JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Everybody. My name is Koji Ikeda. I am one of the software analysts here at Bank of America. Welcome to day 3 of our technology conference. I am absolutely thrilled to have JFrog doing a fireside chat with us. We have the CFO, Ed Grabscheid. And we also have IR, Jeff Schreiner here. So thank you so much for being here. We appreciate it. I always ask the obligatory introductory comments or a question of what is JFrog? What do you guys do? What problems are you addressing today? And what problems are you addressing for the future?

Well, first of all, thank you for having us. It's great to be back here in San Francisco. I see some new faces in the audience here. So I'll give a background at JFrog. JFrog was brought to this world to make developers more efficient. So as code, source code becomes a machine language, that's a binary. JFrog manages the binary. So today, we are the only company in the world that has binary and Artifactory as a platform. We also have DevSecOps, which is our security product and now JFrog ML. So 3 applications in a platform, only company in the world to be able to do that. We're focused today primarily on managing those assets, ensuring that they are brought into your organization, they are secure and then they are delivered in the form of an update. We also will start working in the future with large language models. It's very nascent technology today, but the focus is on delivering value for the AI and large language model world in the future.

You guys dub yourselves as the one of the disruptors and protectors of the supply chain of software. What exactly does that mean for being the supply chain of software?

Yes. The supply chain of software is really the motion of taking a language that's written in a source code in English or Spanish or German and putting that into machine language. And what is different today than what we saw maybe a decade or 2 decades ago was the pace of updates. So if you recall, maybe if you use Microsoft and you did an update in Microsoft, you would do that once a year or every other year, they would do an update. They can manage that update. Somebody would write the code, they would turn it into a language, they would test it. They'd bring it to market. There might be an error that's found, they would fix that and maybe 6 months down the road, they would update that again. Today, updates are being done 10, 20, even 100 times per day. The pace of those updates because of open source packages coming into your organization today source code, let's say, 80% to 90% of that is an open source package. You're only writing 10% to 20% of your code, but it has to convert into a binary. Software supply chain and the management of that binary was brought to this world because of these open source packages, and this is what JFrog does. It manages the process of taking those binaries, those updates and bringing them through your organization, testing them, securing them and distributing those binaries, those updates.

When I was preparing for the conference, and I was kind of looking at the first quarter -- my first quarter result notes, I was kind of reviewing them, I'm like, man, you guys had a pretty good quarter. And so tell me a little bit about the quarter. What was kind of the highlights of the quarters? And what have investors have been kind of asking about the quarter that they've been pointing to from a bull case.

Yes. So Q1 was a culmination of not just one quarter. It was a culmination of many quarters that we built to the results that you saw during Q1. So we really saw this transformation that was happening early on where we wanted to penetrate at the C-suite. We saw there was an opportunity to move from a developer sale into the enterprise. We invested heavily 2 to 3 years ago with secure -- I'm sorry, with enterprise, with strategic sales, with building the infrastructure around that architects and solution engineers. Now Q1 is a result of those efforts, the efforts of the acquisition of VDoo, where we have security and security going from a point solution to a platform and adding that on top of Artifactory. And then in Q3 of last year, closing 3 of the largest deals in the history of the company. 3 or 4 years ago, if we did a $0.5 million deal, that was considered a mega deal within JFrog. Today, we've closed deals that are 8 figures. We have a customer that's over $30 million on an ACV value. So when you say Q1 was a great result, that wasn't because it was just one quarter. These were multiple quarter efforts, and we really started to see that momentum happening in Q3 of last year with these large wins with security. If you recall at the end of 2024, we disclosed the metrics in security. We delivered more than -- or we delivered 3% revenue, 5% of ARR and 12% of our RPO, which is coming from security, where we had essentially 0 in the year before. So we've really started to penetrate the security budgets as well. And then the last piece of what we saw during Q1, which was a bit of a surprise to us was the amount of usage in our cloud. So we have customers that commit to JFrog minimum commitments in data consumption. So they may commit to 2 petabytes, 10 petabytes, 15 petabytes, whatever that usage is, and we take that revenue ratably. When the customer exceeds those minimum commitments of usage, then we have an overage. In 2024, the vast majority of our customers were not spending or using above the minimum commitments. In Q1, we had this robust usage across a diverse set of our customers in our portfolio across multiple geographies and distributed linearly across all 3 months of the quarter. So this was something that was not expected. It's historically a slow quarter, Q1 as many budgets are being built, as sales kickoffs are happening. So it was a bit of a surprise to us, but it ended up being a great result for JFrog.

I want to focus on the large deals were signed in. Just a point of clarification, make sure I heard it right? You said $30, you have customers that are $30 million in size on an ACV basis. That's...

We have one customer that's $30 million in size on an ACV basis.

Wow. Okay. Okay. And then on the cloud usage front, got asked the question, right? I'm sure you've been getting the question a lot. AI coming into play with that? I mean, is there any sort of -- you guys should be a beneficiary of AI driving more binaries good for JFrog? I mean I don't want to get ahead of my skis here, but it does feel like is AI playing into that just a little bit.

Well, we just -- we're going through the circuit. This -- we were telling you before the fireside chat, how many of the fireside chats we've had. So you're not getting ahead of your skis because this is the third question. We typically get it on the first or the second around AI.

So waited a little bit.

Yes. Well, let me tell you a little bit about the usage. We -- well, first off, AI. What we believe and why we're so excited about this opportunity. When you bring a large language model into your organization, it's a binary. And we are the company that manages the binaries. So we believe we should win this market. We made an acquisition at the end of Q2, we acquired a company called Qwak AI. That is the platform that manages large language models to bring those models into your organization to train, to secure and distribute large language models. We released the first phase of the product, which is on the cloud in Q1. And we're planning to release the self-hosted version at the end of this quarter. Now what are we seeing? I'll be honest, we're not a company that's going to deliver a message of fluffiness. It's very early. If we talk about a baseball game, we're singing the national Anthem at this point. We're not even exiting the dug out to start playing the game. We see some things that would believe -- lead us to believe that there could be a tailwind. And the thesis around it is that more binaries means more code means more binaries and more binaries is going to be beneficial to Jfrog. Now in Q1, during this overusage period, we did track the packages that were being used by the customers. And we saw 3 packages that seem to have the most significant usage on a sequential basis. That was Docker, Hugging Face and Python, PyFi. So when you think about what the developers are using, you could make some assumptions that there's experimentation that's going on right now with AI.

You mentioned Hugging Face. I believe that's a customer or a relationship that you highlighted on the last quarter call, you mentioned it right there. What's going on with Hugging Face? Why did you guys talk about it so much on the call?

Yes. So, I'll take that question, Koji. I think the Hugging Face relationship is unique in the sense that it's a repository for large language models, much in the same fashion that you would garner a repository for NPM Maven on the package side that we've already been doing with Artifactory today. And so when you look at what we've been doing here and what was the -- I apologize, what was the topic again?

It was the Hugging Face...

I apologize guys, a long week. I apologize. Hugging Face is a relationship in which they came to us, Koji. They had another company that was reviewing the repository and securing that repository, but that company had told them that 80-plus percent of the models were malicious, okay? And so they asked JFrog to come in and scan those models. And we said that those were false positives. So in essence, maybe some of that Hugging Face traffic that Ed alluded to could be that JFrog customers felt that this was a more secure repository from which they could pull from. So the Hugging Face relationship is us supporting the community today and supporting that repository. But obviously, there could be indirect benefits as customers start to utilize that Hugging Face repository and use the proxy function that's within JFrog Artifactory today. So we view that as kind of the first motion of what you're seeing, where the repository is more focused on an LLM than it is on an individual package technology.

And I think there -- I'm going to just jump in real quick. I think there was something very important that Jeff mentioned was that Hugging Face came to us, JFrog to scan and ensure the confidence that the models that are being stored in Hugging Face to pull into your organization are secure. So that brings a lot of confidence to the community that JFrog is the system of record in terms of the scanning and the level of confidence that these models are secure. So even if you're not a customer today of JFrog, you know that JFrog is going to be the system of record in terms of the scanning capabilities. Therefore, if you're going to bring a large language model, and this is where the intangible benefit that Jeff talked about, and you're going to bring that as a data scientist into your organization, it makes sense to store that in JFrog. So we believe that there could be some opportunity coming from that. Today, it's not a monetized relationship. It's a matter of a proxy between similar, like Jeff said, let's say, Maven or NPM but it's a relationship of bringing large language models into your organization through a proxy, but we do believe it could create some intangible benefit for us.

Got it. Let's talk about the guidance for a second.

Sure.

You guys -- we just talked about big deals. We talked about cloud usage. But how does that I mean I know -- let's talk about it. We know it's not incorporated into the guide, right? You guys are not including big self-managed migrations to the cloud in the guide, and you're not including usage, upside usage in the guide. So why is that not included in the guide this year?

Yes. Look, first, let me explain why we chose to do this. And I talked a little bit about the transformation of the company 4 or 5 years ago when we went public to where it is today. A deal of $0.5 million, if that deal pushed out, I could pull 2 or 3 deals from an out quarter into the quarter, and it didn't have a significant impact on my revenue. Today, when I take an 8-figure deal and that deal, because of the complexity of the deal, if I forecast for that deal to happen in a quarter and it pushes out, I don't have deals tens of deals that I can pull into the quarter to backfill that push. And so what we see with these large complex deals that you're talking about that are a migration that have security elements on top of it, it's not a matter of if. but a matter of when. And we must be patient. We saw this in Q2 of last year, where we had forecasted a deal that was 99% of the time would close. It didn't, and it had a significant impact to our ability to overachieve on the revenue side. Therefore, we took a very cautious approach by derisking those deals and allowing those deals to mature and then come in as upside potential. The second piece is the usage. And why don't we include the usage? Well, we saw this in Q1. The usage created a tailwind for us. It created a significant outperformance in our revenue, but they can turn it off as well very quickly because it is not a commitment. So today, we have a bit of a disconnect between the developer that's been pushed to innovate to bring in new technology. And the other side, my office of the CFO and procurement that say, hold on, I don't necessarily have the budget yet. So let's maybe ratchet down the usage until we can secure the budget. And so those discussions right now are a bit of a tug of war. Innovation that's happening, budgets and a very tight rigid purchasing environment that's pushing back. So it doesn't make sense for us to put that type of assumption into our guidance. So we exclude that. The last piece is, as we stepped into Q2 coming off of our guidance in February, it became incrementally uncertain. The market changed. You had tariffs on, tariffs not, the liberation date. There was all kinds of things that were happening. We had to take a more cautious approach, and we balanced the overperformance in Q1 with our prudence, and this is why we took a more conservative approach going forward. And we believe that, that's the best approach, not only for us but for investors and shareholders.

I'm going to try. It is June. So it's been a while since you guys reported. Any sort of update in the demand environment you could share with us?

It's worth the effort to try because you will never know unless you try, but no, I will provide an update after we close Q2.

That's right Yes. Competition, I wanted to ask you a bit about that. You guys are -- we consider you guys next generation. But JFrog is not new. You guys were made last year, year before, 5 year you've been around. And whenever we do our checks, it seems like the pool of competition is quite small for you guys, and you guys are one of the disruptors and leaders there. And so why hasn't another competitor emerged? What is it about the category that is difficult?

Yes. That's a great question. So let me give the competitor landscape first, and then we can talk about the differentiators. We are the only publicly traded company in that DevOps binary management tool infrastructure space. The closest competitor is a private company, a PE-backed company called Sonotype. We also compete with a very, very small start-up that is a cloud-native tool. We don't see them often not even worth mentioning the name, but that they are sub-$10 million. So we've seen them kind of pop up. We're not naive to think that somebody could come into that market. We also have the hyperscalers. They offer some type of container registry, very basic container registry technology as well. So what is the differentiator for JFrog and how we built the moat and actually probably widen the moat is through our technology and the number of languages we support. We have a very deep technology stack in terms of the languages that we support, the security elements. At the end of the day, when you own the most critical asset, which is the binary. So JFrog owns that binary. It's being stored with Artifactory. You are the company that can secure that asset as well. And so now we've created a differentiator with our platform in security. Point solutions today cannot operate on the security of binaries without having a proxy to JFrog. So we want to please the community and continue to delight the community. So therefore, you maintain those relationships, but essentially, you could cut them off. You could cut the oxygen off to these point solutions. We choose not to do that, but most customers see advantage to 2 things: consolidation, and to secure the most -- the critical asset, which is your binary. And so as we continue to add more technology like MLOps, that moat becomes deeper and wider.

And I'll just add quickly, Koji, I think on your question about why there haven't been more. This is a fairly new technology. And I think the time that I've been at JFrog now almost over 3 years, I think the importance of the binary has grown. And so I think part of that is that it's taken time to get to a level of sophistication and software development, where individuals that are working on this technology are realizing the importance of the binary asset. And so I think that's the unique part because I think binaries are the newest form of the software development software supply chain [indiscernible] been there, observability production environments have been there. This is kind of a new aspect to the whole development process.

You mentioned 2 things in your answer there that I wanted to touch upon. One MLOps. But two, you mentioned the hyperscalers and container registry. And so maybe good knowledge for me. I just kind of want to understand when we think about the hyperscalers do customers sometimes start with the hyperscaler option and then eventually graduate to JFrog? Or do they start with JFrog from the beginning and the ones that are on that container registry from an AWS or a hyperscaler, they just kind of stick with it over time?

Yes. We don't necessarily see migrations coming from the hyperscalers to JFrog. What we would typically see if they're sophisticated, they're coming either from a competitor like Sonatype that have scalability issues or want to migrate to the cloud and are unable to do that or they're coming from a homegrown tool where they've built something to manage their binary -- manage their binaries and distribute the binaries. They have a large organization. They're unable to scale on the homegrown tools. So they come to an automated tool like JFrog provides. You probably have smaller organizations that are using the hyperscalers for container registry that maybe want to operate on 1 or 2 languages. Those are not necessarily the right customers for JFrog. We'd happily take them, but because of the depth of our technology, the number of languages that we support, the complexities that we support. So less sophisticated organizations typically go to the Hyperscalers. They have different metrics in us. They're looking at trying to generate as much traffic as possible. So they -- by the way, we operate and work on the marketplaces of all 3 of the hyperscalers, and we work very closely in a partnership with those hyperscalers. They're really looking for traffic. They're not looking to take the business from us, but they would happily bring a customer into their container registry solution if it's a very simple basic case.

Okay. What's the opportunity with MLOps for you guys? Tell us a little bit about that?

Yes. I'll start, and then Jeff, you can talk about the technology piece sure. As I mentioned in the beginning, we acquired Qwak AI in Q3 of last year. We saw this as a huge opportunity for JFrog at that time because we said, as this market is shifting more towards large language models, we're creating -- there's a new buyer here in the data scientists. The data scientist is now creating these large language models. In order to deploy those large language models, they become a binary. So they have to train them, they have to secure them, they have to deploy them as a binary. And we wanted to win that market. We saw it shifting, and we made that acquisition in Q2 of last year. We also saw that we wanted to get ahead of it because we were worried that valuations could change very, very quickly, which they have. So when we did the acquisition, maybe there was questions around it, why are you doing the acquisition now? We did not get questioned at all around valuation, around the decision to acquire, I'm sorry, Qwak AI. And the last piece of that is we saw an opportunity here with a product that we can integrate into our platform very quickly. Unlike the acquisition we did with Vdoo on the security side, where it took a significant investment in terms of building the application to be a platform and integrate. With JFrog, this was a product that we could add to our platform very quickly. As you saw, we released the cloud native version in Q1, and we're getting ready to release the self-hosted version this quarter. So it was the right decision from us. And we believe we should win that based on the binaries.

Yes. And to Ed's point, when we talked about singing the National Anthem as a comparison to the baseball game of where we're at. What we have right now is that a lot of companies are tinkering and experimenting with ML in their organization. Perhaps we think that's some of what we saw in the overusage in Q1. And what they would really like to do is look at the various platforms that they could use within their organization. So to Ed's point, I think another key aspect there is that within 6 months, we were able to take this technology and meet the market when it's ready to start utilizing and bringing this into organizations. I would say that we view that there are 2 gating factors right now before we see mass adoption of this technology across many enterprises. And that's within the industry determining what the monetization will be, how will JFrog be compensated for the value we provide and what is the buyer willing to pay for that value. And on top of that, given the rapid change, the speed of innovation that you're seeing on the MLSecOps side and what AI can allow that hacker to try to do and bring into the organization, that will be another gating factor to a much more broader adoption. So we think that there's people that are working within this today, but I don't think that we're really at a mass scale yet until some of these other broader gating factors are really relieved.

Got it. Maybe a question here on the M&A strategy going forward. I mean you guys did buy Qwak last year, you bought Vdoo couple of years ago. I think there's a couple of other acquisitions in between. Keep me honest there, I can't remember. Yes, how do we think about your M&A strategy going forward?

Even before I talk about the M&A strategy, one of the strategies that we have is to focus on delivering free cash flow so that we have the capability of being able to react quickly. So we delivered 26% free cash flow margin in Q1. We continue to generate a significant amount of cash. This gives us that flexibility as when to a shift in the market that we can react very quickly and do a transformational or even a tuck-in type M&A acquisition. So we continue to focus on that to ensure that we're nimble and agile. We're always looking at the market. I don't know that we'll do something transformational per se. But as we release JFrog ML and customers begin to use the platform, feedback will start to come back to our engineering team. We'll identify if there's holes in the platform and see how we would go and address that. That could be with the tuck-in. But most of the focus today would be on ML and AI, not so much on the security side. We believe we're well positioned in the security side. We've invested heavily over that. in that domain over the last 3-plus years and the focus will really be about delivering AI technology.

Let's talk about security for a second. So you guys have delivered good revenue from security from essentially 0, right? And so how do we think about security as a growth vector over the next 12 to 24 months?

It's a big opportunity for us. There's big budgets in security, and we want to continue to penetrate that, but we're still at the early stages of penetration. We don't have -- we have thousands of customers, over 7,000 customers today. We've got more than half of those customers using JFrog X-ray which is our Tier 0 security product. So we have an opportunity to penetrate through those customers that we know today are using X-ray. You need to use X-ray to be able to use our advanced security products. So our focus is on that. We believe we have a long runway. It should be a huge growth driver for us going forward, and we continue to see that as a big piece of our business in the future.

Okay. How do we think about how you're selling security? One of the things that we is often debated within DevOps is the ability for a dev tool to sell into ops or security, security tool to sell the other way, Ops, you get where I'm going. So how are you selling security?

Yes. It's interesting. 3 years ago, when we started to build our security team, we built a security overlay team. We brought security-based architecture and solution engineers, and we've integrated those into our process. So we have that overlay team. But we also saw a shift in the way that the customer is buying. Before you had the DevOps side, you had the CISO and the CIO, 2 separate budgets. You're now starting to see that come together as a panel. So when we sell, it's a matter of selling to a panel. You've got the developer that you're selling to. You've got the CIO and the CISO budget. Those are coming together to make a decision. So you have one point of contact in terms of your sales now that is selling an opportunity, the value proposition of JFrog, the DevOps side, the DevSecOps side brought together as one value.

Got it. Got it. got about 1.5 minutes here, and we briefly touched upon free cash flow margins. You talked about how you guys think about free cash flow and M&A. But how do we think about free cash flow overall? I mean you guys just did 26%. Your targets are 26% to 29%, right, you're kind of there. So how do we think about free cash flow generation and balancing that against growth, growth potential?

Yes. That's a great point, balance. I'm going to focus on that word. We've always had a focus on profitability and free cash flow. This was not something that was outside of this year or last year. Today the shift is going to be now on profitability and free cash flow. That's always been part of our DNA. In fact, 3 or 4 years ago, when the focus was around profitable growth and durable growth, we were being questioned about that. Today, there is no question. Companies are focused on profitability. We continue to balance innovation with profitability. I'm not going to spend $3 to earn $1. That's never been part of the way that we operate as a company. I've been with the company for 6 years, CFO for 1.5. That will remain part of my DNA, and we will continue to look at generating value through free cash flow and profitability.

Yes. And I'd just add quickly, Koji, we think that as a Rule of 40 that is driving what Ed and I and the management team at JFrog are trying to do that now that portion of the Rule of 40, a greater portion of that is coming from the free cash flow margin. And so that was something that we thought would happen over time a few years back and the focus that we've put on that metric.

Got it. Jeff, Ed, we are all out of time. Thank you so much for doing this. This has been great, fun conversation. Thanks so much for being here. Thank you.

Thank you for having us. Thank you. Of course.

Thank you.