JFrog Ltd. (FROG) Earnings Call Transcript & Summary
December 10, 2025
Earnings Call Speaker Segments
Eamon Coughlin
Analysts
Hi, everyone. Welcome to the Barclays 2025 TMT Conference. I'm Eamon Coughlin, software research analyst here at Barclays. Very excited to have Jeff Schreiner, Head of Investor Relations at JFrog. Thanks for being here, Jeff.
Jeffrey Schreiner
Executives
Thank you. Thank you for having us.
Eamon Coughlin
Analysts
I guess just to set the stage, JFrog has been quite an incredible story for 2025. I guess set the stage for anyone in the room that maybe is new to the story, like how has the year been? What are the key takeaways for you? What have been the key drivers for growth acceleration throughout the year? Anything maybe you'd point out?
Jeffrey Schreiner
Executives
Yes. So I think as it relates to JFrog and '25, it certainly, as it relates to the stock price and certainly the execution we've been able to deliver has been quite strong. And those are all great things that coincide with one another. I think that when you look at '25, it's been somewhat unique for us as relative to the last few years, where within our cloud business, there's 2 ways in which we can really grow. There's either migration or consumption. And over the last 2 years in '23 and '24, it was very heavily weighted to winning a few big deals to make the year related to very large customer migration activity. Whereas in '25, what we've seen is we've seen much more of a consumption-driven contribution to revenue. There we go. Technical aspects solved. All right. Now you guys can hear me better. But -- so I think that the drivers this year have been different than the drivers we've seen in the past. Migrations have played some role, but not the role of the magnitude that we saw, let's say, in Q3 of last year, where the 3 biggest deals in the company's history were signed and then the full value of those recognized in Q4. This year has been a year of increasing consumption as our customers look and experiment with AI and ML and also are starting in our view to experiment with the use of coding assistant tools, which then use more of the traditional type of open source packages. And the fact that we're seeing a strong interest and adoption in a lot of our security offerings. And as we've moved through the year, and I'm sure we'll talk about some incidents that happened in the industry. But as of a recent industry attack on a repository has generated a significant amount of interest in one of our security products to protect those organizations.
Eamon Coughlin
Analysts
I guess just unpacking there's a lot to unpack there. But as you think about like the right pricing model for some of the influx of demand that you're seeing from your customer base, is consumption the right pricing model? Is it more -- I don't know if there's like a server model that you may move to across your platform. But I guess how do you think about that going forward?
Jeffrey Schreiner
Executives
Yes. So today, JFrog monetizes in 2 ways. So we have self-managed or self-hosted in which you're having a team of IT professionals manage your software development organization, which is probably on the cloud, but you're managing that or there's our cloud offering in which you're turning that management over to JFrog and putting that stuff into our cloud. And as it relates to the monetization of each of those methodologies in the cloud, it's based on data transfer or consumption of the data package that you commit to JFrog in which you get a pricing benefit for doing so. In self-hosted, it's based on an incremental server, generally project-based to where I take that server. I've now increased my usage or increased the development team, so I need another new server. In the world of AI and ML, we found that, obviously, a seat-based model may not work. We've seen the head count reductions talked about. Obviously, there's a lot of bugaboo concern. I think this year for some of those more exposed to seat-based models. We know the consumption works for JFrog in the sense that if you're now using JFrog and your cloud consumption contract and move large language models that can be 10x the size of packages you move before, you're quickly starting to consume at a higher rate, the amount of data consumption that you've committed to JFrog. So I think it's begun a discussion, at least an initial sense, there's nothing that JFrog is going to lead, but I think in an initial sense, there may be a discussion amongst the titans of the industry, the hyperscalers that is there another way, and we could go 100 different variables with what that may be of monetizing the AI/ML world that may not be consumption based. But that's to be determined. It's something that will be discussed. And I think what JFrog will do is look to how the industry handles any changes and try to tailor that model to our own model.
Eamon Coughlin
Analysts
Absolutely. I think over time, especially over the last 3 quarters, you've seen that increased commitment from some of the overages from consumption. Can you just walk through maybe how you saw those overages in 1Q, 2Q, 3Q? How they play throughout the year and how they might impact the fourth quarter?
Jeffrey Schreiner
Executives
Sure. So as you noted, we get the benefit typically if you are a customer, you come to us and the benefit to JFrog versus working with other maybe consumption model guys out there that are pure consumption based. You're coming to us and you're committing to a usage level in which that we will then give you a better pricing mechanism for the more consumption you commit to. And of that commitment, you are ratably recognizing that on a, let's say, if it's a 12-month contract to be quite simple to use round numbers for everyone here, if I have a $1.2 million contract with customer X, I'm ratably recognizing that at about $100,000 a month until they use above that commitment. Now this use it or lose it mechanism that Eamon is talking about tends to be the fact that I'm committing to you annually for, let's say, 10 petabytes. But then that's recognized on a use it or lose it basis each month. And so to the extent that I start to accelerate my usage and go over commitment, I start to pay a penalty rate that can be somewhere anywhere between 20% to 25% higher than the negotiated rate that you may have with JFrog and what that leads to is as you're building into that, we certainly try to approach you and engage with you to say, hey, look, your usage is starting to climb, good for you. We hope things are working well with the organization. But you may want to look at upping your commitment with JFrog. And so you can see aspects that happened where Q1, we saw strong usage that we felt was really driven from experimentation of AI and ML. The reason we say that is we saw a strong increase off a small base in packages such as Hugging Face and PyPI and Conda. Q2, the usage kind of flattened out, but the benefit was that we captured some of that over usage into higher committed contracts from some of those customers.
In Q3, we saw an influx now again in usage and the revenue generation that it delivered, but we haven't yet been able to reflect the benefit of what we may be able to do in signing higher committed contracts which once those are signed, then they have become something in our CRPO, whereas the overusage is just recognized in revenue and is not something that's captured in CRPO.
Eamon Coughlin
Analysts
So a little bit of a lag?
Jeffrey Schreiner
Executives
It can be. Yes. It can be a quarter or 2 quarters. It also ties very well with where you are in your renewal cycle. With the resources we have, we typically talk about the fact that we go after the guys that are 3, 6, maybe 9 months at the longest away from their renewal who may be over users because they are most likely the ones to be most acquiescent to say, yes, okay, I see I'm overusing. I have a vision that I'm going to continue using at this level or higher. Let's go ahead and renegotiate.
Eamon Coughlin
Analysts
Let's take a step back at something you said earlier. Just understanding like why JFrog has a right to win in security. And then maybe some of the recent news with the NPM attack. Maybe just dive into the first question and then some of the takeaways that you have from the recent NPM attack.
Jeffrey Schreiner
Executives
Sure. So security was something that is new to JFrog. Last year was the first year that we disclosed the contribution from security, and it was really the first year that we saw really meaningful acceleration of that product. And that was a product brought about by an acquisition that was done in 2021. Then initially when done, I think the Street had looked at it kind of skeptically saying, at that time, hey, you're a DevOps company, they're security companies. Why don't you just stay in DevOps and didn't see the vision we saw that eventually the world was going to be much more based on core platforms and core assets that they needed to be secured. And that's the reason we feel the reason that we have the right to win, let's say, in security and as it relates really to the security of the software supply chain and binaries is because we are the core manager of that asset. It's what we do, it's all we do. And so when you are a CISO and you've brought on all these disparate point solutions to possibly protect your software supply chain in your development organization. You've got many disparate databases that are all signaling different vulnerabilities for you. You're almost frozen in place as to what to do. With JFrog, what you're able to do is consolidate the 7 of those tools within the technologies we offer, into 1 solution. And if you combine it with our relationship with GitHub and utilize their GitHub Advanced Security for, let's say, source code and static code analysis, you basically can take 7 to 10 tools consolidated it to 2, but you as the customer looks as if I'm using only 1 tool. There's 1 pane of glass in which I can interface all and receive vulnerabilities and remediate those vulnerabilities. So I think the uniqueness that we have bought and shown that we do have a right to win after the numbers we disclosed in '24, which was 3% of revenue, 5% of ARR, 12% of RPO. And we'll update those again here as we report 2025.
We've shown that there is a real interest for the products that we do. And I think alluding into and transferring to your question about NPM and the impact that security's had for us there. There's been a recent coordinated attack, a very malicious attack that has had various multiple attacks over the last 2 months that began in August 28 of this year. And that was a hack of the NPM package, which is if you look at our website, at jfrog.com, we have a report called the State of the Union. I think we released it about midyear and we tell you in there a lot about what's going on with the binaries and we show you what are the most used programming languages amongst our customers and Artifactory. And NPM is 1 of the top 3 open source programming languages. So this group who must be very sophisticated, how they've developed and orchestrated this attack went after one of the leading packages out there utilized by enterprises and organizations to build software today. And they did so that created a very fear-based or fear-driven want for customers to look at one of our security products in general, and that product is curation. And the reason that is, is because curation is essentially a firewall for your software development organization. It's a centralized policy and where I, as a CISO, can set a centralized policy for that product to say, I will only interface with these repositories and these packages. And so curation is actively managing and scanning those repositories and looking for any discrepancies or vulnerabilities that may be introduced into those to protect the organization. And since this NPM event which, again, it started out as more of a basic attack where they were targeting specific repositories and looking just to steal to moving now towards the one that happened in the end of closer to Thanksgiving adjusting that attack to be random to any repository.
And if there's nothing to steal, wipe everything out, it's got a fear-driven demand in our pipeline growing for our curation product. Now that being said, that demand is certainly growing, and we're excited about that, but there's a need for our customers to find budget. And I think that's the challenge that we're hearing as a pushback from our customers. I really want it but I need to find budget because many of these customers had committed to their organization and this was a product that they may, in fact, deploy in the second half of '26. We, in fact, had a customer, a large financial services company that was scheduled to deploy in Q2 or Q3 of next year, closed in 2 weeks in Q3 because of this NPM event and the need that they felt the curation brought to them. And so I would say, when you look at our security product and where it's gone, since introduction, deployment and pipeline has probably been 50-50 between our advanced security which is kind of protecting the inside of the castle and looking for good citizens gone bad and curation, the firewall or the wall around the castle, keeping the savages out, it is about 50-50 in terms of deployment of pipeline. I think post NPM in September, it's substantially much more weighted to curation today.
Eamon Coughlin
Analysts
And that's incredible. And when you're thinking about some of these customer base, like are they using security today for their binary management? Or are they not using any tool at all? Or like...
Jeffrey Schreiner
Executives
Everyone has security.
Eamon Coughlin
Analysts
Are you displacing another tool that maybe is not strong enough to handle the NPM attack?
Jeffrey Schreiner
Executives
As it relates to NPM and that attack, curation has no alternative. There was not an alternative to curation. It was a product that we developed at the behest of some of our customers, because why was it created originally? It was created because I, as an organization did binaries in 1 of 2 ways. I either brought in everything and scanned them through Xray and knew what was malicious and what wasn't malicious and then went from there or in some of these large financial institutions, I allowed nothing in. And the developer had to make an application to have this package approved and hope it was approved by the time the software that he was building was done. And they came to us and said, hey, it would be great if we could have some type of centralized control over what packages are brought in organization. And the other thing I'm kind of alluding to you guys that you should watch curation for is the fact that as code quality starts to get better from these coding assistants. And I think there was some impact from that, I can't point to it or show you what code was created by a machine or a human. But I think we know publicly some of our customers are starting to experiment in utilizing these coding assistants. If I want to start turning the machines more free in my organization, curation is certainly a step I need to go in because at that point then, I have curation. It's integrated with my IDE station, GitHub. It's integrated with AI catalog in Artifactory. And I know that to the extent the machine is building, it's only going to be building with packages that I allowed into the organization.
Eamon Coughlin
Analysts
Interesting. Yes. We recently hosted a call with the CEO of Sonar, code quality tool. Is that -- I mean, obviously, there's a key difference between like code security and code quality. Would that ever be an interesting aspect of expansion for JFrog?
Jeffrey Schreiner
Executives
We -- one of the technologies that we offer in our advanced security is static code analysis, the SAST technology, which is generally a source code based security. That being said, I think that our chops are still much more binary based. And in the relationship we have with GitHub, we're not conceding anything. But certainly, when 80% of our customers use GitHub and JFrog the easier lift, and I don't have -- Ed doesn't have a [ contra ] account to basically make this as a revenue equation, right? But the easier lift is to say, hey, Jose, so replace all these tools with GitHub and JFrog security and let GitHub do what it does really well in source code and let JFrog do what it does really well in binaries. And I think you heard something similar to that out of GitHub Universe over the last few weeks where the GitHub employees, by no means are waving any white flag publicly to say that we've conceded binaries to JFrog. But I think there were rumblings if you were there and you were attending and speaking to those individuals that we recognize that JFrog is, in fact, a binary expert and does those very well, which allows us to turn focus on the business that we do, which is source code.
Eamon Coughlin
Analysts
Yes. No, actually, I was there, too, and that's the thing I heard. I guess just going back to swamp up. There was a time of announcements at the conference, like definitely one of the more exciting conferences and swamp ups in JFrog's history. Maybe can you just walk through some of those announcements. So JFrog Fly, I thought was really interesting and diving to the SMB customer base, which is a little bit absent from enterprise Q historically and then maybe AppTrust and then AI catalog, maybe what could that drive in 2026? Obviously, still early on, in this customer journey with some of these products, but how do we think about some of the motions with each of those products?
Jeffrey Schreiner
Executives
Yes. No, thanks for bringing that up. I mean, I think it was a very successful swamp up. I mean let's start with Fly, where there's been a lot of questions about it. But there's -- I think that's probably the furthest from revenue contribution. And what is Fly? Fly is something that we're creating so that we can better understand software development in the Agentic world. And what we mean by that is that you could now -- binaries are for companies that have very complex software development organization that become a pain point. But you could become a very -- excuse me, got a little frog on my throat. But you could very much become a complex development organization as an Agentic firm, a firm that is a start-up last year with 50 guys. That could be a startup now with 2 guys in 48 machines in the future in the world of Agentic AI. And what we want to understand is how they're utilizing interfacing with Artifactory, open source packages, are they complex in nature but only using a few programming languages. So an Artifactory light that could be tied with Fly is the right method forward. I think what Fly is going to do for us is to have real-world deployments, real-world kind of knowledge about how to handle some of these agentic capabilities and then bring them into the enterprise and say, look, we've already done this with this customer over here. In what you're talking about trying to do, let us bring in help it to you and bring it into the Enterprise+ program. Maybe later, a few years down the road, there may be some way to monetize that as an add-on or something additional to the JFrog platform. I think that, as you know, the biggest thing that got back to me even and not being able to swamp up this year, but was AppTrust and that after that presentation, the customer feedback that many of you heard in speaking with our customers about that DevGovOps product, right?
It's now bringing the operations organization into the JFrog platform and putting inside the development process the checks to know that each of these gates have in fact been completed and that there's a digital record of that, not the way it's done today manually through Excel or yes, I think it's good enough. So even let me sign that DocuSign and say it's good enough. As it relates to AI catalog, that's -- you heard me talk about that earlier. Why is that important? That's going to be very important for large language models and software development in general because that's your Wikipedia of binaries. So that's an area I talked about where you integrate curation and co-piloted maybe that could be other coding assistants in the future. And that's integrated into your CI/CD flow. You're able to go into a catalog and say, okay, here's my build. What were the last 5 builds. Okay, this is the package that I was using. And so now going to Artifactory and grab that package. So basically, AI catalog is the world exploding in terms of the volume of packages used and code creation is going to give you a constant evolving database of what is going on in the world of open source packages. So as you do move to more of a machine-generated type code generation, this machine will have a database of which to go back and check. What is this package? What was it used for? How have we used it in the past? Is that applicable to the application I'm building today?
Eamon Coughlin
Analysts
To my knowledge, there's no other company innovating on those types of products today. Like how should we think about the initial pipeline generation that you've seen? And then particularly for AppTrust and AI catalog, how should we think about the pricing and monetization aspect of that?
Jeffrey Schreiner
Executives
Yes, good question. We'd love your feedback on that because those are things that we're still working on right now, better trying to understand how we, in fact, monetize AppTrust to generate this groundswell that seems to be growing post-swamp up for this product given there really wasn't a product such as this AppTrust product. I don't know that it's going to be a major contributor to '26. I don't think AI catalog is either. I still see '26 being very similar to the fact that as long as we continue to execute, I think the drivers remain somewhat constant. We are in a very fast-changing world. Things could evolve in a quarter or 2. But as we sit here today, I think it's going to be much more consumption-driven if we're moving more to co-development through coding assistants and the adoption of our security.
Eamon Coughlin
Analysts
Got it. Yes. I mean I think as you think about the future, maybe the next 18 to 24 months, how might that growth levers look like compared to maybe the first 3 months of this year. They were primarily driven by, I guess, security commitment above -- use above your commitment and then maybe some larger deals. Like any change in momentum that you expect for?
Jeffrey Schreiner
Executives
No. I think we chug along, and I came up with this, and it may be just basic, but it's our LEGO strategy, right, where you have the base platform as your core LEGO, and now you're adding on to those LEGOs to add not only new incremental revenue opportunities for JFrog, but value to the customer and incremental value to retention for us as well. So I can add on security. I can add on AppTrust. I may take MLOps out of the subscription at some point in the future and monetize that separate as an add-on. I might do that with Fly. So I think what we're trying to do is constantly evolve and become more to our customers than just the basic infrastructure level. The way that you retain and keep customers and maintain a gross retention rate of 97% like we do, is you are that core plumbing but you want to make sure there's no reason that they ever want to look to replace you because you continue to add value each year with new technology that you add to that platform.
Eamon Coughlin
Analysts
Is that platform has been like a key driver of the strong retention that you're not just the binary management product security aspect is scanning, there's vulnerability management. Like is that the key aspect, the architectural moat that I think we talk a lot with JFrog compared to something like a lab package or even like the package of offering that GitHub has or even like a Sonatype.
Jeffrey Schreiner
Executives
I think it is. And the reason I say that is, even you know us, I mean, three years ago, it was a totally different sale process. We were selling new Artifactory into a group, and that's how the industry kind of was purchasing things to where now we had seen this evolving nature turning to a platform of the key aspects of software delivery, source code, binaries, observability run time. And I think now the difference in buying and you see it. In Q3, we landed a new oil and gas logo customer that was a 7-figure land that is a whole new world for us. And why was that? Because when customers start to buy on platforms, they already kind of have an idea of who the leaders are in each of those sectors. And they know that they're going to likely need to commit and use those leaders and they're willing to commit at a bigger land than they would have when it was a JFrog Artifactory product that I'm testing out in my group to demonstrate that it offers productivity gains -- and that's kind of what I'm buying is a product versus now I'm buying a platform. And what does platforms also done? It's recognized that you're the leader, so I'm willing to sign a 3-year deal with you as well. That has incremental step-ups for the use of either developers in terms of the seat count for security or my commitment to consumption in the cloud. That's what happens when you start centralizing on platforms and consolidating these point solutions.
Eamon Coughlin
Analysts
Story for JFrog in the last 12 months. I guess just thinking about some of the recent momentum with like becoming a repository of record. I think you mentioned this week like 3 out of 5 of the big native companies, customers of JFrog. Can you just talk a little bit about that sale what they're adopting initially. I know that 1 of the customers doubled their license with JFrog in 2Q after signing in 1Q. I guess, just talk about that sale a little bit.
Jeffrey Schreiner
Executives
Yes. So I'll quickly try to cover that here in the time we have. And yes, we do have 3 of the 5 kind of native AI foundational model type companies that you all know as customers. I tend to say that, one, people ask me now about the other 2, where I don't think I have as much visibility as to where they're headed and that's something for me to go back and speak with the team about it a little bit more. But I think one is obviously led to much more excitement and interest within not only in the investor group, but certainly with what they brought to JFrog and what they're looking to do. And that particular native AI customer had tried originally to build something Artifactory like on their own and failed. And thus, we didn't even know that they would be an opportunity and approached us in January and started talking to us about what their vision was of where they wanted to drive what they were going to do and how they would use Artifactory. And the nerds inside JFrog started hip hopping around across the lily pads because of all the new exciting things that these guys were talking about doing with Artifactory. And it was very unique in nature. And we see these guys which, ironically, a lot of these native AI guys for other people are in the cloud. For us, it's a self-hosted deployment because the ultimate goal for this customer is to build their own data center. And if we're able to continue on and keep winning and prove out that we are, in fact, the model registry of choice for them, building a model as a service type offering to where they will maintain how secure and constantly train and update thousands of large language models which will then be utilized by other corporations in kind of a build versus buy scenario in which I may take a few of their models because those models work very well in writing the source code from my organization. And those models will be trained constantly.
And what's the core aspect there is JFrog Artifactory, keeping track of every change, every update, every movement, every security aspect. So when things go wrong, where am I going to go? I'm going to go directly to Artifactory to see if I'm at risk.
Eamon Coughlin
Analysts
A few minutes we have left, the upcoming 2026 guide, recently got 4Q can you just help us understand maybe how you're thinking about with all this momentum, how you're thinking about your guidance philosophy? I know your guidance has changed over the last 6 quarters to not guide above use commitments. And then that includes some of the large cloud migrations. Will that continue? Any color maybe you can provide for that coming guide?
Jeffrey Schreiner
Executives
Yes, sure. No, you did a great job on the interlude there in terms of Yes. I think that what we have found to be beneficial for us is that, and Ed kind of taking hold of the guidance philosophy and making it his own as he took the reins in '24 as the CFO of the company, is that guiding to commit is what we really have the core visibility to because in our usage-based model, you could go over, but you could say, hey, I still bought the right amount of cloud. We just had a new project or in this case, the NPM hack. And that caused me to go over. I'll pay the overage JFrog, but then I'm going to go back to my minimum commit. And so that's why it's very hard for us to try to predict usage, not to mention that there's a disconnect between the procurement team negotiating the contract, the developer doing what he's told in just developing and consuming the consumption. There's no real correlation between all of those groups and what's going on. So we think the best way to guide you guys now is to guide you on what we have signed or committed in contracts. And you saw us talk about a floor as it relates to our net dollar retention of 116%. We're at 118%. Why would you say 116%? Well, 116% gives you an idea of the fact of what the business looks like if we have no overusage and no real uptake of incremental security. 118% is a year of 2025, in which we benefited from strong security adoption and strong consumption trends. Now as we guide '26, those strong consumption trends may, in fact, continue. And this is a debate I have with investors sometimes. But it's not something that we're going to forecast. We are going to continue to stay towards the commitments. And to the extent that we think that there's opportunities, then deliver upside through overages.
Eamon Coughlin
Analysts
Jeff, thanks for being here. As Shlomi said, may the frog be with you. Thank you.
Jeffrey Schreiner
Executives
Thank you for having me. Good to see you.