud. So we'll continue to invest that. Today, marketplace is around 1/4 of our SaaS business, and there is a lot of opportunities there to continue. It kind of remove some of the administrative kind of cadets for customers and kind of align very well together with cloud on the long-term opportunity. but we'll also continue to invest in the channel, and we'll start seeing contribution from those investments in next year. So we continue to be focused on profitability, improving profitability. And in general, our framework was trying to be a role for the company.

Makes a lot of sense. I do want to go to the audience and see if you have any questions for you, Jacob. I just wanted to on one topic, which is sort of around the around long-term growth and going back to the Analyst Day, I think you guys said a view of targeting roughly a 30% revenue growth -- can you sort of unpack that for us just sort of what's the sort of simple framework that gets you to that sustainable growth rate? And to what extent did that relies upon contribution from sort of the emerging product areas versus kind of the core DevOps portfolio.

First of all, again, it's primarily expansion. And with our net dollar retention rate at 130, which have been pretty much consistent for the past several years, that's one kind of angle to view it. We discussed opportunity within even our largest customers, how they can grow 5x from current levels, that yet another thing. Now emerging areas of opportunities security. We just launched a vein security. We believe it's going to be a meaningful contribution in the next couple of years. And then more longer term, our initial investments in DevOps for IoT, and it's kind of complete our vision of liquid software, which is basically powering software updates all the way to device. But that's a large market. billions of devices have to be updated. And today, it's a very large huge pain, huge pain for customers. So Q3, we had our first commercial contract, a large commercial contract in this space with one of the system integrators, we signed a deal with one of the militaries in Europe. I wouldn't believe that today's combat vehicles, tanks, they cannot drive cannot shoot without software updates and still sold just run between machines with discountedating software. So obviously, there's a lot big opportunity for us to do that, to update over the air updates and you cannot connect these types of machines to Internet. But it's also relevant for all of the car manufacturers, all of the medical device companies and see billions of devices need to be updated, more workloads go to the edge, which requires -- but that's more longer-term opportunity. So when I look at our immediate opportunity with DevOps, emerging opportunity with security and then longer-term opportunity with DevOps for IoT, that's what gives us confidence in these targets.

Great. Let's go to the audience to see if they had any questions for Jacob on the JFrog story. Just raise your hand and we can get the microphone to you.

I looked at the consensus figures for your revenue growth and it just looks very spectacular, but is it now a bit out of date given current circumstances and the slowing in -- the selective slowing in some of your hiring?

Yes. So I think you're talking about consensus for 2023 or guidance for '20...

Right through to 25 actually ...

I haven't seen consensus. I have my own, obviously, estimations and numbers, but I haven't seen the consensus for 2025. I'm pretty sure I'm lower... So again, when we look at our long-term model, the way we look at it, so in terms of operating profitability, we're targeting low 20s. So today, this year, we're going to be breakeven. We were at 13% just prior to acquisitions that we made in 2021. So we will gradually go to those levels of low 20s. Our targeted free cash flow margins about 30%. The gap, today's gap between our operating profitability and free cash flow is about 5% to 6%. I don't expect any significant changes in the working capital structure. So our free cash flow will be dependent on our profitability. Our gross margin, although will decline slightly today with 84%. Our gross margins for long-term model is about 80%. And the reason is because more and more of our business will come from SaaS and structurally SaaS gross margins lower than on-prem margins.

Sure. Maybe I was just looking at the revenue line, which goes June 23 $1.17 billion, June 24 $1.3 billion, June 25 $1.55 billion. Now there's a diminishing number of useful estimates within that consensus.

Yes. So we guided $280 million for this year. I just don't see how we just to [indiscernible]. Hopefully -- I think you have a different model.

Sorry. I'm indeed reading out the wrong figures, $23.355 million, $24.455 million.

Yes. What's about high 20s growth and with our targeted growth rates around 30%, that's in line with our own estimates to.

I have 2 questions. The first question is what are the switching costs for your customers? And the second question is how do you differentiate compared to the cloud service provider solutions such as AWS and Microsoft solution? And the third question, just to be sure, is it a SaaS subscription model or usage-based model?

Can you please repeat the first question?

The first part was about the switching costs. The second about the competition from cloud service provider. And the third, just to be sure, if it's a subscription model or a usage-based model.

So Artifactory, our flagship product became the heart of the software release ecosystem. And today, all of the developer tools integrated with Artifactory, all of the testing tools, CICD, you're monitoring to also integrate with Artifactory because these guys need information about binaries, they're running in production. So switching from our Artifactory became very sticky old. And our gross rotation is 97%. And to switch to replace Artifactory, it's very painful, very painful because it's really heart of your ecosystem. Now with regards to SaaS competition or SaaS offering, Cloud is very good partners of ours, and we discussed how we go to market together. But the KPIs are different. The KPIs how much traffic you generate on my system versus our KPIs, how we enable our customers to release software quickly and securely all the way to the edge. So therefore, they offer solutions that optimize for traffic generation only. So for example, all of them have container registries, which is a binary positer for one type of technology containers. You cannot build today application with just using containers. You have to build them with something, front end, back end, there are tons of different technologies involved. And therefore, the clouds offer kind of narrow solution optimized for certain usage performance. Obviously, the biggest differentiators with and the breadth of our offering, but there are also 2 business differentiators. One is hybrid and another one is multi-cloud. None of the -- none of the cloud can offer hybrid solutions. None of the clouds can offer multi-cloud solutions. So all of the enterprises would be interested in hybrid. All of they understand that the North Star is cloud. It will take them years to get there. 2 years ago, banks, big banks didn't even think about cloud. Now they started migrating their workloads, but it will take them 10 years. Not going to happen over time. That's why hybrid is very important, and that's significant business differentiator. And second, none of the big enterprise want to be Azure shop or AWS shop. So therefore, multi-cloud is very important. And the third question, I think, was about usage based. So our SaaS is usage-based based on data transfer and storage. And our on-prem is somewhat usage-based based on number of servers, which depend on the size of the organization, number of projects that you have a number of different locations, et cetera.

And with that, I think we're all out of time. Thank you so much, Jacob for the conversation really appreciate it.

Thank you, guys.