JFrog Ltd. (FROG) Earnings Call Transcript & Summary

All right, getting towards lunch time. Hopefully, people are grabbing some food. We're on with -- we're continuing the TMT Conference, and we're super happy to have the management team of JFrog. JFrog has been at our conference almost every year that since you guys have been public. We have Chief Executive Officer, Shlomi Ben Haim; and Chief Financial Officer, Ed Grabscheid. Ed, so let me thank you again for coming back to the TMT conference.

Thank you for having us.

Thank you for having us.

Awesome. Before we get -- so much to talk about when it comes to the JFrog story. Before we get there, for important disclosures, please see the Morgan Stanley research disclosure website at www.morganstanley.com/researchdisclosures.

With that, let's kick off the conversation around JFrog, and maybe to level set, Shlomi, we're out of time in software. There's a lot of uncertainty. And so I think people are coming -- investors are coming back to doing first principles analysis on what these software companies are, how do they create value. And so from your perspective, can you just walk me through the problems JFrog solves for its customers and why the company is adopted by more than 90% of the Fortune 500?

Yes. So great being here again, Sanjit. I think that what we are seeing in this evolving market is the adoption of the trust layer of software supply chain. That's the main reason behind everything, whether it's AI dreaming or development-driven, and JFrog provides exactly that. In the world of software supply chain management, you need a very strong system of record, in order to enforce security, in order to enforce governance, in order to make sure that what you distribute is also safe, in order to enable automation, in order to have universality of tools and universality of packages. And JFrog is the company that govern that with one primary asset in mind, managing your binaries. And binaries are the outcome of whatever source code developers or agents are writing. This is where JFrog is being more appreciated.

Awesome. In your messaging for years, you've been clear that JFrog serves as the system of record, single source of truth for binaries. And increasingly, I think the goal is to become play that same role for AI artifacts and AI models. What's the important -- what's the most important shift in how customers are using you that makes that framing truer today than maybe a year ago? So looking at that shift between containers, managing containers to AI models. I'm sure it's pretty early, but just any -- what's sort of the tea leaves that you're reading from that perspective?

Well, when customers are choosing JFrog platform, they are looking at different aspects. They are looking at the aspect of securing the one system effect or the single source of truth that every artifact, every binary, every software package that comes in and comes out, comes from the same place that was clean, blessed by the organization policy and whatever compliance will they enforce. The second thing that they are looking at is the security layer, not only how do I secure this system of record, how do I secure this vault of binaries but also what do I put at the gate between my organization and the entire open source Wild West. What do I put outside of Artifactory when I'm distributing binaries because as you all know, the only asset in your deployment environment, in your on-time environment is again binaries. And also what our customers are telling us is that what we see lately in the last years is software supply chain attack. It's not source code attack. Hackers and attackers are not after your source code anymore, not necessarily coming from public hub, but they are attacking the binary. So the threats in the market is also different. So when you think about why customers will adopt JFrog platform, it's because of the system of record, because of the governance, because of the enforcement and because of the security at the gate and before the runtime environment.

Yes. Let's dive into that a little bit more, right? So just over a week ago, a code security solution was announced by one of the leading model providers. JFrog stock was down 20% in a single day. And so can you give us a sense where JFrog plays in terms of the software security supply chain? And do you find your sales in the crosshairs of where the model providers are going from a security perspective?

Yes. Well, so much happened since February 20. And it's just amazing to see, and we are also very excited to see how well AI is accepted and adopted and nobody see it as a trend. People understand that the world of software is different. But what specifically announced by Anthropic, I think you referred to, is that the code agent is now not just building the source for you but also securing it, meaning scanning for vulnerabilities. And not only scanning for vulnerabilities, but also offering you a fix. And not just offering you a fix, in one click of a button, you can co-fix and have a better source code, that's amazing. I think the impact that we saw in the market is the impact of those who confused source code security and binary security. And then the more sophisticated shareholders or analysts ask that, okay, you know what, we got it. You are binaries, they are source code. But what promised me that tomorrow AI becomes better and smarter, why AI would not become the system of record. And the answer -- first of all, I want to be honest. OpenAI just raised $110 billion. They have brilliant people. If they want to become JFrog, they can become JFrog. I don't think that there -- this is their core business. But when you think about source code scanning versus binaries protection, you have to go down to the core. The core is the system of record, the single source of truth you protect. Now why it's important? Because there is no one I hope in this crowd or anywhere else in the world to think that whatever company will have only one agent. You will have Anthropic, you will have OpenAI. You will have Copilot from Microsoft. You will have Gemini from Google. You will have a multi-code agents environment. So who's governing who. Unless you have a universal to integrate it to fail system of record that all of them are working with this same system of record. Now let's say that this is also done. What happened when you combine that, this 10%, maybe 15% of your code with the rest of the open source packages, the 90%, the NPM, the python, the containers from Docker, the Hugging Face model, what happened with them? Who protects you from combining them? That's a second question that also being sold in a universal solution like JFrog that set as your single source of truth. Third question, Anthropic generated with Cloud -- by the way, JFrog developers are using Copilot and cloud. Anthropic generated an amazing source code secured 10x better, created the binary out of it. Binaries pushed into Artifactory, great. Then OpenAI comes and use this binary and build the other source code with it and create another binary. Now you have a dependency, who's managing who. You must have the enforcement layer that's not just protecting the company from vulnerabilities, but also managing, orchestrating governance and security all the way from the creation to production throughout the software supply chain. And I'm happy to see that not only JFrog believe that some of our customers are those exactly native AI companies that are practicing the same.

Yes. That's a great point. I mean, as you know, I've been around for every single JFrog quarter, you and I met before the IPO. I mean, this just seems like another permutation of a classic question concern around JFrog. I mean, remember, it was Microsoft, right? Like why can't Microsoft do binary package management? And how that story resolved is strategic partnership, right? And so -- and we sort of point out that you guys have the leading model providers as customers as well. So I think -- when we think about the nuances of the debate, I think the next angle is if AI native companies don't outright replace JFrog, will it erode pricing power and pressure what has historically been a high-margin business? What's your view against the notion that AI significantly reduces the terminal value of incumbent software vendors like JFrog?

Yes, I think that what happened on this Friday, the 20th was that people started to ask questions about the terminal value, right? So we already saw that you guys know how security is going to look like. 2 years ago, 3 years ago, people ask us, would you be able to sell security? Will you be able to address the [ upseec ] and the CISO pain? We prove that, not only with what we delivered, but also with the ARR numbers we shared, with the RPO number we shared. We show the world what it means to have a holistic solution and not a point solution, covering your software supply chain. But the terminal value question is, okay, so I thought based on your success that it's 10%, maybe it's 3%. And now I have some fears that JFrog will be replaced. And from what -- from where I see it, and what I see, and it's simple math. Code agents are being adopted on an hourly basis. It's amazing to see how fast this innovation is being hugged by the industry. Code agents are not going to sleep. They are not going to eat. They are not taking PTOs. They are not going anywhere. They just create more and more and more source code. They build with more and more source code and create more binaries. This Tsunami of binaries, where will it land? Where will it land? Storage, maintenance, dependency maintenance, security, distribution. Where will it go? Now not only did JFrog is a universal solution, it's the Switzerland of agents. It's also the database of DevOps. These agents are also building with what you created yesterday and approved by the organization, and it's in Artifactory. Not only that, it's also a combination of open source and agents. So I think that from terminal value, the autonomous -- the more autonomous our world will become, the greater the need for governance and enforcement and rules that you will have to apply to make sure that your organization is secure. So we are very excited about it. I understand that the market is showing some feel or panic and it's on us to execute and to pull...

Awesome. To sort of wrap up this line of question, I wanted to bring Ed into the conversation. So on the -- post February 20 in the last week or so, you announced first ever $300 million share repurchase program. Why the decision to pull the trigger on the share repurchase? Will it go beyond just managing dilution? And what time frame are you considering to complete the program?

Well, thanks for the question. There's so many questions about technology. There's actual financials and fundamentals that go behind that. And part of the reason why we did this is not because we saw great value with where the share price was. But the fact that we continue to generate cash that we have strong fundamentals. We manage with discipline, we continue to generate cash. This gave us the flexibility to do that. Now what happened on February 20 with the stock declining at the rate that it did, we saw an opportunity to deploy capital and stabilize in a sense, putting a stake in the ground saying, we firmly believe in our ability to execute going forward. Therefore, we're doing a $300 million share buyback program. How long that program will be? It's open ended. We are certainly going to look at opportunities as it continues to present itself with a favorable share price and we'll build it accordingly. But the time will be determined based on the price, and we'll continue to keep a close eye on that, and we think it's a great use of capital.

Awesome. Maybe sticking with you, Ed. As we think about fiscal year '26 guidance, you guided total revenue 17%, 18%. The cloud business -- excuse me, between 30% and 32%. How should we think about the level of conservatism against what appears to be a more -- excuse me, constructive demand environment versus a year ago? And the security business is frankly also gaining more traction.

Yes. So the philosophy didn't change. In fact, the philosophy remains exactly the same in 2026 as it did in 2025. What happened in 2025 as we started to see usage over minimum commit, something we didn't see in 2024. And as we step into 2026, the sentiment is better. We see a better environment. We see momentum that's being built in usage, but the philosophy itself didn't change. So assuming that things continue to progress the way they did in 2025, we would expect to see better performance against what we guided and because of the usage over that minimum commit. We also see our cloud -- I'm sorry, our security, building momentum. And as long as we continue to convert those opportunities, we'll see an outperformance against the guidance that we provided. But the philosophy itself remains the same.

Can I ask one follow-up before, Shlomi and I talk more about where the market is headed. If I go back to like 2024, you guys won some really large migration opportunities that help business growth. The theme for 2025 was really customers using an excess of commitment, maybe less on the migration side. With respect to those 2 particular vectors, migrations and excess commitment, how do you see that? What's your initial hypothesis of how that plays out in 2026?

Yes. So our existing customer usage and expansion of those customers is going to outpace what we're seeing today in migration. So customers today from a migration perspective, the very large migrations are being paused. We still see it many customers moving and migrating from self-hosted to the cloud. That hasn't changed, but the magnitude of the dollars and the large projects, those are on pause. So most of the growth will come from expanding of those existing cloud customers, some smaller migrations from self-hosted to cloud. But in terms of the very large cloud migrations that we saw during 2024, right now, those are due to predictability questions and uncertainty that these emerging AI trends are driving. Those will most likely be on pause during 2026.

Understood. Okay. Good to understand the dynamics going into next year. Shlomi, I want to talk about where the software development cycle is headed and what role JFrog will play? So I think a lot of confusion when it comes to this space that I deal with all the time when talking to investors about this category is. Code is just one piece of the process of getting software into the hands of customers. What role will AI play in the broader software development cycle? And how will the role that JFrog plays change in an AI-powered AI agent software development life cycle?

Yes. Well, listen, if anyone in this conference or anywhere else in the world, will say that they know where AI will go. I think that it's a bit too early. So humbly, I will say that it's amazing to see how fast AI is doing exactly what they said that it will do and replacing kind of a human labor and simple tests. We will see developers -- first phase will be developers empowered by agents. And second phase will be developers moving from being players to being coaches. They will start to manage agents. And the third thing that we will see is that agents are having a full autonomous power, not only to build, but also to take it all the way to production. At JFrog, we are looking at this phase already. Because I think that the movement that we will see is more and more business will understand that B2B is over. You have to think about business to agent and how the agent will pick me as a vendor because of whatever I can provide. So that's our focus on our JFrog 2030, the next 5-year strategy is about this shift, but it will take time. And until then, we will see a growth of the asset, the primary asset that this agent will generate, which is the binary. JFrog is built for this scale from day 1, not only because of the hybrid and multi-cloud, the solution that we bid, but also the storage layers that we build that scale better than everyone. And how well we know this asset we call binaries. The third thing that we will see is that the security aspect will be different, and there will be much more kind of focus on enforcement and governance and making sure that no agent is doing crazy stuff. And this is, again, when you need the system of record. So when we are looking at the future, I think -- it's a simple math. You will see more binaries. You will see more requirement for universality and flexibility and faster adoption of AI technology. Now one last sentence, Sanjit. We also have to remember that with all of these good things that are coming, attackers and hackers are also going to embrace AI, okay? So the race and the pace of the attacker versus the organization will stay because there's no hacker that will say, I'm not using cloud or I'm not using OpenAI or I'm not using Gemini. The malicious side of software is also going to be more sophisticated. And we have to put some guardrails around shadow AI, where AI was used, how it was used, identify that, trace that, make sure that governance also comes with the right auditable signed artifact. So I can trust this and not just saying that someone check the box on it.

So that next evolution that you speak to often is something from going from DevOps, DevSecOps and DevOps, which is a very interesting point. I also wanted to get your take on this sort of structure of the market. And what I'm referring to is that I would say pre-pandemic, if you looked at the DevOps market, it was pretty fragmented, right? If you look at the Infinity Loop and overlaid all the vendor landscape, you probably count 50 different vendors. If there was -- coming out of the pandemic and moving to a higher rate environment, budget is a little bit tougher. We did see a move towards consolidation. You guys have been benefiting from that from the security side. The question is that do we consolidate further? And like some of the start-ups of the Silicon Valley kind of expressed this view of a invisible SDLC where all of the workflows get executed in a particular agenetic platform. What do you view -- like as we go into the area, do you think this is going to be a multiple vendor environment, a heterogeneous environment? Or is it going to be kind of a winner take all?

What a great question. JFrog was founded 15, 16 years ago before DevOps was even a phrase. We called it developers acceleration, automation, whatever. And then it got so well adopted, automation was so much required and became a domain. And then it was evolved to DevSecOps because DevOps build speed then developers became fast and dirty and everybody wanted security to be enforced. So DevSecOps came in. Now we spoke about governance and DevGovOps. And the evolution is there, and you see a lot of companies that are not here anymore. Where are all these pioneers, they were either acquired or left somewhere. And a lot of these tools became commoditized. Think about CICD. I remember that people told me that the CICD of the world will acquire JFrog. And think about containers. I remember that people told me the Docker is everywhere, and by the way, Docker is everywhere until today, even in AI, you use Docker. But where is the consolidation that everybody spoke about. We will not need universality of software packages. We would not need NPM may even go and Python because of Docker. And still, it happens. So what really to your question, what really got commoditized or what kind of commoditization makes sense. It's around an asset. And what we start to see, especially emphasized by AI is that the world is divided to two. Are you an infrastructure company or an application company? Infrastructure, thumps up, great. If you're an infrastructure, are you a platform or a point solution? If you are just a scanner of source code, done, you are out. There is no one in the IPO pipeline to say, I'm a point solution security anymore. It was just the reality 2, 3 years ago. So are your platform? Yes, I'm a platform, check, thumbs up. Next question. Are you a foundational platform, meaning do you have a source code? Do you have a system of record that you provide that you can build value on top of it? If you are a CRM system of record, you are probably Salesforce. If you are a finance system of record, you're probably Intuit. If you're HRIS system of record, you are probably Oracle ERP. In the world of software supply chain since binary are the primary asset, JFrog became the system of record, and this is how we are powering most of our customers. So you will see more consolidation around the system of records and not necessarily the solution because solution will be commoditized. And by the way, how easy it is to move from Copilot to cloud, from cloud to OpenAI, a matter of hours. How easy it is to move from your system of record? Impossible.

Yes. That's a great point. Let's get an update on the security business. Every Q4, at least for the last 2 quarters, you've given us some really great metrics. And so in terms of where the security business stands, in terms of ARR, we're up to 10% of ARR versus 5% last year. Security accounts for 16% of RPO versus 12% last year, and it's increasingly driving your larger deals. How should we think about the attach rate of the security business going forward with security incidents like with NPM and pipeline over the past couple of months? Do you see security now as a structural growth driver rather than driven by kind of onetime events?

Yes. So I can only look at the pipeline. And by the way, an anecdote, none of the opportunities in our pipeline, none of our wins in the past were due to static code analysis, which is the Anthropic announcement. But -- looking at the future, I'm looking at the pipeline, and we are very optimistic because there is a real use case there that is looking at JFrog as a holistic solution. Our customers are not just looking for secret detection, contextual analysis, binary scanning, container scanning, they are looking at the full software supply chain protection from the creation of the code all the way to the production. This is what we see in the pipeline. The other thing that we see is that the attackers moved completely to attack software supply chain. It happened with Log4j, as you mentioned, Sanjit, last quarter of 2025, NPM [ Saikulud ], in between MCP attack, Python attack, SolarWind attack, everything is software packages. Everything I just mentioned is a binary attack. Not only that, when you try to remediate with the software package, it's different than source code. You have to open it and to look at all the dependencies. So the value that JFrog now brings in terms of ROI, in terms of enforcement, in terms of governance, is very clear. And we also understand humbly that all of our customers had a security solution before JFrog, and migration in the world of security is not happening in a day. And we have patient and we trust our value, and we see the adoption growing. And this is why it was important for us not only to provide you with the revenue numbers, but also the RPO numbers and the ARR numbers.

I mean to that point, you mentioned in the past is trying to find new ways in terms of customers, helping customers find budget for the security add-ons? Can you give us an update on how you're solving for this? Are there incremental investments needed beyond the security overlay team and some of the incentives you're rolling out for the sales force?

Yes. What we see is a very, very intensive collaboration between the CIO and the CISO of the organization. It's already kind of a mixed budget of who owns what. And yes, there is an incremental -- it's a growing addressable market. And why is that? A, because attacker think different. So introducing you to a new world of threat. And the second thing is nobody that I know is willing to adopt AI without first having it secured, trusted and governed and that all fall under the security. So on the gateway, the firewall part, which is JFrog Curation, you want to make sure that everything that comes in is kind of blessed, approved. The passport control is approved by the organization policy. JFrog Curation is an innovative tool. There is one or two other companies in the world that suggest that. JFrog brought that together with Artifactory. The other companies, even if they have that, they have to integrate with Artifactory, like you put a gate before of what, before of your system record. This is JFrog. So when it comes from JFrog, it's clear. Now what happened inside Artifactory. There is a new set of risks that you have to mitigate. How do I make sure that agent didn't bring a GPL license from whoever or violating someone's IP that I will be sued. And the last piece is the distribution what goes to production. Again, binary, how do I make sure that what happened in AWS 2 months ago, Kroll an agent decided to be completely autonomous, push something to production, wiped out the entire region. These need to be governed and secured in a holistic way, and this is why the budgets are growing, but so is the life cycle. To be honest, we will not see it immediately. It's an adoption, education, enablement process. And we see a great horizon ahead.

That's great context. I wanted to talk a little bit about how investors should think about the growth equation for -- the basic growth equation for JFrog. I'll hand it over to you, Ed, to opine on. But essentially, what I found very interesting last year is that your $1 million customer cohort grew fantastically well. So I think up [ 49% ], 100,000 customers, up 15% year-over-year. Total customers account actually declined, and that's in part due to pruning some lowest ASP accounts. So with that context, you have an NRR that stands currently at 119%. As investors think about what kind of growth equation to underwrite for JFrog, how should we think about the contribution of growth coming from existing versus new customers?

Yes. I'll start with the strategy. Ed, if you want to add about the numbers and the ARR growth retention. Listen, we told you guys around 3 years ago, and I remember it clearly because we completely changed our sales and marketing focus. We are going after the enterprise. And when you build a solution, not just the product, but the service around it, the go-to-market around it, everything, when you build for contracts that justify this growth that you mentioned with over $1 million, consistently growing over $100,000 to $1 million, consistently growing; ASP, consistently growing. When you build for that, when you build for $1 million, $2 million, $5 million, $20 million customer, you cannot be focused on the $150 per month customer. And I will never fire a customer, but I understand why they don't see a value when I'm building a mothership, and they only need a bicycle. So the proof of that was last year when we raised the price, the basic price from $3,000 a year for Artifactory to $6,000 a year, some of them left. Why? Because 100%, even if it's only $3,000 a year, 100% for them was too much. For me, it's signaling something else. If JFrog's strategy is to become your system of record, these guys are not adopting JFrog as a system of record. So this is not even a matter of who is the customer, it's a matter of, is it aligned with our strategy. The second thing, and then, Ed, you take it from here. Second thing is that back to 2021, people bought revenue. If you want me to get to 8,000, 10,000 customers, easy, easy. I'm just dropping the price to $50 a month, and the number of logos will explode. But this is not what we do. We build something for the enterprise. We are very serious about it. This is why we also had to kind of remove all frictions internally. We had to take 300 entities and put them under their parent companies because I brought a field sales enterprise field guy that comes into the organization as an octopus and work with the CISO, with the risk team, with the governance team, with the DevOps team. And then you hear that there is an SDR that is doing inside sales with some entity. Of course, I had to kill this kind of phenomena, and to consolidate that, that's by 300 logos.

I'll be very quick. The growth algorithm, very similar to what we saw in 2025. Usage that continues and we see the cloud growing. I want to remind you, we started in 2025, 31% on the guide. We ended at 45%. We see something very similar. Security, although we don't give the number of customers in security, we certainly see a very long tail. We have over 3,000 customers today that are enterprise customers. They have the ability to cross sell and grow through security products, and we're actively pushing that. So if we continue to do that, I think there'll be a very similar outcome in 2026 that we saw in 2025.

And you see the gross retention, right, over 97%. You do the math, you understand that all of the customers that we bought hundreds of them that we bought in 2025, landed with a much higher ASP and the net dollar retention also grew, so simple math.

Awesome. Well, thank you so much, Ed and Shlomi, for giving us the update on the JFrog story.

Thank you for having us.

Thank you.

May the frog be with us.

Awesome.