JFrog Ltd. (FROG) Earnings Call Transcript & Summary

Awesome. I think we'll get started. Thank you, everyone, for being here today at the UBS Global Technology and AI Conference. My name is Radi Sultan. I cover the SMID cap infrastructure software stocks here at UBS. Next up, we have JFrog, Ed, CFO; Jeff runs IR. So first of all, thank you very much for being here today.

Yes. Absolutely. Thank you for having us.

Awesome. Maybe just to kick it off. You guys have seen one of the strongest accelerations in the software group over the past few quarters, 6-point [ accel ] to 26% in the most recent quarter. So maybe just to level set what's changed? What have been the biggest growth drivers behind that acceleration?

Yes. So first of all, nothing has really changed in our strategy. We've seen tremendous execution during 2025. What we've seen though, which is different than what we saw in 2024 is usage over minimum commit. So we have very strong and robust cloud growth. 50% year-over-year in the cloud. Much of that, again, is being driven by the fact that we saw usage over the minimum commit. Unlike 2024, where we had three of the largest deals in the history of the company, what we're seeing this year is more large deals. So we see increase in our ASPs. We see more velocity of those large deals. We're seeing expansion also in the enterprise. So we robust growth in the enterprise which is leading to higher commitments. And then lastly, security, we're seeing security being a driver of the ASPs as well. So taking all of those into consideration, we've had very robust very strong growth, and you see it in the results.

Yes. Awesome. And maybe just on that point, you reported, I believe, was the strongest top line beat ever in the most recent quarter, a little over 6% above the high end you've been vocal, your guidance excludes large deals and usage over minimum commit. So maybe just walk through those two variables, how those have been trending? And sort of what have those two sort of been the biggest driver lately?

Yes, you said something very important, variable. You said that, and that's exactly it. So the responsible guide that we do is eliminating that variable. The fact that we have usage that we can't predict, that's over the minimum commit. We derisk from that usage, and we also derisk these large deals. It's not a matter of when these deals are going to happen or if they're going to happen, but rather when they're going to happen. So it's a very responsible guidance. So understanding that first is what's very important. What we're seeing today is strong demand. That demand is being driven by security. That demand is being driven by some of the events that are taking place like NPM where it's driving pipeline and strong opportunity to execute. We're still waiting to see if budgets will align for that demand. And we're also seeing, again, robust usage. This emerging technology that's taking place with AI models and AI-driven code. We've seen an increase, although on a very, very small base, which is driving demand. But part of that is excluding that, and letting that evolve over time. And hopefully, if we can continue to execute, should be open for a very, very good outcome for the remainder of the year.

Awesome. Maybe just on that point, as we think about the outlook for Q4, a common question I got was sort of the full year cloud guide does imply a pretty steep deceleration in Q4. So maybe just -- is there any way to talk about sort of the puts and takes on the Q4 guide, specifically understanding there probably is some conservatism in there, but maybe just anything over and above that when you think about puts and takes for Q4 specifically?

Yes, sure. Absolutely. Again, and I think there's been a lot of discussion around that is that the fact that the cloud, the way that we guide and understanding how our guidance philosophy is built, it's very responsible, excluding usage over minimum commits, only guiding on the commitments. Secondly, excluding the largest deals, 8-figure deals that include migrations from self-hosted to cloud, security on top of that, excluding those. And again, only guiding on the commitment. And I want to remind everybody that last year at this time, we had three of the largest deals in the history of the company that closed. Those were cloud deals. They included migration from self-hosted to cloud or expansion in the cloud. We knew going into the second half of 2025 that it would be an increasingly more difficult compare and we called that out. But what we expect as we head into 2020 -- into Q4 of 2025, is that, again, we set it up for a very responsible guide, assuming that we can continue to execute on the momentum that we're seeing in the pipeline, it could be a very nice and attractive setup.

Awesome. And then maybe just on that cloud migration point specifically, is there any way to think about sort of the pace of those cloud migrations, how that's changed? And maybe when you think about like what has been the biggest catalyst behind those cloud migrations, it the functionality, features, et cetera?

Yes. So there is the secular trend to move from self-hosted to cloud, and we saw this robust migration taking place. Maybe in 2022. Yes. Before that, you had a bit of that pause as there was some optimization that's going on. And then we started to see that pick up a little bit during 2024, although not at the same pace that we saw previously. Today, what we're seeing is customers, specifically the largest, most sophisticated customers are pausing on their decisions to migrate to the cloud. This is being driven by maybe the concerns around what AI will do in terms of cost predictability and governance around the control of the amount of code that's coming into the organization. So there's a bit of a pause right now, and we call this fit for purpose. We're hearing this more often. So we're working very closely with customers. We're continuing to expand those customers in self-hosted and maybe taking other capabilities into the cloud like security. But for the moment, there seems to be a bit of a pause until there's this understanding around what is the cost predictability how am I going to manage the compliance and governance of the AI-driven code and large language models. And until we get past that gate, we believe that a full adoption into the cloud will probably be somewhat delayed.

Got it. Got it. And I guess -- maybe when you think about like next year, I understand you're not giving guidance, but maybe just as you think about the biggest growth drivers for next year, we talked about security, cloud migrations, usage, AI, et cetera. Like how do you think about sort of ranking the biggest growth drivers for next year?

Well, typically, migration is going to drive the biggest benefit. So when you move a workload from self-hosted to cloud, you have anywhere from 20% to 80% uplift in that same subscription type. So this is going to be the biggest driver. But if I was to look at where we head into 2026, there's two things that I'm focused on. Number one is, can I continue to see this momentum of usage over minimum commit or for that usage where I have today over the minimum commit, expanding that to a larger minimum commit, so having that expansion. And then security. Security is going to be a continuation of what we see in terms of the performance in the cloud. If I land and see uptake in security with what we're building in the pipeline today and converting that demand into an expanding opportunity, then I think that 2026 could be a very strong year for JFrog.

Got it. And maybe just dovetailing off that, at swampUP this year, you had a heavy list of product announcements really attacking like a bunch of different growth vectors, right, AppTrust, AI catalog, Fly among others. I guess which of these are you most excited about near term and long term? And maybe why?

Yes. This is one of our best swampUP since I've been at JFrog, I've been here almost 7 years, and they've been doing this for 2 years now, but the amount of innovation that we delivered and the expansion from a technology perspective to the platform, lot of great products that we delivered. You mentioned AppTrust. AppTrust is one that there's a lot of buzz and excitement in the community right now and in the market with our customers. This really addresses a pain point for our customers, where today, it's a manual process to govern the compliance of software delivery. And so we see an opportunity with AppTrust. We just released it. We're building the pipeline right now, and we're seeing good success in our pipeline. I don't know that it's going to drive any particular benefit during Q4. We'll see what happens during 2026. If we can execute on that demand that's being built in the pipeline. But certainly, there's buzz around AppTrust and governance, this [ DevGovOps ] category that we're creating today. Secondly is going to be the AI catalog. AI catalog addresses the need and security for large language models. So we talked about in the public call how we're starting to see an emerging use case large language models, in particular with Hugging Face. So Hugging Face models that are being pulled into the organization. We've seen a 100% increase since Q1 and the amount of models that are being pulled into Artifactory, you have to be able to secure that AI catalog will be the way to secure your large language models. And then Fly. Fly was another product that we introduced during swampUP. Fly addresses the need for very small teams. There's a select group of customers that we're going after. This addresses the need that tend to adopt technologies quickly. Agentic capabilities, they want to use maybe a lighter version of Artifactory. We're building that group of select customers today, we will learn from that. I think that's probably more long term. It's more of an R&D-related product. It will give us the learnings that we need in order to build the agent capabilities into the enterprise platform in the future.

Got it. Got it. I get the question a lot that like can Fly longer term, recatalyze sort of new customer growth and really start introducing that as a growth lever longer term? I mean I'm curious if you have any thoughts on that.

Yes. The intent is not necessarily to be a significant revenue growth driver. I think it's to make sure that we are bringing the small customer that is using advanced technologies or emerging technologies today. We want them to come to JFrog, and we want them to be aware of JFrog as an [ SMB ] opportunity, not go somewhere else where we then we have to wait until they become sophisticated enough to come to JFrog. So we're addressing the need. We don't see it necessarily as a revenue driver today. We see it more as an awareness and an ability to build top of funnel and ensure that all new customers, small customers that could be the largest customers in the future are coming to JFrog.

I'll just add quickly to that. I mean, I think to your point is that you're going to be working now with a new level of sophistication in startups. No longer are you going to have a team of 50 or 60 developers most likely in an Agentic world. That same team that used to be 50 or 60 developers may be three now. And so those guys are going to have a different type of profile in how they develop software, how they utilize AI, how various parts of the development pipeline are interfacing. And I think for us, we want to be able to serve at some point down the road that type of customer. But at the same time, I think that there's a lot that can be learned to Ed's point in terms of maybe extracting R&D and knowledge out of this with Fly to take to the larger enterprises and say, "Look, we've already executed it this way. Look at this implementation of XYZ, and that may be a better choice for you".

Got it. Got it. Got it. I guess maybe just drilling onto the AI growth drivers. I mean, one thing that came through my own work was there's a lot of AI tailwinds sort of impacting your business you have sort of the AI developer tool impact on sort of usage, you have model registry, governance, the actual binaries that are used in AI application development, there's a lot of different growth drivers here. Maybe you could just sort of dissect those as you think about high level which of those sort of AI growth drivers you think will be most impactful? And then maybe how you think that sort of evolves?

Yes, it's a very good question, and we're excited about this shift in the era of AI. We think it creates a big opportunity for JFrog. Clearly, when you have code being generated by machines in the pace of code that will be generated, that means more binaries, and that's exciting for JFrog. That's what we manage. And we believe thematically, as you have more code being written and more binaries that this will be a benefit to JFrog. But what we're really excited about too is the pace of code that's being written you have to secure that. We see a huge opportunity in terms of security, and we're doubling down on that because organizations are going to freak out with the amount of code that's coming into there. Into the -- our companies are going to be freaking out with the amount of code coming into the organization, they need to be able to secure that. And so there's a big opportunity from a security perspective. And again, we will double down on that ensure that we win that market.

Got it. And maybe just drilling down into that, I mean, how much of -- when you think about sort of the revenue benefit from those AI [ code gen ] tools is sort of that security angle versus just sort of court usage of pay, I need more binary to support 20%, 30% improve developer productivity.

Yes, it's probably too soon to call that out and to see that. There's multiple avenues. Here, you're going to have obviously, Artifactory will grow with the amount of code. You will have the AI ML direction as well as you bring models, models or binaries and you bring those into your organization. you'll need to train, secure and deploy those models. That's why we have JFrog ML. We did the acquisition of Qwak a year ago, and we already embedded that into our platform for the enterprise. So that's another avenue of opportunity for JFrog, but we're very, very early. We're probably in the first couple of innings right now, and it's really difficult for us to say definitively, it's going to be ML or it's going to be security or it's going to be AI workloads. It's still something that we want to be able to capture the market. We'll continue to invest in all of those technologies to make sure that JFrog is in the forefront of winning those opportunities.

Got it. Maybe just on the model registry side, you guys have talked about being the model registry of choice. So maybe you could just talk through the competitive landscape there, how that may be different from sort of the core artifact management business. but then sort of how that -- maybe how you're sort of mode around Artifactory translates into competitive edge there.

Well, we saw more than a year ago, maybe even 2 years ago, we started to see the data scientists bringing models into the organization and storing those in Artifactory. So we knew that there's an opportunity there because these models were starting to come into Artifactory. But what was missing was the ability to bring those models in and work them through the software supply chain. Develop those models, train those models and deploy those models. And that's why we did the acquisition of Qwak a year ago. This gave us the capability to do those three steps and ensure that models are being deployed in the most secure and compliant manner. And this is a differentiator for us. So we know that large language model is a binary and you can store those in any repository, but what differentiates us is the ability to take those models through the development life cycle and then go through and deploy those models. So that gives us a competitive advantage at this stage.

Yes. I think at this stage, you don't see or hear yet. And I say yet, but no one is coming at the problem that you're discussing in the way that JFrog does. We're coming at it from protecting the core asset in the binary, and that's the value add that we bring to you as the organization. I think that there certainly will be probably evolving emerging competitors for the ML landscape. It's just so nascent yet that we haven't necessarily seen even in presale activities that are somewhat still nascent for us with JFrog ML. We're not seeing a lot of alternatives being brought up as, hey, I've got you versus company X. So it's not there today, but neither is AI and ML. And I think as that starts to explode and take off, I think we'll see a shift in competitive landscape from what we've seen in the traditional DevOps or security type offerings.

Got it. And actually, one growth driver you did call on the most recent call was sort of the supporting the binaries used in AI application development, like Docker and NPM they're sort of getting pulled along as well. So maybe you could just talk through what you're seeing there, how much usage today is actually associated with those binaries to support AI application development.

Yes. What we actually see today and Jeff, feel free to jump in after this. What we see today is there's a lot of experimentation. So what we called out specifically around the usage coming from packages like Hugging Face, Python, which we know specifically are being used for AI workloads. We see those going into this -- coming into JFrog and doing some experimentation. What we don't see is a correlation between those package types and Docker, meaning that it's going into production. So we haven't seen that yet. Now what we're seeing in terms of the robust growth that we had in the cloud during Q3 was specifically around our conventional package types. Docker, also Maven and NPM.

Yes. And I would just say, I think that it's a two-fold answer to Ed's point. We're benefiting certainly Q1 was benefiting from an experimentation in which we believe in AI and ML. I think that some of that's probably continue to go on. In Q3, we certainly saw the benefit, albeit maybe for a few weeks, but the first NPM incident happened at our swap-up event ironically, right? And customers were obviously having to do a lot of scanning of traditional packages of NPM to do updates and find the updates from the repositories and make sure that all the packages that they were using were in fact, the correct updates for the NPM language.

Got it. Got it. Got it. I guess maybe just switching gears. You mentioned the Hugging Face integration. I mean, could you just talk to that relationship. I do get quite a bit of questions sort of how that works, what the dynamic is there and sort of how that pulls through to your business?

Yes. I mean -- so the Hugging Face partnership is very unique in the sense that we look at the hugging face organization is similar to an NPM repository. They are just a repository for large language models. Now that relationship, I think, has been around. I think we've been working with them for about 1.5 years, but it's evolved even in that time. Initially, it was having the interface to bring in the open models like a Facebook, Llama 4 or such Hugging Face into my organization and start to make it proprietary. The problem being about a year ago, Hugging Face had some other vendors doing some security work for that repository. And that particular vendor told them, 90% of these models are vulnerable. You're going to have to shut this. We're going to have to pump the brakes here. They asked us to come in and secure that repository, and we said, no, that's not the case, everything is okay. And so that will also correlate I would think to what Ed and I have talked about that around the time that we began to secure the repository and say, "Hey, no, guys, it's safe". You started to see an increase in the downloads of Hugging Face packages. I don't know if there's a correlation, but there's some time in there in terms of the timing and such. And so for us, it's not a revenue generator per se. It's a community engagement in the large language community. And we allow for the securing of that repository so you know that what you're working with from that repository is secure, but then the interface allows you to move back and forth, updates of those models as you bring in and out of the organization.

I think it's a very important point that Jeff brought up. This is not a revenue-generating partnership. It is a community trust and so once you have that trust that the models are secure, then they feel comfortable to pull those into JFrog. It's an intangible benefit. Once you pull these models in, these models are very large models. And as you move those through your software supply chain, that's generating traffic for JFrog and we should benefit off of that traffic.

I said earlier, I mean it just ties back into the two gating factors. I think we're all waiting for when the floodgates open. And I think the floodgates are still holding back right now due to cost predictability and security. And security of large language models and what I'm bringing in the organization or if I'm even advanced enough to be using [ MCP ] servers to interface with other companies and share data to help train their models as well. So I think that those are two remaining gating factors, I think, that are holding back this kind of flood of adoption of AI development. .

Got it. Got it. Maybe just a related topic on a different integration you announced was the ServiceNow integration, I kind of stood out to me as an interesting growth angle. I don't think people like investors traditionally think about you guys as being sort of partners are sort of integrated. And so maybe you could just talk through, should maybe any early wins there, the dynamic behind that integration.

Let me take that. Yes. Well, we love to use the phrase to integrated to fail, that we are integrated with almost all the tools in the software supply chain. I think as it relates to the ServiceNow announcement, and it relates primarily to AppTrust. It's us helping the ops organization do their job, as Ed alluded to earlier, something that's being done on a spreadsheet today or I'll just sign DocuSign and say it's safe. Now I can interface with JFrog Artifactory, through the ServiceNow platform and know that each of the gates that needed to be achieved has, in fact, they achieved. I have a record of that. So when things go sideways, I can go back and find that information quickly through my interface with the ServiceNow and Artifactory platforms. And so we do think that there could be more to come from that. We're very excited about working with ServiceNow. But we think what it does is it helps to continue because where we've sat obviously, is between developers and operations. And so we're now continuing to serve the operations side and bringing more integration into the platform for the operations side of software development.

Got it. Got it. I guess maybe just shifting gears to sort of the dynamic between GitHub and GitLab and you guys sort of where you sit within the ecosystem. I mean how has that relationship evolved? I know you guys have invested heavily in the GitHub integration, deprecated pipelines, right? And I think that's kind of brought closer to GitHub. So maybe you could just talk through sort of the competitive dynamic or the relationship there.

Yes. So I think that when I got here over 4 years ago, it was -- the [ Git ] are going to walk right and just mud stomp JFrog because binaries are just something you do and everybody can do it. And what we've seen is that there's actually been a change to where we're seeing the machines move less now. And I think that what has changed for us, and I think Shlomi would say the same thing, is that when we first announced the integration with GitHub, it started to change the dynamics, not only in the industry, but I think, amongst investors as well that there were defined lines within software development. And that GitHub was the best of breed in source code. JFrog is the best of breed and binaries, and those are two separate parts of software development. There's going to be a best of breed and observability at some point, who that may be, I don't know, but that seems likely as well. And so I think that there's always a misconception that we were competing directly with those guys. And realistically, we really don't see them in presale activity at all. And so that wasn't a competitive alternative that customers were really using in an enterprise level deployment we're looking at, let's say, a [ Git ] versus JFrog for binary management. That wasn't the case. And so I think that there's the competitive differentiation has been illuminated since we've been working closer with GitHub and you continue to see more and more engineering coming out of that relationship even at swampUP as we announced here in early September.

Yes. No, I mean, it seems like the sort of fear that GitHub one day is in a wake up and try and build an artifact repository, just isn't -- that's been a sort of fear for a long time, has it come to form.

It hasn't come yet. And I'm not going to sit here on a stage and say that if Microsoft somehow integrates GitHub and [ Bayside ] one day wake up and say, Satya says, today is the day we're taking binaries. I mean it's a big budget to fight. But I think that they've seen -- I think if you were just a GitHub universe about a month or so ago, they're not raising a white flag and saying binaries are JFrog biting me. But I think the overall topic that was being discussed, I want to GitHub employees was that we realized that JFrog does binaries very well. and that allows us to focus on our core market source code.

Got it. Maybe just shifting gears to security. At least in my own customer conversations, curation has sort of been the biggest standout where I've heard the most traction. Maybe you could just speak to sort of where within the securities suite you're seeing the most pull-through where you think there's still room to grow and sort of the biggest growth vectors there.

Yes. So historically, we've seen about a 50-50 split between advanced security, JFrog Advanced Security and Curation. And that's kind of how the pipeline was built over the last 4 or 5 quarters since we've really gone pedal to the metal with security. But over the last quarter or so, we're starting to see this groundswell being driven by the NPM events, and it's really around curation. There's no competitive alternative when it comes to curation. We're very well positioned, and I think customers are now recognizing that they need to protect the castle. And the best way to do that is through curation. This allows you to curate what comes into your organization. So the NPM event certainly opened the eyes of the customer, and we're starting to see demand being driven there in the pipeline. I also want to highlight, though, that this demand, we're still trying to see if the budgets are available. So we're hearing, yes, this is a very cool product. We want this, but we're getting a little bit of the straight arm saying, I don't have the budget yet, so I need to work with the office of the CFO, procurement, make sure that I can align the budget. And assuming that we can get prioritization around budget, I think curation could be a really good growth driver for JFrog in the future.

I guess when you think about sort of the -- where that growth is actually coming from, like how much is sort of consolidation of stand-alone DevSecOp vendors? Because it does seem like at least in my own customer conversations, those guys are under a little bit of pressure to sort of consolidate away from them towards a platform like JFrog maybe how much is coming from sort of platform consolidation versus different growth driver?

Yes. So the platform consolidation or vendor consolidation is really -- it's been a discussion for the last 2 years. and we see it as an opportunity. This is the reason why we brought advanced security into the market because it's consolidating 6, 7-point solutions. But we also know that you have a budget today that you're utilizing on these point solutions. We need to take that budget and we need to consolidate that onto JFrog. And that's not always the easiest thing to do. You have tools that are working. You have an organization that tends to be very conservative, the CISO and the CIO and to rip and replace a tool or multiple tools is not always easy. This is why we're seeing customers take 3-year opportunities in security. They build a road map to replace maybe 1 or 2-point solutions in year 1, then a few more in year 2 and hopefully replace all of them in year 3. Today, we see 1 or 2-point solutions being replaced. Typically, it's infrastructure as code. Secrets detection, those tend to be the two. And contextual analysis as well, maybe three that we see customers adopting on the JFrog Advanced Security and replacing right now on the point solutions.

Got it. Got it. Maybe just switching gears to go-to-market. When we think about sort of the usage above minimum commit, which is sort of been a key part of how you guys guide and a key part of the go-to-market strategy right is attacking those customers that have usage over the minimum commit. So maybe you could just talk through sort of the trend you're seeing there in that usage above minimum commit. What has been the biggest driver? And how are you architecting the go-to-market to go and get those guys on over term commence?

Yes. Again, I'll say that the driver of the usage over the minimum commit is conventional package types. So this is going to be your doctors, your NPM and your Maven. It's not necessarily AI workloads yet. We're all waiting for that to happen. I know everybody here in the room, and it's great to see a packed room, is excited about what's happening in AI. We're still very, very early, and we're not a company that's going to give you a bunch of fluff saying I have a huge amount of growth coming from AI we're prepared to take that market, that there's no doubt about it. But again, we see this from conventional package types. We work very, very closely with the customer. We align their demand with -- and their needs with long-term commitments. Now we're seeing multiyear commitments and making sure that they have the opportunity to flex up and down as they need by taking a minimum commitment with JFrog. We also know that the sales organization, they're motivated to ensure that they're landing the biggest and best opportunity for both JFrog and the customer, but we also know that we don't want to put them in a package that's going to be too large, and then we start to see churn. So having usage over the minimum commit is not bad for JFrog. We actually see this as an opportunity to go back to the customer and further expand their opportunities in the future. Our sales organization is not incentivized based on usage over the minimum commit. They're incentivized on commitments. So they have an opportunity to go there based on driving usage over the minimum commit and converting that to a higher commitment in the future, and they'll be incentivized based on doing that.

Got it. Maybe just one to wrap it up, high-level question. I think I've been surprised, and I think most investors have been surprised at the durability of the competitive moat around the core Artifactory business as the DevOps space, in general, has gotten more competitive. So maybe just longer term, as you think out over the next several years, how do you think about sort of the investments you're making to maintain that competitive moat over the next couple of years?

It's a very good question, and we're always looking around the corner and who's coming after our market because binaries several years ago, there wasn't as much interest today. Everybody is recognizing that binary is the key to software updates. So for us, it's a continuation of expanding the platform. So [ DevGovOps ] is one example. The JFrog ML opportunity and as well as security. Having all of those, we're the only company in the world today that offers not only DevOps, but DevSecOps, MLOps and now DevGovOps. And as long as you continue to widen that moat and continue to add new technology to the platform, we believe we'll have a competitive advantage over anybody.

SP1 Yes. And I know we're at time. I'll keep it tight. It's a Lego strategy, right? DevOps is your first Lego, then you start stacking value on top of that to retain the customer because you continue to add value at their infrastructure layer solution. Awesome. Thank you guys so much for being here. .

Thank you for having us.