JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Hey, everybody. Welcome. Thanks for joining. My name is Koji Ikeda. I am one of the software analysts here at Bank of America on the software team. I am super thrilled, as always, to have JFrog, CEO; Shlomi Ben Haim. Thank you so much for doing this. I appreciate it.

Thank you for having me.

Yes, of course.

Of course, just to start off the conversation, I always like to level set JFrog just for everyone in the room that might not be -- might not super well knowledgeable on JFrog and for those on the webcast, too. Just a very quick overview. What is JFrog, what do you guys do? What is the opportunity you're trying to disrupt?

Yes, sure. So JFrog is a software supply chain platform provider. When we look at software supply chain, we are looking at 3 different core. We're looking at the DevOps core, providing the universal binary or software package repository. On the security core, we are providing a full software supply chain coverage. And on the IoT side, since binaries are also deployed on our iPhone and connected devices. We are the one that connect the edge devices to the software supply chain platform. We call that Liquid Software. This is our vision. The company serves now over 7,000 customers worldwide, 1,400 employees. And I'm thrilled to be here again.

Thank you. Thank you. I've been asking every management team kind of 2 boilerplate questions. One on the macro and then one on everyone's favorite topic, AI. So on the macro front, the way I've been asking the question is, how does the demand environment feel for JFrog today, June 2023 versus January 2023 versus a year ago, June 2022. Does it feel the same, different? I mean, just walk us through what does it feel like?

Yes. So it's a very good question that from one quarter to another, I hope that the answer will be in both. But JFrog is a provider of a hybrid solution. We have a cloud business, multi-cloud business and self-hosted solution. What we have seen at the end of 2022 was almost always felt like a panic. All the CFOs of our customers sent their engineers to cut costs on hosting. And we saw these breaks being pushed at the end of 2022 to optimize the hosting consumption. Since then, 6 months into 2023 and mainly because of the fact that JFrog is an infrastructure piece, you cannot optimize infrastructure forever. It's not an application. It's not a service. It's something that if you don't maintain, if you don't grow, you just block development and software at least. So we started to see it climbing back again. Longer sales cycles. So if in '21 and '22, a VP of Engineering would approve a PO of $100,000 to $200,000 a year. Now it requires some C-level approvals and so on. But it starts to climb back again. Mainly around the cloud, the low-hanging fruit was optimizing on storage and data transfer was a bit more disciplined. Now it's hard to climb back again. We projected mid-40 for 2023, and we still see that it's in line with our projection. Regarding the self-hosted, this is interesting because a lot of companies took a strategic decision to move to the cloud to migrate DevOps workload to the cloud and then the recession kind of accelerated it. And the strategic decision is still valid, but the economic decision is delaying a bit the migration to the cloud. So what happened on the self-hosted and how it's impacting us is that on one hand, they will not invest a lot only the must-have investment on the on-prem and the migration to the cloud is taking a bit longer. So to summarize that optimization on the cloud usage and slower migration to the cloud from self-hosted.

Got it. Got it. Okay. AI. Here we go.

AI. We need the full conference.

Yes. Yes. We need.

Well, Koji, you know us, but I think that what I see now that every CEO wants to say 5x AI in a sentence. So I'll be a bit more authentic about it. AI for JFrog is, by definition, a great opportunity. And the main reason is that the more AI you have, the more binaries you have, okay? AI replaces humans. AI is not about automation. Automation is something that we built 10 years ago. We boosted developers efficiency 10 years ago with automation. AI replace human. This is why the code management is kind of being disrupted with AI. But what happened the moment after you compile your source code, you create the binary. So for JFrog, we don't care if the binary was created by a machine or by human being. And therefore, we are very excited about the opportunity. On the second core of JFrog, which is security, the majority of the security events are being still managed by humans with human decisions. And if machines will replace that, what I think that we will see is the smarter and faster scanners available forever, like they will align themselves with the hacker. The hacker is always there. Scanning is by the policy of the company. So we will start to see more scanning, and we will start to see automated remediation. Think about Log4j. Log4j, an app is out that everybody in the room probably heard about, it's a binary, it's a binary vulnerability. You have to find it, you have to replace it and you have to distribute it according to the dependencies that you have in production. What will happen probably would be scanning, finding patient zero, replacing it in Artifactory and automatically remediate. So we see the opportunity coming but even more authentic, what is an AI model, an AI model is a binary. So some of our customers are already asking us, "Can I use Artifactory as the AI repository, the AI local repository." you have the public repository like some of you probably heard about Hugging Face and public repositories for AI models. The local repository for AI model will be Artifactory. So we see a great opportunity there, but we also want to be very responsible. We hear about copilot, we hear about other solutions. It still requires a lot of regulation. It still requires a lot of ethics rules and policies in the company. So we have 7,000 customers, the majority of the Fortune 100, the majority of 500, they are not rushing into AI with everything. They want to see a bit more steady adoption of AI. But for sure, it will be at the magnitude of the cloud. It would be at the magnitude of Internet and we are excited about it.

So when you say an AI model is a binary. Let's go into that a little bit more because I think a lot of the focus right now is on OpenAI, ChatGPT, LaMDA, et cetera, et cetera. And I think a lot of the discussions out there is that, hey, these are going to become more democratized, maybe even commoditized in the future, but that means that enterprises are going to be making a lot of LLMs or whatever the next version might be for generative AI in the future. But you're saying that you might be a beneficiary of hosting the binaries for that. Is that right? Is that the right way to think about that?

Yes. AI model and algorithm, the machine learning out of it creates the binary. They need to be hosted somewhere especially if your organization created it. OpenAI, we love them, and we are working with some of their tools. But it's not that open. The name is misleading. OpenAI means that you have to host it, where they tell you. OpenAI means that you have to use their models, you cannot count the beat to your model. So OpenAI is not open. So what happened now, if you, as an enterprise, want to use one of the models, you need to manage your own repository. What is this repository, a binary reporatory. I believe that Artifactory today is a standard maker. So we have a great opportunity to leverage the businesses.

Okay. Okay. So you sell to a lot of enterprises out there. You sell the developers to and you sell to CIOs, Head of DevOps, lots of different people. With the proliferation of generative AI and minds going wild with the buyers out there, how have the conversations maybe changed over the past 6 months? Are they thinking about things differently? Are they coming to you with different pain points, Walk me through what the customers are thinking right now?

Yes. So the first interaction that they have -- I don't know about AI overall. I know about the AI in the landscape of DevOps, security, software distribution, software deployment, observability. I think that Gary spoke about it as well here, the CEO of Splunk. The first thing that they ask themselves, can we trust AI to build software for us, to code for us. And why is that? Because no one, including your developers, whatever organization you are working at, even if it's a 5-developer shop organization, no one is building from scratch. No one is building from scratch. You bring Artifact. You bring binaries from outside and you start to build your code, then you compile it and it's a binary. So if I don't know where the machine is going and what it brings, maybe an open-source license that is not legal in my company. Maybe an IP violation can happen. If I can have the full trust, in what is this machine doing, I will start to look at it but still not adopted in production level. The second thing that we see is that there are immediate action on taking policies into action in the organization. For example, GitHub copilot. There is no question whether the machine can help us build faster and maybe even more high-quality code. But I don't know what was shared from what I wrote outside because I shared it with the machine. So think about the ChatGPT, okay? You don't have to be a coder to understand that. ChatGPT, you just ask, you run a query in ChatGPT. You don't know whether your question went to when you asked ChatGPT. Because the whole idea of AI is that the machine teaching itself. So before this will be regulated before this will be completely clear with how we use AI, it would be probably a mandate by the sea level down. This is what I hear from our customers, and this is what we also did in JFrog. We have almost 700 engineers. Before they go and use ChatGPT, they will have to follow some policy and rules of what can be done. And we also enforced some security tools on top of it to make sure that they didn't bring any GPL license or something that I don't want to see in my production or to violate someone else's IP. So mainly, what we hear now is a lot of questions around AI and how it's being implemented and some proof of concept that's being made with a very, very supervised, highly regulated environment.

Got it. Got it. So JFrog already has AI within the platform. But I wanted to ask you about future opportunities, specifically on monetization. I mean we're in a room full of investors here. It's all about how is it going to drive growth, right? So when we think about AI within the JFrog Platform for the future, does it mean it's going to be embedded within the platform and you just get it with the price that you pay? Do you have to pay more for product A, it's product A plus, are you coming out with new products altogether that are featuring either AI embedded tools or even generative AI tools.

Yes. Well, currently our monetization plans and the model we shared doesn't include the AI leverage of our tools. And the main reason for that is that whoever tells you that they know how AI will look like is either illusionizing or lying. That's the bottom line. And we look at it as more like an infrastructure. I want to see how it's improving my DevOps solution. I want to see how it's improving my security solution. I want to make sure that we are not being disrupted by a security solution that is powered by AI and our security solution is being adopted in different deals. So I think that it's too early to answer that. I'm sure that the improvements of the technology will raise the adoption of our platform, and it goes from expansion among our customers and new customers that will fit in. There is -- my observation of the market is that in the next 2 to 3 years, AI decisions will be a top-down decision, so not the bottom-up decisions. The adoption would be a bottom up from the developer's up. But the decision whether you bring in AI tools to the organization, yes or no would be a top-down decision. So it will be a longer cycles of approvals and so on. With specific -- with our customers that will upgrade to new versions of JFrog that will include AI, I think that it will go on a slower pace of upgrading. It's not just upgrading from Artifactory 1.0 to 2.0. It will be what has changed, what have you done in prior to the release, what have you done to make sure that we are not violating any kind of flow.

Got it. Got it. So switching a little bit to the supply chain of software you work with a lot of enterprises. You see a lot of supply chains of software. How well prepared are enterprises out there for what presumably would be a higher velocity of applications being built? Are they ready? Are they not ready? And how does JFrog help alleviate those pains?

Well, it really depends. I think that we see differences between geographies. I believe that DevOps and DevSecOps in North America is mainstream now, unlike in APAC which are at the earlier phase of adopting DevOps, CI/CD, what we saw here maybe 10 years ago. In terms of security, that's very interesting. In the past 2, 3 years, binaries, software packages, call it, whatever name you want to choose, containers, artifact became the primary asset, mainly because of the fact that the hacker, the attacker can reach out to your software supply chain through your production environment. That's the only asset that you have in your production environment. And therefore, the developers became the target. This is why you hear about Log4j, you hear about SolarWinds. You hear it about PyPI, you hear about Springshare, you heard about MPM. These are all binaries. And whether it's a malicious code, or some secrets that were left in your binaries or whatever went out with your containers, and it's going out not once a quarter. It's going out 1,000 times a day. Companies are getting more and more nervous about the software supply chain security. And if that was not enough, the White House is issuing a report like I'm sitting here feeling very comfortable with Biden administration, speaking about Log4j because it's a binary. But for my customers, the government is starting to kind of apply all type of tools of how you manage your software supply chain security. So I think that to go back to your question, it's not just a matter of velocity. It's not just a matter of scale and the volume and of the amount of binaries. It's the enforcement of new rules that are automated in the software supply chain flow.

Got it. Got it. And I think this is actually a really good segue into the competitive question. Every software company has competitors out there. We do our checks. We hear -- and I'm going to ask this in 2 different parts. First, on the binary side and then on the security side. So starting on the binary side, we hear Artifactory is one of the best out there for this over and over and over again. So what are -- how do you think about the competition within -- for Artifactory, you don't have to give any names, but just how do we think about the competitive aspect there?

So on the DevOps side, which is -- where we have Artifactory as the centerpiece there are 2 type of competition. The first competition is some point solutions. Sonatype Nexus is 1 of them. Cloudsmith is one of them. GitLab claimed to have a package management. But these are point solutions that what we usually see is that where you get to a scale to a specific level of scale, you will upgrade to Artifactory. And that's probably the minor side of the competition. What I'm opening my big Frog's eye on is the hyper growth because AWS with ECR and Google with GCR, and Azure with ACR are providing container security, container registry. Container registries is one technology that is supported in Artifactory, the Docker registry. Today, Artifactory sells the biggest -- the most I think, scalable Docker repositories of the world, but the cloud are the cloud. They are doing a lot of things, and they will commoditize you in order to generate more traffic. So although we are working very close with them on the cloud, they are co-selling with us and co-marketing with us. We have to build some authentic differentiators when it comes to the cloud. This is why we came up with multi-cloud solution. Because I don't know about even one enterprise that will just be an Amazon job or just be a Microsoft job or just be a Google job. This is why we came up with a hybrid model. When we first started 4 years ago with a hybrid model with our platform on a hybrid model. It was an internal job because we are Frogs. We said that we are on [indiscernible], we have cloud, and we have on-prem, we have water and land, nobody got the joke, but the hybrid became a standard. And what the hybrid enables is not just a differentiator but also taking the migration to the cloud at your own pace. Nobody just moved to the cloud in 1 year or 2 years. It's a strategic migration. And the hybrid became a very important differentiator. You would be surprised how excited the clouds are to work with us on migrating companies at the size of 50,000 developers, 30,000 developers that are trusting Artifactory. So on the hyper growth, we have to build strong authentic differentiators. On the point solution, we have to be better in the technology, obviously better in the technology is mandatory, but there like you win by feature. And in the cloud, you have to come with something more stronger than just by having a better technology.

Yes. Yes. Yes, that makes sense. On the security side, Advanced Security Platform. You guys have a security platform. So I think security has a terminology within DevSecOps and just the broader security land in general, get store out there a lot, and we've had this conversation many times. But I wanted to dig into it a little bit more. Let's talk about the products, I guess, within your security platform that are differentiated, how do you think about it? I think you've mentioned there's at least 5 different products or so within the platform...

The JFrog [ Advanced ] Security.

Right, right. So static analysis being something like that. So how does that competitive environment feel like? What is this platform? Who does -- broadly, how do we think about the competition there, point solutions, platforms, et cetera?

Yes. Well, Koji, 2 years before we went public in 2018, we took a strategic decision to go full platform, not integrated tools, but full platform. Second thing was doubling down on the cloud. This is why our cloud business is growing faster than the self-hosted. And the third one was security. In 2021, a few months after the IPO, we acquired Vdoo. Vdoo is a mature security company from Israel, the team was trained by the best intelligent forces in the Army and the Israeli Army. Some of them are attackers and some of them are defensors. And we started to build JFrog Advanced Security, which is Tier 2 after X-ray. X-ray was the first composition analysis tool sitting natively on top of Artifactory. And then Tier 2 with JFrog Advanced Security. That's the first fruit of the acquisition almost 2 years after. We announced that a quarter ago. It comes with 5 different capabilities. Each one of this capability is a company beta. Static analysis, you know companies like Veracode, like CheckMark, like Snyk, like WhiteSource, those are -- the static does the code scanners. Container securities, companies like Aqua, like TwistLock and so on. When it comes to secret detection, you have a set of companies that are doing secret detection. When it comes to open-source compliance, open source license compliance, you know companies like Black Duck and [indiscernible]. So what we thought about is not we will do it all. You know me, I'm actually against those guys that are saying, I will have it all. But how can we be focused on one primary asset and to be the best in this asset and to provide you with the 360 coverage. And when it comes to binaries, there is no better company than JFrog. But guess what? All the vulnerabilities that lately were found in software supply chain were binaries. And all of these tools that I just mentioned, 100% of them are integrating with Artifactory in order to provide you with the scanning that you need to protect your software supply chain. Now if that was not enough, I'm not happy about the recession, but they start to have more and more conversations with CIOs, CTOs, CISOs that are telling me, we are not going to replace it now. But if we will find out that you can actually cover the full software supply chain, then displacement and consolidation is also part of our decision process. So we are very excited about it. It's too early to celebrate. My team knows that 2023 and 2024 is all about execution. If it's not going to be executed, then someone from them will be executed for that.

Okay. I lost my train it off there for a second. I wanted to -- okay, so earlier, I asked you about the monetization of AI, how to think about it. I want to ask you about the go-to-market strategy now and I'm thinking about it a couple of different ways because you sell Artifactory, you are bottoms-up and top-down type approach. And then you also sell advanced security. So who are you selling to? Does it eventually become one buyer? Is it always -- is it going to be different buyers? I mean how does that sales strategy work, is it just a top-down sale at some point in time? Just walk me through that type of strategy.

Yes. So I'm just coming back from New York, Atlanta and Chicago when we had our first security road show, and it was for me after 14 years in JFrog, it was, for me, a completely different experience because suddenly, you don't speak with the community, you speak with the CISO, with the Director of securities, with the uptick leaders, with the Infosec leaders. And it's security is mostly around top down. Even if the adoption will come from the bottom up, the decision will come from the top. So that's about security. Now you know JFrog, we build the business of over -- we cost the $200 million in 2022, almost with no salespeople. It was all inbound inside sales, and we started to build our strategic team that goes after our strategic customers and expand with the platform. And we build the partners and the channels team that goes through channels and third party to expand among other territories and customers. So what we see now is the hybrid funnel, some of it is still coming from the bottom up, more adoptions of small development organizations and scaling as it used to work in the past. But big deals that are coming over a $1 million deal, over a $0.5 million deal are coming from the top-down expansion to different silos in the organizations are coming from the top down and especially when everybody is now looking at the dollar consolidation is something that you want to look at oversee the all of organization and not just the group that you are working with. So what we are now seeing is a transition from a full bottom up, full inside, full inbound to a mix of top-down and bottom up, mainly because of the security focus that we are now on.

Got it. We've got about 2 minutes left. I do want to open it up to the audience if there's any questions out there. Please raise your hand and we can get the mic over to you, to squeeze in a question from the audience.

It seems that, I was very boring or very clear, so I don't know..

Are very scared. Okay. Last question for you, Shlomi. Thank you very much for doing this again. Long-term targets. On the last quarter call, you introduced some long-term targets, 5-year targets. Why now? What is giving you the confidence? I mean you came out first time you gave out long-term targets. Yes. Can you walk us through that, please.

Well, it's not that -- the Street didn't have the model, or the management didn't share the model. We actually updated or shared more about what they saw. But Jeff, Jacob, myself, we will sitting together. I don't want to say frustrated but trying to understand what the market doesn't get about JFrog. So I remember that 21, 22 money was free, people didn't reward us for being profitable. I got it. What now? And then when we started to ask like what do you see in 2027 when you look at JFrog. And we heard that they project around $70 million to $90 million free cash flow, and we are targeting $200 million to $240 million, that's below our mind. And therefore, we felt like we have to upgrade the model and share it with the Street. And especially after we delivered 2022 according to what we said in 2023, first quarter again. So we felt comfortable enough and we wanted the Street to know what is the management position and the management commitment to the Street. Same thing goes to the CAGR, 22% to 24%. The Street looked at around 20%. So we wanted to kind of fine-tune the model and to make sure that the Street is very aligned with the management commitment. This is why I said it's on us to execute. Now if you look at the model, it's mainly built when you look at the 22% to 24% growth, basically, if we deliver on the expansion, which is our model expansion and lending and expanding, if we deliver there, it will be subject to 3 conditions, right? A, adoption of our platform. We are already very transparent about that, and we are checking this box every quarter, we share more and more customers that are not just saying -- JFrog is saying that there is a platform, but nobody is paying for it. Enterprise Plus subscription is growing every quarter. The second thing is the cloud. we finished 2022 with mid-50 in terms of growth. And we said that we will grow this year again with the mid-40. So we deliver on that. Now security is the third thing, and this is on us to pull.

Got it. We're out of time. Shlomi, this has been great. Thank you so much for doing this.

Thank you. Really appreciate it.