JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Coming down to Austin, as Shlomi would say, I'm probably biased, a great place to be. I'm glad to have you guys all come down here and join us today and hear about some of the key announcements we have and give you guys a chance here in the audience to ask management any questions you might have about some of the announcements we made today. But with that, I get the fun job of reading the typical legal disclosure before we begin today. Leading the event today will be JFrog's CEO and Co-Founder, Shlomi Ben Haim; CTO and Co-Founder, Yoav Landman; and Ed Grabscheid, JFrog's CFO. During this event, we may make statements related to our business that are forward-looking as that term is defined under U.S. Federal Security Laws, and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, as amended, including statements related to our future financial performance. The words anticipate, believe, continue, estimate, expect, intend, will and similar expressions are intended to identify forward-looking statements or similar indications of future expectations. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our views only as of today and not as of any subsequent date. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events, except as required by law. These statements are subject to a variety of risks and uncertainties that could cause actual results to differ materially from the expectations. For a discussion of material risks and other important factors that could affect our actual results, please refer to our annual report on Form 10-K for the year ended December 31, 2023, filed with the SEC on February 15, 2024, which is available on the Investor Relations section of our website. Additional information is available in our recent Form 10-Q filed with the SEC on August 8, 2024, and other filings and reports that we may file from time to time with the SEC. Additionally, non-GAAP financial measures may be discussed at this presentation. These non-GAAP financial measures, which are used as a measure of JFrog's performance, should be considered in addition to, not as a substitute for or in isolation from GAAP measures. With that, I'd like to turn it over to JFrog's CEO, Shlomi Ben Haim. Shlomi?

Yes. Thank you, Jeff, and thank you, everyone. Can you hear me well at the back? Cool. Thank you, everyone, for joining us. A very exciting day, obviously, for the Frogs. But from what I hear after the keynotes, I hear that it's a very exciting day for the community as well, not only because of the announcements, but also because of the amount of innovation that is injected into what we call software supply chain management. And some of it was shared here today by JFrog. I'm sure that other companies are doing a great job as well. Today, we will focus on 3 main announcements, the first one, something that we were working on since last year. Those of you who joined us at swampUp last year in San Jose, remember that we announced the availability in JFrog Curation and JFrog Advanced Security on a hybrid version. JFrog Advanced Security and JFrog Curation were the first add-ons on top of Xray and the results of the acquisition of Vdoo. And during this year, they started as you have shared on his presentation to see some success within -- among our customers and portfolio. And today, we completed a process of taking care of your binaries all the way to production, to the run time environment, with something that is very unique to JFrog with a differentiator that no other company can provide unless they want to integrate with our assets, which is the shift left, shift right, take it to whatever side you want. Full visibility and traceability in order to generate 1 thing, 1 value, which is fast remediation. It doesn't help you if you have the best front time security on the planet. And you know about the vulnerability in your production environment. If you cannot trace it back and replace patient 0 on whatever repository. JFrog Runtime Security was something that we built on top of the other assets like JFrog Catalog, JFrog Curation, JFrog Advanced Security. So it will not just be a siloed solution. It would be part of the platform, and it's available starting today to all of our customers and prospects. The second announcement that was shared today on stage in 3 different talks. As you could see, is the second stage of the partnership with GitHub. On May, earlier this year, we announced Stage 1. Stage 1 was integration between the platform. And we knew that this is not complete because it's not all about developers. You have to make sure that you provide a 1-platform experience for the user that's checked. But what happened when it comes to security and you have different stakeholders. And what happened when someone start to ask you, if you have to go between the different products and UX. So we announced today the availability of JFrog Advanced Security and GitHub Advanced Security, all displayed with the findings from source code and binaries, on Github and JFrog. So you choose where you want to be. If you are a developer, you would probably land at the GitHub platform. If you are a DevOps engineer or a lease manager probably on the JFrog, but we unify the view on 1 pane of glass. And and the third -- okay or is it a mistake? Or am I speaking too much? And the third one, the third deal on the GitHub integration was the Copilot. How you bring GenAI into the process of managing, securing your software supply chain. Copilot is not only a nice chat box. This is a window to the JFrog assets. That's a window for a developer to the JFrog asset, like in what world can you see it as a developer and ask what packages should I use for X or Y? Who's using it in my organization? Who's using it in my -- not who, but how popular it is in my sector and my industry? And all of it from the get go, so you would prevent any mistake. So if you think about the main pillars that GitHub and JFrog now with this very strong partnership provide, it's the speed and the trust among the developers and security community. And the third announcement that we covered today was the NVIDIA collaboration. And what we've heard from our customers, as I mentioned, as the keynote is that this is really a scary world, we don't know. Everybody is speaking about AI, everybody want to have AI. Everybody is willing to pay money for AI. Nobody knows what AI is, okay? And if someone tells you that they have all the answers, they are probably smarter than me. But we hear it across our portfolio, SMB, enterprise, public companies, private companies, self-hosted, Cloud, it's across the portfolio. And another thing that we hear is that unlike in the past, 10 years ago, it could be a developer without caring about your security. Today, it comes together. And therefore, you also saw the CIO survey saying now find a solution for AI security, ML SecOps. And our customers started to inquire about enterprise models coming from NVIDIA. This is where this collaboration started with few of our biggest customers and with a very strong relationship with the NVIDIA team co-engineering, working on a solution that NIM models from the NVIDIA public repository will land on a secured registry for the -- for all models of your organization. So basically, a single source of record for your models as well, including NIM models coming from NVIDIA. If you put together what we have built in the past few years, we actually brought JFrog to a level that all ops are supported in 1 place, DevOps, DevSecOps, MLOps and the reason is actually split to 2. One, there is only 1 asset that we keep saying in JFrog. I know that sometimes we say it a lot and too much. There is 1 asset, which is the primary asset, ask every engineer outside this room. What is it that you spend most of your time and they will tell you, 80% of software supply chain is about software package management. This is what I create. This is what I comply. This is what compiled. This is what I test. This is what I deploy. This is what I secure. And this is also the assets they have in runtime. So this is a -- and the second thing is that we know that the world is consolidating around best-of-breed platform and there will be no vendor that will just provide everything. We heard in the past that there will be vendor that said that they will do DevOps and security and a class in and Datadog they will be everything. It's not happening. And Cloud-only, also not happening, therefore, the hybrid. So we feel that we got to a point that we now can serve our community after very intensive investment, we can serve our community with an every-Op solution. And those of you who follow the past few years know that we are very serious about what we promise and when we deliver it.

We'll open up the Q&A session. I will bring the mic around if you can utilize the mic for the questions so that the webcast participants can hear. It'd be much appreciated.

Sanjit Singh, Morgan Stanley. Thank you, Shlomi, for the great session today. And a lot of announcements. And I think from my perspective, since the kind of higher rate environment has taken hold, I've seen JFrog's product velocity enormously accelerate. And that's the good thing. I think what a lot of investors are trying to figure out is the go-to-market motion behind that. So let's take the GitHub announcement, the native integration today. So your -- it sounds like you're natively integrating the platform from the product side. It sounds like from a developer perspective, the workflows are going to be much more seamless. What can you tell us on the go-to-market side with GitHub? Are there any sort of financial incentives for their sales people behind it or any sort of other sort of -- what's the go-to-market strategy for those joint JFrog-GitHub customers to drive that consolidation opportunity that you were speaking to?

Yes. Thank you, Sanjit. Good question. What we have learned in the past 15 years that when you sell from the bottom up or top down but you sell developer tools, first thing you should do is to build your credibility and first thing is to avoid any fluff about integration of features. And when you say a real platform experience, you should stand behind your world. So we build it in tiers and we want to deliver it. Next month, GitHub Universe will kind of cover also the beta program of Copilot. And once it will be adopted, this will be, for me, the trigger to start and speak about CoSell. We already have co-marketing, everything we do here, as you saw, is in full collaboration with GitHub and with Microsoft. But when it comes to joint packages, joint subscription, same offering offered by different salespeople. This is too early. We will wait for the adoption, and we will see it happening. But as you know, net new is not only coming from prospect and new customers. It's also coming from the renewals. And I can already say that from what I hear, and it's too early. This is also a tool for retention. We have 97% retention rate, which is amazing. I'm very honored, but I know that I have -- as we grow and as we expand and as we cover more and more persona, I have to invest not only in net new and new offering, but also in retention. And the GitHub integration, once you chose GitHub and JFrog, especially if you migrate it to solutions like that and especially when you combine security on that, it would be a very important investment that you do. You don't just move 2 years after or 3 years after. So retention is also very important.

Just one quick question on Runtime Security. What's the sort of the monetization strategy around that? Is that going to be included as part of Advanced Security? Or is that going to be another add-on for customers?

Runtime Security is going to be offered as an add-on available only to our Enterprise X and Enterprise Plus customers On-prem and Cloud. As you know, Curation and JAS is already there. Runtime security requires JAS and Curation. So we see 2 paths of goals. A, customers that are not yet on Enterprise X and Enterprise Plus will see enough value to upgrade themselves. And then to take on top of it, JFrog Curation and JFrog Advanced Security to enable Runtime Security. Runtime Security also come with 2 different capabilities. Enterprise X enjoys the integrity piece of it. And Enterprise Plus is the only subscription. This is the foot platform, the only subscription that will also have an impact -- runtime impact to what we call to provide you with the full information that we presented today.

Pinjalim Bora, JPMorgan. When I was walking around and I was talking to a lot of investors, it seems like there's a little bit of a skepticism around JFrog getting into the security budgets. And obviously, with Runtime, you are diving deep into the security budget. So help us understand, and you have had some time now with Advanced Security, right? So help us understand what are you hearing from customers around that, your ability to get into the security budgets?

Well, skeptic people are part of my life since I was 2 years old, that's fine. We build for the long run. And what we've seen a few years ago is that whether people like to admit or not, the landscape of security is changing. And don't take my word for it. Look at the big security companies and look at the companies that they are acquiring. They are shifting left because they know that they have a blind spot. And if they will not shift left, they will try to recover on the runtime environment and try to find out what happened like 2 weeks ago when someone released the last software update. So we took advantage of the fact that we own the single source of record for all of our customers. And we started with Xray securing that. And then people started to be skeptic because Xray is just protecting your Artifactory. And when 3 years ago, we started to heavily invest. This is not hiring 6 people, 5 people, to build your security solution. We acquired a company, a leading company with its very strong research team. This team, I don't know if you noticed what we said there about the Python package. This team saved the world few weeks ago. Don't ask me, go to LinkedIn and see what the community is saying. And then on top of it, we started to build the solution that enables a, automation and b, quality and c, traceability that no one else in the market can offer. Now let's say that other security providers will say, we can offer it as well, ask them if they have an integration with Artifactory. And the answer is yes. And if they don't, they're blind to whatever happened to your binaries. Now listen, when Tesla came out with this idea of building a radio, I'm sure we didn't do a market pitch and ask how many people would believe that there will be a box in their kitchen listening to the radio. We speak about binaries, and you've been with us from the beginning. JFrog is the first company that said, this is what you should be focused on. So I'm quite happy that we have over 100 customers that signed up this year for the full stock, and I see these customers coming and you have shared some of the logo on this slide. And it will take time. And skeptic people, they are part of my community and my life. And then we will have the proof on us to prove that our philosophy about software supply chain security is the right thing.

I want to add to that, that the shift in security that happens is from detection to remediation. And I don't know if you saw the whole keynote to them, but what we're giving you with Runtime -- So if you find about I have a vulnerability and runtime, and you don't know how to relate it back to your software supply chain and how to fix it, it's only part of the job. So you become unproductive and you kind of persist the risk. And this is the big change because once you get the visibility, once you have a finding and you know exactly how to tie it up to your software supply chain process and fix the vulnerability, that changes the whole picture and the generation of tools that are only alerting you and beeping and giving you this bleeping alert, it's -- they are the old-style tools.

Yes. Yes. The image integrity part, I think, was phenomenal on the Runtime Security that you were showing. I think that seems like a big differentiator. I want to ask you one last question on MLOps. I was talking to some of your customers, and this is not really related to ML, but I'm extrapolating to ML. There were some customers who were basically saying, on the Cloud version, they don't like the pricing because there's a transfer element to it and it becomes very costly for them, right? So they are not putting everything on JFrog Cloud. They're putting some On-premise, maybe using some open source stuff. But I'm thinking, as you move in more into MLOps and you're talking about bringing in models, which are 2 gigs, 1.5 gigs, right? How do you kind of get over that pricing hump?

Well, it's a great question. I guess that the customers that you quoted are not yet using MLops. They are using JFrog Cloud and they say it's too expensive for us. We hear that, but you have to divide it to 2 different practices in the journey of our users, what they build and run in the development environment and what they deploy. Now when it comes to data transfer, millions of Docker containers that are pushed from Artifactory to the Cloud. This is the deployment piece. This is the distribution of software piece. This is where sometimes they are challenged by the price because some registries that are just plain container registries can offer it for a different price, sometimes lower. When we look at the platform, we look at the full value of the platform. And don't get me wrong. We are working on the benchmark, understanding who are the competitors, what changes, who's doing what, everyone said that they have a Docker registry somewhere. And then when it comes to scale, I gave an example of Cisco today, but all of these customers, these are hundreds of millions of artifact, not every container registry scale to Artifactory. Some of them moved back to JFrog. Some of them moved some of the workload to JFrog, but we are very well aware to it. And look at the prices, then sometimes some changes need to be changed, especially when you look at deals that are few millions of dollars the consumption. Specifically on the MLOps. First off, our MLOps offering will be part of the enterprise to start with. And this offering is going to be available for our customers on a model that comes with a base included in the subscription and then the GPU unit, like that's the world of AI, and this is how you -- this is the unit price that you use.When I look at the MLOps landscape and the competitive landscape of MLOps, and I'm looking at the players, first of all, it's a different market, completely different market, not mature yet, very evolving. And second, most of the players there are startup companies, some of them are more successful and some of them are less. So I think that the fact that JFrog is the only company in the universe that provide all 3 practices, DevOps, Security and MLOps in 1 platform will be appreciated by our customers. And we'll see about the final prices. We will go out with introductory prices for the MLOps. And then we'll see, based on the adoption, how it goes.

Jason Celino from KeyBanc Capital Markets. Keeping on kind of the Runtime theme, it seems very logical to verify images in production, nice logical step for your platform. What else what might we -- like the next step without giving like any -- like the roadmap, but help us understand like where you're going?

For Runtime, first of all, integrity is one part of the deal. I think the most critical part is actually being able to recall an image in Runtime. It's not just the image. If you speak about the Log4j incidents, for instance, it's really knowing that this Log4j library is embedded in a container that is currently active in Runtime loaded into memory. We didn't get into the fine details in the keynote, but we can actually tell you whether it's applicable. It's loaded into memory, whether it's effective. When Log4j happened, we had many customers that were freaking out about Log4j and they had some tools that were alerting them about, yes, this Log4j actually on disk in production, but it was not even loaded. So the impact analysis, Shlomi mentioned, the higher tier, the impact tier this is a big deal for Runtime. We're going to invest without -- I'm not going to reveal the roadmap naturally, but we're going to invest a lot more about policies and alerting and the whole remediation, the ease of remediation for your findings in Runtime. So that's going to be the next direction.

And then user conferences like this is always great to talk to customers. We've had a chance to speak with a few self-hosted folks. As we think about migrations and kind of the path to migrations, what do you hope your self-hosted customers walk away from the conference today?

So as all of you know, some macro challenges stopped, freezed, put on hold all type of big projects that were planned in 2024 to migrate DevOps and DevSecOps workloads to the Cloud or to the public Cloud. One of the repeated question we get outside at the booth is about Cloud migration practices, how you do it. It's not just, okay, move your repository from self-hosted to Cloud. You do it in different stages and different projects and different technologies. I think that when the market will start to recover, I don't think that we are yet out of the woods. But when the market will start to recover, our customers will first look at the -- at where they left the decisions moving back to the Cloud. Now remember, these guys that you speak with, if they are planning strategically to move workloads to the cloud, they are also paralyzed in terms of what they invest in the self-hosted. They don't invest anything. They know that they are going to move. It's just a matter of maybe a year more. But therefore, they are in what we call the twilight zone, which is they are not investing in the self-hosted, but on the other hand, they didn't start yet the migration to the Cloud. So Cloud practices, if you speak about the migration to the Cloud, there are customers that did it here with us and customers that not yet. And this is one of the top in mind. They are very, very unsafe when they are moving their environment from self-hosted to Cloud.

This is Yi Fu Lee from Cantor Fitzgerald. So I guess the first question is going back to the GitHub partnership, would you say, Shlomi, like this is another way of saying, "Hey, look, stay in the lanes." Because I remember like when I cover cybersecurity, you have Okta and Identity Space, CyberArk and the PAM Space, right? How would the relationship change, I guess, right? Because you guys obviously dominate in the artifact and then in the source code management as well as advanced security in the respective area. So if, let's say, they were to branch out or vice versa, how would that dynamic change?

From a technology perspective, you mean?

From the partnership perspective.

From what they have already?

From what they have already.

Well, listen, it -- there is overlap between all vendors. There is no vendor that you would tell me. Like I'm collaborating, I'm deeply invested in AWS, Azure and Google Cloud, right? But all of them also offer container registry and all type of developer tools, there are overlaps. With GitHub, we have some overlaps, with GitLab we have some overlap, with Atlassian we have some overlap. But I think that what counts is, a, what level of sponsorship you get from your partner? Is it like developer-to-developer with all the respect or is it CEO-to-CEO. And second -- or maybe this is the first thing is what your customers are choosing. And if our customers are telling us -- and I'm talking about customers at the size of AT&T and Morgan Stanley and Fidelity, these are the customers that came to us and said, "Guys, we chose you for this, and we chose you for that. Thomas start work with Shlomi, Shlomi start work with Thomas or you are both grounded." And that's it. It's like it's the customer choice and then we are driven by the customer choice, and I think it will be beneficial for both sides. I don't see GitHub Package Manager. I don't want to say anywhere, but I don't see it on presales. I don't see GitLab Package Manager on presale. People start to standardize around best-of-breed platform and Artifactory represent that.

Okay. And then my follow-up is I'm going to lump it together a 2-part question on the MLOps opportunity. What needs to happen to be showtime ready? Like do you need more integration? Do you need more work in it to get it ready? And then a follow-up for Ed is, any color on like the sizing of the opportunities, right? We talked a lot about whether it be GitHub MLOps. Can you give us a little guardrail of the upside to think about it? And obviously, NVIDIA, don't forget NVIDIA as well, right? And last year is -- from the earnings call, not asking for an intra-quarter update, right? Is the migration slowdown? Any status changed to that?

I'll start with the product side. So it's -- in terms of showtime readiness, it's already the situation. It's GA, you can start using this. This -- we showed you in the demo how you can go from Artifactory and curate only the ML models that using JFrog Curation, how you can store the models in Artifactory, how we are also supporting data sets that we didn't show. And the bidirectional navigation between JFrog ML and the JFrog platform. JFrog ML today is technically, it's not integrated into the UI of JFrog platform. So that's one of the first things that we're going to do. I don't know if you notice that there is like it opens currently in separate tab. So we're going to embed it even closer to the JFrog platform itself. Of course, there are always gaps, there are always things that we would like to be more perfect. Given that it's 2 months into the acquisition, this full level of integration that we already offer for us, we are considering GA, we are considering what you call showtime ready.

Just to put that -- I'd like to add to what you have said -- we acquired Qwak 2 months ago. We announced the integration with Qwak 9 months ago. It's not yet ready to full-blown on our portfolio. We have responsibilities, we are checking it. We want to see to where its scale. We want to know that we are ready to serve our enterprise. You don't build this trust with this enterprise and then you bring some solution, especially in the world of MLOps, which is still an evolving market. So it will take time. And we will take this time because when we will come with this solution, it will be the best solution in the market. Already today, there is no other company in the market that provide this capability as part of your software supply chain.

And regarding the financials, as you heard, we're still in the process of integrating. We just closed the acquisition 2 months ago. That takes time to integrate -- we're still learning about the company, in addition to the announcement that we made with GitHub. And now this announcement we made with NVIDIA, again, we're taking time to build that. We haven't commented on 2025 yet. But in terms of 2024, we don't have anything in our model today that would be around contribution from either of those opportunities. With regards to the end of Q2 and what we saw with the migrations and kind of this behavior change that we saw regarding these really rigid procurement practices that we called out specifically at the end of Q2 with this very, very large customer, and we said part of the reason, we de-risked these opportunities because of this constructive multiyear 7 to 8-figure deals with security embedded in those. We looked at those. And we said, okay, we understand it's very difficult in this macro uncertain environment to get those deals across the line. Therefore, we did not want to have those in our guidance going forward. We think we made the right decision, and we haven't commented on this particular customer. We will at the end of Q3, but we believe we made the right decision by doing -- pausing those discussions for now.

Nick Altmann from Scotiabank. You guys had that slide that said hundreds of customers using Advanced Security Curation and SAST. And there were some pretty impressive logos up there, large enterprise sort of tech-native customers. When you think about those products being more of a needle mover next year, pairing the fact with that's a lot of customers that are using those products, very impressive logos. Why is that? Is it they're sort of smaller deployments and they're going to ramp? Just like any comment you can make on sort of the delta between some very splashy logos, hundreds of customers, but it kind of being more of a needle mover next year.

Well, first of all, yes, we are very honored to have these customers using JFrog Curation and JFrog Advanced Security, just to make sure we understand. This is not JFrog Xray customers, which is the other arm of JFrog Security. This is just Curation and just this is also what we report during the earning. And not surprising, and going back to Pinjalim question, not surprising, all of our customers had something that is called security. And to be honest, most of them had 5 other things that is called security. And big customers with over 1,000 developers had over 10 different tools. One full static analysis, one for secret detection, one for infrastructure go. Each one of this aspect was covered or is covered by a different vendor. So I don't expect any of my customers to just switch on and switch off from one security solution to another, especially when they don't know yet how strong JFrog is in the landscape of security. This is why it takes time. Now what is my expectation for the following years? This is why we build it on a per-seat model to allow them to ramp up. And once they feel secure with what we offer them, I hope that they will go to where we see the potential, thousands and thousands of developers, and this is how we will charge. The other side of it is ramp-up in terms of number of developers is one thing, a ramp-up in terms of consolidation. JFrog also consolidate 6 different point solution in 1 solution. 6 different companies can be replaced in 1 solution. In one of the earnings, we told you that we replaced Black Duck, Sonatype and the checkbox with 1 just subscription. So consolidations also takes time. And a lot of time, they gather budget from other places. They will have to run the first year or the first 2 years paying to both of us until they fully migrated. And this is why I'm saying, have patient and going back to the skeptic people. I know that we build for the long run, and we are building right.

Ryan Mac from Barclays. I got to ask the Generative AI question. But you can tell your customers becoming more sophisticated around it, and it's more of a priority for them. So as we stand today, I guess, where would you see Generative AI adoption become more meaningful in your financial results? And any changes on the timing for that and when you can see that really start to impact?

So you're asking about whether Generative AI is going to be adopted for -- with the MLOps solution?

Just how do you think the JFrog platform will start to see more customer interest in revenue?

So we're starting slow. We're starting with just hosting your models and curating them. Obviously, GenAI is a new thing, and we are still learning. We are actually, I think, like many other players in the industry, we want to bet on the right horses. We don't want to solve pains that wouldn't be pains in a year from now. So we are speaking with customers, we are identifying the patterns that we think are there to persist, and we will add them to JFrog ML. So that's the situation for that.

You have mentioned the pain. When we are building our roadmap, we are looking at 2 aspects of pain, developers pain. A, if it's a known pain and b, if it's a major pain. If it's a known pain, but nobody cares about it, okay, a drink a glass of water, it will die. If it's a major pain, this is where enterprise will be willing in the future to invest our money. So GenAI, especially in the landscape of security is going to be a major pain. It's already known. It's already known. It will take 1 episode or 2 episode that will explode somewhere in the world that everybody will wake up. But you already saw the surveys of you guys telling us that this is where CISOs are investing a lot of money.

And just to add to that, the world today, one of the major pains that Shlomi spoke about, and it's realized pain that's validated from what customers are asking is just controlling which models are allowed to be used in the organization to the level of the version of the model. This is the situation today. Organizations are very skeptic, they are very careful in what they're allowing and this is a feature. That's a pain that we are already solving with Curation.

Andrew Sherman with TD Cowen. I wanted to come back to the major industry outage that happened this summer and any impact you've seen because of that? Has that shed more light on the software supply chain and the importance of updates? Have any existing or new customers reached out and asked you to help on that? Is it showing up in pipelines at all with JFrog, have helped prevent it from happening in the first place, that kind of thing?

It's been almost 3 months since we announced the partnership. Today, we announced the completed Stage 1, so obviously, whatever I'm sharing here is based on 3-months analysis, which is very, very early. But in over 70% of our presale call, support call, tickets, announcement, marketing, hitting map, everything that we can track, people are very excited about this partnership. I would also add that Bitbucket users are very interested asking a lot of questions about that. And I'm speaking only about JFrog customers, Bitbucket users, are also working with Artifactory and GitLab users are working with Artifactory. So Bitbucket users from Atlassian side are also very interested. And people are inquiring a lot about this collaboration and where it will be. Now we announced the security and the Copilot. We'll see. I'll keep you posted.

Miller Jump from Truist Securities. Congrats on all the announcements today. Maybe just digging into the NVIDIA one specifically. I'm just curious like how heavily demanded this was within your customer base? Just trying to get a sense of like how much of the customer base is currently leveraging NIMS and maybe just any sense of how quickly you think this could impact the actual business when it launches?

So first of all, NIM is a new thing by NVIDIA. You have to understand it's a new technology from NVIDIA. It's new for NVIDIA themselves. So we already started to have conversation with the enterprise customers because this is really targeting the enterprise level customers that want to get large language models into the organization. They have the iron to run them, and they want to get the best trusted models, but also the most fine-tuned models that they can run on this hardware that they purchased. And the initial feedback was this is awesome. We really want that. We really want to get the speed and the trust, but we need it in JFrog. We need it in Artifactory for many reasons. First of all, it's our single source of trust in the organization. It cannot leave as well. Second, it's part of a larger scope application. The model is not there living by itself. It's being packaged and integrated with the rest of the software that my organization is producing. So it doesn't make sense to put it on some kind of island and isolate it as well or keep it in the cloud. And the last reason is that when you consume the models, you mentioned these are huge files, and you don't want to be loading them all over again over the Internet. You want to serve them over the local network that's like a must for scalability. So this was like everything makes so much sense as the reasons for why you would want that in JFrog and that's the exact feedback that us and NVIDIA got from mutual customers.

If I could just ask a quick follow-up for Ed. I mean now that we're through earnings season, we heard pretty mixed messages about the software demand environment. So just curious more digging into the headwinds you called out in procurement, like do you see those as DevOps specific? Is it potentially JFrog specific? Or is it something where you saw it before others might? Just any color there would be helpful.

Yes. So we certainly saw in our monthly customers that happening earlier than what we saw from a procurement perspective. That came more towards the back end, the final few days after earnings, we've seen -- actually, it's not just the JFrog problem. This is what we're seeing across the software industry. I think you've seen now several during the earnings season that have called out specifically around challenges with large enterprise deals. We've certainly gone from a bottoms up and move more downstream with larger customers. This creates challenges around longer sales cycles, working with multiple functions and different decision-makers. So certainly, there were some challenges around that, especially in this uncertain macro environment. We believe it's temporary. We're hoping that it's temporary. I don't see this being a long term challenge for us. We haven't commented obviously on Q3, and we will at the end of the quarter. But certainly, from the standpoint of how it's impacted JFrog, I think it's not just a JFrog issue. I think it goes beyond JFrog and more in the software industry.

Kingsley Crane from Canaccord. So I want to return back to the twilight zone comment when the customers pause the Cloud transition and therefore, also pausing investments On-prem. I know macro is involved, but how long might that be sustainable because customers are still going to need to consume more over time?

So obviously, there's an incentive to move from self-hosted to Cloud. It's better return on investment for the customer. We take the infrastructure. They do not have to invest as much. It creates standardization across their organization. So over a long term, it's the right decision and the right move. When you're in a in a macro environment such that we are right now, these are customers today that are utilizing JFrog on a self-hosted instance. They see the benefits, they see the value. But as we talked about, this is kind of a dead zone. They don't invest. They're not expanding. But the incentive is still there to move to the Cloud. This is very much macro-driven. So when the macro improves, these customers are committed to JFrog to move their instance from self-hosted to Cloud. And 99% of the time, once we get past the POC and the technical gate, those customers are committed and move from self-hosted to Cloud. Therefore, once we start to see budgets being unlocked and the macro environment improving, we think it will go back to what we saw previously.

And maybe the way -- I might add to it, it's that when we spoke about de-risking opportunities and especially big opportunities in our pipeline. Some of it has to do with migration that even though the customer is saying, yes, we are scheduled to do it this year, we were very, very conservative about the pipeline, knowing that this is going to be very big accounts.

All right. We want to thank everyone. We've got time for one last question today, and then we're going to wrap up today.

This is Shrenik Kothari from Baird. Again, come from the security background and not a skeptic at all. And not coming from a skeptical angle. But to your point, Shlomi, you mentioned, of course, the traditional security vendors are consolidating and moving more and more towards the left. You touched upon, of course, [Cisco] and the likes of that. But when it comes to like Palo Alto Networks and CrowdStrike as you said, right, those guys are trying to invest more and more on the shift left. How do you view the competitive positioning from the larger traditional security vendor perspective? And how do you see, of course, advanced security tools, the Curation, Runtime in light of that? And then I have a follow-up for Ed.

Yes. So in terms of differentiation from the big security guys, if you look at Palo Alto, Check Point, CrowdStrike, those companies, they are great. Some of them started to shift left, and we are opening like our big frog eyes on them to make sure that they are not shifting too left. But now even if Palo Alto Prisma would like to provide you with the full traceability,, all the way to your image, to your Docker registry. What is the Docker Registry? Artifactory. So I think that we are coming with a very solid, strong differentiator. And to be very humble with my foot on the ground, there are a much more savvy security company that are protecting your network in cyber. We are talking about software supply chain, and it's a different landscape. And I think it's evolving and evolving fast.

Got it. And then, Ed, please chime in on the go-to-market strategy, right, as you said, of course, the advanced security tools and, of course, Curation, Runtime all kind of part of, of course, enterprise class, and that's kind of gaining more traction. More, I would say, larger lands upfront. Of course, this macro aspect, but like how do you view the expansion strategy, right, going forward? Is it more built around seat expansion, more and more data on your tools or kind of adding more and more security features going forward?

Yes. So we actually see opportunity in 2 different areas. Number one, is the migrations moving from a self-hosted instance to a Cloud. You have over 60% of your assets today still sitting and self-hosted, you can migrate those to the Cloud. And when you have a migration, you have anywhere from 20% to 80% uplift on a like-for-like subscription and in addition to that, you bring them over on the full platform. Only today, 10% of our customers are in the full platform and contributes 50% of our revenue. So there's a huge opportunity there. Secondly, leading with security. Security will be a significant driver of growth for us. Security is monetized by seats. We started with the general availability in the second half of 2023. We said we had tens of customers. As you saw today in the keynote, we now have over 100 customers and some very big names. And we're maybe even a little naive to think that we would bring these customers in at a very low introductory pricing with few developers. And today, what we're seeing actually is quite the opposite. We're seeing customers want to come in, negotiate now for a much larger opportunity over multiple years replacing the point solutions. It's not just a sale of a 1-year POC type sale. This is truly a value that they see by coming to JFrog for more of a replacement and consolidation of their tools, and that will take time. And they're willing to invest with us. And by doing that, they're coming with a much larger opportunity over multiple years. And this takes time to build that, as Shlomi had mentioned, there are skeptics out there, but we believe in this, and we see the opportunity.

All right. We want to thank everyone who joined on the webcast and the participants here that joined us live today. Shlomi, would you like to give some closing remarks, please?

Yes. Well, first of all, we are honored and we are excited to have you at swampUp. If you guys want to hear the real story of the Frog, if you want to really know what's the value of JFrog to our customers, you have over 500 of them outside. Feel free to speak with them. Feel free to share with us the feedback. We are looking forward not only to leap -- keep leaping forward but also to meet you next swampUp in [ Napa ] next year. Thank you very much, everyone.