JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Hey, everyone. Thanks for joining this session with JFrog. We've got Ed Grabsheid, the CFO; as well as Jeff Schreiner, the Head of Investor Relations there. Just as a reminder, there are QR codes in front of you. So if you have any questions, you can feel free to scan the QR code, type it out, and I'll just read it out up here.

But Ed, you've been in the seat now, I think, as CFO, basically since the beginning of the year. Previously, you were Head of FP&A at JFrog. I wanted to start out, maybe you could just give us, for those new to the JFrog story, a bit of what you work on, a bit of the DevOps and the progression into the security motion as well as ML and AIOps as well.

Sure. So first of all, thank you for having us. It's always great being in Arizona, especially in the wintertime to get away from those for the East Coast and even from the West Coast where it's really cold. So great to be here. First of all, JFrog, what do we do as a company? We've been around for -- since 2008. We were founded in Israel. Founders came to the Silicon Valley with the idea of taking the company public, raising money and being here in the Silicon Valley, having the stream of bringing software for developers, in particular, with the binaries and making developers more productive using a binary repository tool. Since that point, we took the company public in 2020. We've now evolved from a point solution for developers to more of a platform approach. So a platform to take software for developers from the source code. Most of you understand source code for those that are writing code to the binary, which is an open source package, bringing those into your organization and then taking those through the software development life cycle on to observability. And that's where JFrog has now evolved to a platform solution. On top of that, we've included advanced security and curation, which is an add-on product. So we acquired a company 3 years ago. We released security as an add-on feature in the second half of 2023, and we've seen great momentum with our security products. Recently, we announced during the beginning of Q3, we did an acquisition, and the acquisition was in our MLOps sector, we see a tectonic shift, similar to what we saw in terms of security, this movement going from just having point solutions to a platform in terms of securing your binaries. We see a similar tectonic shift in MLOps where large language models, which are a binary will become a driver of growth for this company in the years to come.

Got it. Very helpful. Maybe clicking in on the security add-ons that you've started to roll out. It's an exciting area for the company. It's an area you're very focused in. Could you give us an overview of just that security focus? And how much uplift can that drive, even just with your existing customer base? What does that pipeline look like, the discussions you're having? And we can touch later in the conversation about some of the large deals you've started to land.

Sure. So as you mentioned, security, which was an acquisition that we did, Vdoo was the name of the company 3 years ago. We acquired Vdoo with the idea of bringing advanced security to the company. But even before we did that, we realized that X-ray, which was a service that we provided for scanning capabilities, was not at the level that it needed to be. So security was -- X-ray was developed by developers for developers, and it certainly wasn't a product that CISOs would look at to replace existing security tools. So first step was to enhance X-rays. Next was, then building and injecting additional investments so that we can build out our security applications, advanced security and curation. As I mentioned, those products were released during the second half of 2023. We released those products. We had tens of customers, and we did that at introductory pricing. So we thought it would be very similar to what we saw in DevOps in terms of the sales cycle, start with introductory low level number of developers, number of seats and then build over time. As we enter 2024, what we actually saw was customers requesting much larger opportunity. So we saw multiyear based on the road map to replace point solutions, and this is the value of what we see in JFrog replacement of 6, 7, maybe up to 10 tools. So consolidation of these different vendors, better total cost of ownership, and therefore, what ended up happening was larger opportunities, longer sales cycles. Some of the deals that we thought maybe we would have landing in the first half of the year, those pushed out to the second half of the year because of the magnitude of the deals being much larger and having a multiyear element to it. So what we're seeing today is great momentum. We're building the pipeline. We're seeing advanced security as part of the road map. We're seeing curation as part of the road map. We're seeing these opportunities become very large, but we're also seeing elongation of the sales cycle because of these elements.

Got it. On the consolidation piece, you earlier this year announced a pretty important and tight integration with GitHub with your advanced security offerings, their advanced security offerings. When you're talking with customers about potentially squeezing down from 8 to 10 tools down to maybe a few, who are you perhaps displacing in those types of discussions? And maybe, if you could talk a bit about, too, just the GitHub partnership, how it came about? Did you both organically come together to talk with customers, joint customers? And could it be an avenue for maybe new logo growth as well?

Sure. I'll go ahead and start with that, and I have Jeff here that can talk a little bit more about the efforts with GitHub and the integration with GitHub. But what we're seeing, the vendor consolidation are the point solutions. Snyk, [indiscernible], Aqua, Veracode, these are the type of companies. These are point solutions that we're displacing with the platform approach. Now the GitHub integration and the co-marketing was being led by our customers. And the customer coming to us saying that, a, 70% of our customers today use GitHub. They see it as the best of breed in terms of their source code. JFrog is the best of breed in terms of the binary. Let's bring the two together. And that's where the discussion started, maybe.

Yes. And I think picking it up from there, what you really saw is to Ed's point is customers saying that I'm standardizing on GitHub. I'm standardizing on JFrog. Eventually, there may be some type of observability buying as well. And I'd really like to see the two platforms integrate more to create more value for us. And so the team started working together late last year on a co-marketing, co-engineering basis. And I think from there, we started to see that there would be opportunities to bring various features from each side, combine those features to add value to the customers we have today. I think key aspects of that agreement as we look at it today, some of the key features that were just released at GitHub Universe is the integration with Copilot and Artifactory. Before, if you had gone out and many of you have talked to your friends in software development and they said, JFrog, who? Now we've possibly been running as a service in the background, wasn't present on their workstation. Now we'll be present on that GitHub workstation where that developer can say, go into Copilot, say, here's my build, show me the last 5 builds, what were the packages used in those builds? And then pull that in and become a more efficient developer. And I think overall, the opportunity as it relates to GitHub is, as Ed talked about, the consolidation of point solutions. And instead of an if/or discussion, which I think it might have been 6, 12 months ago with, do I start at source code and use GitHub, because they're a very large company. They do source code very well. Do I go with JFrog? They do static code analysis, but they also cover a lot more technologies and software supply chain. Now, it becomes, I can buy both JFrog and GitHub, manage it in one pane of glass, all vulnerabilities, all remediations and essentially replace, as Ed said, 7 to 10 tools with just those two vendors acting as one.

Are there any potential future opportunities to expand your integrations with GitHub? Or it's been interesting just throughout the year, you've announced more and more over time. This has not been just one thing.

Well, I think there's more to come. But I think that right now, we want to use 25 as a proving ground, right? In order to move into the next, let's call it, iteration, which would possibly involve a co-sell, I think that both companies, GitHub and JFrog in '25 need to demonstrate the value that we can create together, to then bring attention to the sales organizations that there's something here that they're not capturing yet today. So I think there's still going to be a lot of co-engineering working on, but the next genesis of this would be possibly moving to a full co-sell, but that would be more with Microsoft, not just with GitHub.

Got it. Shifting back, you talked about the large deals and how that has also seen some elongated sales cycles. These are just big chunkier deals. They can take a very long time to work through. I believe you closed some of the largest deals in company history, basically just a few months ago. As we're sitting now in December, and obviously, you can't give us too clean of insight into Q4, in general. But just curious, last year, I think a lot of software investors saw a bit of dynamics of budget flush, and JFrog historically seems to be more of an H2 tilted company. I was curious if you could provide just additional color on that. Like is it really just even historically, you just have more deals tilted towards the second half of the year? And should we expect this to continue even into something like 2025?

Yes. Let me actually start with Q3. I think it warrants a discussion on its own, it was an exceptional quarter. As you mentioned, we had some of the largest deals in the history of the company closed during the quarter. First, we had a deal, which we talked about during Q2 that we decided to pause the discussions, and we got questioned around that, did we lose that deal? And I'm happy to report that, in fact, not only did we lose that deal, we closed that deal, which was the largest deal in the history of the company in the beginning part of Q3. And not only did we close it, we closed it with better terms than what was originally negotiated. So we knew that JFrog was critical to this customer. The interesting thing about this deal, in particular, was that it was led by security. So the decision in order to come to JFrog was brought to JFrog from the CISO. It's the first time we've had a deal led by security. Once that deal was brought around security, then the discussion became how do we now migrate our self-hosted opportunity to cloud. So this opened the door for a massive deal for JFrog. So that was deal number one. The second deal, which was an automotive company, we closed in the middle of the quarter -- which -- sorry, was tech deal, which we closed in the middle of the quarter, thank you. And that was the largest deal in the history of the company, followed by the largest deal in the history of the company, which was at the end of the quarter, which was an automotive deal. So it was an exceptional quarter in terms of a lot of big deals closing in the quarter. Additionally, two of those deals were security. One of them had IoT Connect attached to that. So, a, that was important. The second piece you talk about is being a second half company. You're absolutely right. What we see is with these large deals, they tend to fall towards the second half of the year. Now these deals don't happen and are not born within one quarter. It typically takes anywhere from 9 months to a year, in some cases, even longer. But what we tend to see is those close in the second half of the year. Last question that you had was regarding Q4 and what we saw in terms of the behavior in Q4. So I want to remind everybody, last year, Q4 in 2023, we had a onetime benefit. This was a true-up for customers in the cloud that had annual contract commitments, and those unused budgets were trued up at the end of the contract. And this was due to the mechanism that we had, which the unused portion was then recognized at the time of the renewal. We've, over the last 18 months, have moved customers from annual commitments to monthly use it or lose it. So we would not expect that we would have the same level of true-up in Q4 of 2024 that we did in 2023. What we also see is that customers today are not spending above their commitments. So the dynamics of what's happening in 2024 is very different than 2023. From a budget flush perspective, what we see is that most customers are very disciplined. They understand how to manage their budgets in the way that they align their usage patterns more towards commitment and to get an additional dollar above commit is very difficult today, unlike what we saw in 2023 and certainly unlike what we saw in 2022.

Makes sense. And I don't think that's unique to you. Historically, just thinking about go-to-market, obviously, the roots of Artifactory as an open source developer tool, saw a lot of bottoms-up just groundswell adoption, and there's been a lot more focus from JFrog in the past several years to shift more towards a top-down C-suite selling motion. What have been the key learnings just organizationally, internally as you've gone through that progression? And how do those learnings tie into now trying to sell to CISOs as opposed to a developer audience?

Yes. So the company was founded as a developer tool for the developer, and we started a bottoms-up motion. It was a product-led strategy, and that's what the developers wanted, and we serve that through the open source and through the developer. It gave us the foot in the door. And what we saw is most companies started at a very low subscription level and then over time, worked through either additional servers as we monetized self-hosted through the number of servers, or by adding additional usage in terms of data consumption and storage on the cloud side. This is how it started. Over the last 3 years, we've invested heavily in more of the downstream enterprise go-to-market. So that's meant bringing in the right sales organization, bringing in the teams that understand how to close very large deals, the infrastructure around that solution engineers, architecture and systems in order to manage that. So we've done that over the last 3 years. Now what we're seeing as we move forward is, a, we know that developers don't have the budget to sign very large 6-figure, 7-figure deals. So naturally, you start going into the C-suite. The decision is being made by the CIO. Security on top of that brings in a different persona, -- it brings in the CISO. That's another element that's brought into the whole discussion and negotiation. So you have two different personas in the negotiation. The duration in terms of the deal cycle and how long it takes to close the deal is elongated. The size of the deal becomes much larger. And additionally, what enterprises, they don't want to come back to the table and have another negotiation in a year, they want to have a multiyear. In some cases, they're even asking for 5 years. Today, we're limiting it to 3 years, but the discussion becomes around multiyear. It becomes around adding security on top of the platform. It's also step up. So they're considering what the budgets are going to be in years 2 and years 3, and how much usage and how many seats are going to be required from a security perspective. All of this creates complexity. We're still learning. We're building the playbook. We've now shown that we can close these type of deals. We did that with three very large deals in Q3. We continue to build that playbook, and we're learning quite a bit from each one of these deals that has a unique flavor to it.

I would just quickly add, Jeff. I think it's also maybe a reflection of the industry, whereas several years back, it was much more developer-led. Developers got to try out all the new tools and kind of organically bring those into the organization. Now in the large enterprise, it's much more top-down dictated, as to we're going with the platform, here's the tools you will use in this organization. And so I think there's been somewhat of a change in the customer base and how they're viewing things as well.

Perfect. Shifting gears, like you brought up self-managed and obviously, a big driver to the cloud growth rate is just the pace of migrations from self-managed customers over to the cloud. That's been an area you've been focal has not been at the same level of -- the same trajectory relative to a couple of years ago. Just thinking maybe into 2025, what level of visibility do you have in some of your larger customers actually doing migrations from self-managed to the cloud? And is there anything else you could do or you're thinking from either like a sales incentive standpoint or just a product functionality standpoint that you could deploy to try to juice some more migrations?

Yes. Yes. So the visibility comes from the pipeline. I have really good visibility into the pipeline, and I know that there are many customers that are looking to migrate. I also know that I don't have a crystal ball of when that is going to happen, and that became very evident in Q2, and it's becoming more and more evident as we start to look at the pipeline, and we see movement in our pipeline. I also know that I'm a second half company, and we've seen that now for the last couple of years. So my visibility is typically anywhere from 6 to 8 months, and that's where I have clarity. These larger deals tend to move around based on a couple of factors. Number one, I think the macro is certainly contributing to that. Number two is, the magnitude of these deals and the resources that are required, not only from a budgetary perspective, but from the number of people that are required in order to make this happen. So what do we do to help incentivize this? Number one is, that we run parallel your self-hosted instance with your cloud instance, giving you the opportunity to seamlessly migrate. Number two is we provide you with tools to allow you to move your workloads from self-hosted to cloud as well. And we provide the professional services and the team to help do that. We also understand that we are not going to force you, especially in this macro environment to do a migration. Understanding the magnitude of the budgetary and resource requirements, you'll make the decision. What we see is that once the customer is committed, 99.9% of the time, they do it. The timing of that is uncertain. We certainly provide kickers and incentives for the sales team to help kind of motivate and incentivize them to get the fire going in terms of the migration, but it will entirely be up to the customer in terms of the timing. We'll continue to show the value of why it makes sense to move from self-hosted to cloud.

And could you also talk about just structure around sales incentives when it comes to selling security. That's obviously a big area you've talked about becoming more of a driver in 2025. Could you potentially see yourselves making any tweaks to just the seller compensation incentive models or any other areas?

Yes. So 2024 was the first year that every single enterprise sales rep had a security target, regardless if you were brought in as an overlay to sell security or you were previously a DevOps rep, meaning that you sold the platform, now you'll have both targets. That means that if you only sold DevOps, you would not get 100% of your incentive, because you had a security target on top of that. We will also carry that forward into 2025. Every sales rep will be required to sell security. We see that, a, it gives you line of sight into your target strategically and it creates accountability. And we see it as the right structure to drive what is a strategic driver for JFrog, and we'll continue to motivate the sales organization through giving kickers and making sure that they're targeted, based on the security.

Got it. Digging into just some of the numbers, you most recently posted net dollar retention of 117%, pairing up with 22%, 23% revenue growth. Could you help us just understand what the underlying drivers of that 117 are, and how we should think about the sensitivity of those moving forward, maybe from a standpoint of DevOps/Artifactory as well as security as well as just self-managed SaaS migration?

Yes. So the $117 million, we're very happy with the $117 million. We -- our guidance was around the mid-teens. And so we're very pleased with delivering $117 million during Q3. That's driven off of, obviously, the large deals that were closed during Q3 and the migrations that we see from self-hosted to cloud as a primary driver. Anytime you have a self-hosted instance, to cloud, we see somewhere between 20% to 80% uplift in the first year, and then it continues to grow from there based on how we monetize. We also see existing customers in cloud, based on their commitments, driving the net dollar retention and to a lesser extent right now, security. So the security add-on is also driving some of that net dollar retention. Now as we move forward, we believe that the stabilization right now in the mid-teens is probably the level that we'll be at, going forward. What will drive that is going to be continuation of these large customers and what we see in our pipeline and the conversion of those deals from self-hosted to cloud, the continuation of the commitments. And again, security will be a driver. What would accelerate that, is going to be the pace of migrations improving and then any spend above the commitment. So going back to what we saw maybe in 2022 and the first half of 2023, where you saw usage patterns that were above commit -- that would help drive net dollar retention above the mid-teens.

And I would just add that, that point that Ed just made is that this year has been a headwind for us. That we are comping over a year that saw significant customer over usage. And in this environment now or at least in '24, and Ed and I, I think, both agree that for the near term, we don't see anything changing yet, is that the customer is being very disciplined and staying within the budget and not exceeding the budget. And so to that extent, it's been somewhat of a headwind in '24. But in '25, you'll be comping on a similar year in our opinion. So that could be a stabilizing factor as well.

Got it. That's helpful. Thinking about 2025, you've been more vocal recently about just maybe your approach to guidance, maybe being a bit more conservative, guiding to what you can truly see. Just given the large deal variability you saw in Q3, how will that influence your guidance philosophy moving forward? Maybe you can just elaborate on that.

Yes. There's actually a couple of factors. The large deals certainly play a big part of that because the magnitude of those deals have significant impact based on the revenue [indiscernible] in any given quarter. So today, it's very different than what we saw 2 years ago, where I have deals that are in 8 figures, whereas when I have a deal that pushes out in a quarter, not only does it impact my quarter from a revenue perspective, but it's a deal that I cannot replace. So if I push a deal out, I don't have similar deals that I can pull in and replace that. Unlike maybe 2 years ago where you have a smaller or multiple small deals push out, I can certainly incentivize a customer to pull deals in and replace that. So that leads me to kind of change my philosophy. That's number one. Number two is that, what we saw in the past, and in particular, this year is that when you try and peg the full year, and we know we're a second half company, and you start to see maybe a deceleration because you have seasonality in Q1, you're questioned and maybe even punished for very good results because they're looking at the full year. So what we did is we took an approach, be very conservative now. We have visibility into the first half. There will most likely be an acceleration in the second half, and then we can always increase the guidance. But it's harder to bring the guidance back, if, for whatever reason, things did not play out as expected. So therefore, we're much more conservative in the approach. It's certainly different than what my predecessor did. And going forward, that is the approach that I'm going to take. I think most investors and analysts got used to JFrog anywhere between 1% to 1.5% deviation in the beat. I'm not going to peg a number, but it will certainly be higher than what you've seen in the past.

That's very helpful. One coming from the audience, thinking through the Qwak ML acquisition and ML AI Ops, -- how does that compete in the marketplace? And how can that, in a sense, in any way, be differentiated with your GitHub partnership? And obviously, a lot of these DevOps players are also rolling out MLOps functionalities.

Well, I think that one thing that we feel we differentiate, Jeff, is that the LLM is a binary. From Genesis to finish, it's a binary. And so it's something that we feel we have an inherent advantage given that we feel we are, in fact, a binary experts -- where we see MLOps going, and I think Ed may have alluded to this earlier, is that it's another tectonic shift, much like the Vdoo acquisition, where I wasn't here in '21 when they did the Vdoo acquisition, spoke with Jacob a lot about it at the time, but there was pushback as to why is a DevOps company buying security. There are security companies, they'll do security, you'll do DevOps. We had a different vision, a vision that security would be layered on top of a platform. And that's what you see is coming into play today and what's benefiting us for following that strategy. And if we hadn't had done that, then we would be behind the eight ball as a platform, not having security on top of it. In the same aspect in MLOps, we see something that is going to be integrated with JFrog, and then likely fully integrated in the software development process within an enterprise. So being a platform, we feel we need to acquire the technology, have it developed and ready for our customers to use, because we eventually see that data scientist organization moving in with their LLMs and becoming much more of the generator of code 3 to 5 years from now than the individual developer sitting in the seat today.

Got it. I think we maybe have time for one more question or maybe a couple if we can squeeze in. But I wanted to ask just within your customer cohort comparing smaller and larger customers, if you could give us a bit more color on what you're seeing with those monthly customers, and you've called out slower free-to-pay conversions. That's something we've heard from other DevOps vendors like Atlassian over the past several quarters. Are you seeing a significant divergence in the spending appetite between the largest customers you have and smaller ones? Or are they more impacted by macro?

It's a very good question, Jeff. And first, this is very much aligned with our strategy. We started the year with a strategic view of going after large enterprise and landing larger deals, and getting those dollars, because we see it as more durable. So that was number one. Now what we see in terms of our monthly pay-as-you-go customers. 3 years ago, that was 1/3 of our business. Last year, it was 1/4 of our business. Today, it's less than 20% of our business. There's 2 reasons for that. Number one is that, a, we see it as top of funnel, and we take those customers once it becomes economically beneficial to move them to an annual commitment. Number two is that they tend to be SMB. And today, SMB dollars tend to be a little bit tighter. We don't see as many SMB dollars acquiring infrastructure today. It's more of the larger enterprises that are, again, deeper pockets, more durable, and that's where the focus has been. It doesn't mean that we've abandoned that strategy. In fact, there is an opportunity with products to go after the SMB. And we also understand that today's SMB is tomorrow's enterprises. So once the timing is right, we'll reengage and refocus on the SMB.

Well, I think we're at time, unfortunately. But thank you both. Thank you, Ed. Thank you, Jeff, for sitting with us today. Yes. Thank you all.