JFrog Ltd. ($FROG)

My name is Koji Ikeda. I am one of the software analysts here at Bank of America. Welcome to day 3 of our 2026 Technology Conference. Here to kick off day 3 absolutely thrilled to be hosting a fireside chat with JFrog. We have Ed Grabsheid, CFO of JFrog, and Jeff Schreiner, Head of IR. So thanks so much for joining us.

Thanks for having us.

Yes. I guess maybe just to kick it off, I always like to start with just a high-level overview of JFrog for listeners in the room that are maybe new to JFrog story. It's in the weeds of DevOps. But DevOps is a fantastic category. And so maybe just a high-level overview of what you guys do would be?

Yes. Yes, sure. Happy to do that. And it's great to see everybody. I see a lot of familiar faces, some new faces. So I'll give a very high-level overview of and kind of what we do. And you're right, it used to be in the weeds. I think there was a lot of people that misunderstood the story of JFrog and what we did and what is a binary in areas where kind of something that was a machine language that nobody really talked about, nobody understood they understood source code that you write code, you write it in English, German, Spanish, but that converts into a machine language, which is known as a binary and that's what JFrog does from the day #1 on always focused on binaries. We have built a trusted secure and automated platform that delivers software through the software supply chain as a binary to distribution. And in the era of AI has much -- many, many new binaries are being created. We have built a very and a holistic platform that allows for this sunamia binaries to come through into production and through distribution.

So when you're out there talking with customers, -- and in this tearsheets binaries and the security of binaries and frankly, the whole supply chain of software. When you're winning deals out there, what are maybe the 1, 2 or 3 top priorities and differentiation that JFrog offers that they're telling you, this is the reason why we chose you guys.

Yes. So as I said when I opened about JFrog, what are the critical kind of technical notes that that we win. And one is the automation. So the automation process, it is a holistic universal solution, which means that more than 30 languages connect with JFrog, it's agnostic to any languages, any cloud provider, any foundational lab and AI model. So that's number one. Number #2 is it is a controlled plane. So everything comes through JFrog. And you have full visibility, a holistic view of all of those applications that are coming into JFrog or into your organization and through JFrog. And so when you look at other solutions. And when we go up against other maybe smaller competitors, the technical win here and the moat that really separates JFrog from those others is the holistic view and the scalability and the fact that it's not just a good enough solution in the era of AI. It is the best solution that supports all of the languages that are available to any of the agents.

One of the questions I often get from investors, and I try my best to answer it, but would love to hear how you guys would answer it is hyperscalers and other big platform vendors might have some sort of binary solution. If you quickly Google artifact management, things come up. And so are you winning a lot against some of these bigger platform vendors that offer a lot of solutions out there.

Yes. Why don't I start I'll start and then you can jump in, Jeff, with maybe a little bit more of a technical view on this. But it goes back again to the universal approach and the fact that we support many language and the scalability. So maybe a year or 2 ago, you might have heard where the hyperscalers had a container registry offering and maybe smaller organizations were going to the container register offering from the hyperscalers. And there was a competitive advantage from a price perspective and a good enough solution to support 1, 2 or 3 languages. Today, it's very different. If you are using agents, and we can say that 80% or so of developers today are using an agent to build code in some capacity. The agent itself is going to go out and pull what is the most efficient way to write the code. And that may not be with NPM. It may not be with pipeline. It may not be with condo, maybe in its own language that it creates on its own. And JFrog can support all of these languages. It's a scalability. So as a new language comes into play with the development process, that language can be added to JFrog very quickly, and it doesn't break the model or the platform. And therefore, a good enough solution like a container registry coming from the hyperscalers is not going to be good enough in the Aero. And this is why nowadays, JFrog has become mission critical to all organizations. We're focused on the enterprise, but we see an opportunity for that to expand to all organizations, especially as we move forward to an automated fully autonomous process in AI. The autonomous process in AI.

When we look at the infrastructure software category and frankly, the entire software universe. I think investors out there are trying to figure out AI winners, maybe AI neutral and AI, we don't know. And JFrog definitely I think the AI beneficiary category facing a lot of tailwinds here benefiting from a lot of tailwinds here. And so maybe help us explain or help me understand why JFrog gives a beneficiary of I know the simple, simple, simple thesis is AI equals more binaries equal more JFrog, but why is that?

Well, it goes beyond that, to be honest with you, Koji. It's not just the ability to take the amount of new code that is converting to a production level binary into the organization and handled that level of the surge. And clearly, those numbers that you see in our cloud growth, 50% cloud growth, now representing 51% of our total revenues. A great outcome, and this is strategically what we've been building towards is moving as many workloads from self-hosted to cloud, landing new customers in the cloud, building new capabilities in the cloud, and that's being represented in the numbers, but it's also the governance aspect. And so where the AI winner maybe they're looking at JFrog as an AI winner, it's around the governance. So once you allow the machines to be autonomous or working in collaboration with the machines, you have to have the governance. And this is where JFrog quickly is becoming recognized as a beneficiary to AI because the model itself is a control plane or the platform is a control plane, allowing the governance. So when the machines start creating binaries, you have to have the governance layer on top of this. This is why it's critical with App Trust, a product that we introduced during swamp up in September of last year and it's starting to gain traction. Customers see the value of the governance as more and more code is being created by machines and not by humans that are overseeing the process. The governance layer will become critically important in the era of AI.

I think in the new world of AI and the current world of AI. Everyone is trying to understand, number one, where technologies sit in the stack -- and then also, where does the technology sit within the ecosystem. So I want to ask you the ecosystem question. And when you look back at the transcripts in the prepared remarks, there's a lot of commentary of how you guys are playing partnerships here and there. And so maybe help sum that up for us -- where does JFrog sit in the ecosystem?

Well, I think in the ecosystem, I think you heard Ed speak about it earlier, Koji, and that's the holistic view that JFrog has. And I think maybe that's 1 thing that might be underappreciated is with the universality we have with 20 tools connecting or utilizing JFrog or metadata from the binaries -- we have a whole picture view. A model may have the view of the model. I mean many models, if you try to move model to model tell you know that model suck some better than that model work with me. So they have a very centralized view of what they're trying to do, as do others, whereas the holistic view of JFrog, i.e., the Switzerland of binary, so to speak, gives us a unique positioning in that ecosystem. And I think that's also a competitive moat for us in a way because why? because why would a larger player want to allow that universality, right? A larger hyperscaler may want to enforce their tools, their cloud in that critical area where a lot of the enterprises need that universality so that they can choose the best solutions to plug in and work with JFrog Artifactory, and with the software supply chain managed by JFrog.

Got it. When I look at the business model, I think 1 of the key growth drivers is cloud. So cloud just grew 50%. It grew 42% the quarter before, 50% the quarter before that. All great right. But how do we -- what's the best way to understand the durability of cloud? And and maybe get a little bit more comfortable with 50 going to 42% going back to 50%. And what does that look like? Or how should we think about that?

So I think you're alluding to the seasonality. And that's a question that's been asked quite a bit as we've been on the investor circuit. What is the seasonality going forward? What should we be thinking about for JFrog? And how does workloads now -- how does that play out with the rest of the year, especially in the era of AI. Previously, you had holidays to take into consideration Q4 historically has always been a slower quarter. We always knew that Q3 was kind of a capture quarter in terms of commitments. But everything has changed in this environment because machines are running in the background. It doesn't take a break. It doesn't go to the restroom. It doesn't get on a holiday. It's the million-dollar question, to be honest with you. We don't know what the seasonality is. And what we do know is we have a commitment, and we're different than a pure consumption play SaaS company. We have a commitment and annual commitment to JFrog. It's contractually obligated. It's a legal binding agreement, and we guide on that. So whatever we're guiding we know it will not fall below that. That is the floor. We increased our guide heading into Q2. We raised it from a guide of 30% to 32% to 34% to 36%. And we also believe that we have a better confidence level of a sustained usage in the cloud above minimum commits today for a couple of reasons, and I'll explain. Number one, we've had now 4 or 5 consecutive quarters where we've seen strong growth. Even though it's not included in our guidance, we feel more confident about that. Number 2 is our customers are telling us, budgets have been loosened, the purse strings are loose and we're not being pushed back to slow down the innovation that's coming from the Board being asked by the Board or by management and we're not even being pushed back by the office of the CFO or procurement to go do a re-up on the agreement. We're going to spend over the minimum commitments for now. Now once you get to an annual commitment at the end of the contract, you're going to have to renew. And we still see customers renewing at a higher annual commitment. It makes a lot of sense. We saw that. We captured some of that in Q1, and we hope to do that going forward. But at the end of the day, we start to see customers spending over minimum commitments, and they're continuing to spend over the minimum commitments until they have the clarity. And once they have the clarity, they may re-up to a higher annual contract. Today, we feel like the seasonality behind with that is unknown, and the intent right now is to try and capture a higher annual commitment. So therefore, we have the visibility that we can guide clearly to the group here and the investors in the Street.

So not only do you have cloud, you have a very robust on-prem health managed solution to -- and so maybe talk a little bit about why a customer would go cloud versus on-prem and vice versa.

Yes. I'll start, and then maybe you can talk about the technical side. Yes. So there's 2 ways to look at it. There's organizations that JFrog and many of those today as a new organization landing at JFrog and in the cloud. They see economic benefit because they don't have to manage their network. They don't have to manage deployment across a global topography everybody is up to date from a version perspective. We also have customers today that are on self-hosted that are still migrating. Even though we talk about a slowdown in migration, there is still a benefit for those customers to move workloads from self-hosted to cloud. Now what's happening with the very large organizations that have millions and millions of artifacts that are 20,000 developer shops or so that had intention to migrate from Sophos to the cloud. These are very advanced developer organizations that are also using AI, they don't have the clarity yet on the cost structure, and those have been paused. It's not a matter of if, it's a matter of when. And they also see the value of moving to cloud and putting the workloads into cloud, but those are being paused at the moment right now.

Yes. And I would just add, I think, Koji, the decision to be on cloud or self-hosted, that's a customer decision that we leave to the customer. And I think what you're going to see over time is there will be a cohort of the self-hosted group that will be in regulated industries or be somewhat forced by some type of regulated policy to have a self-hosted instance. And those will be the customers that will continue to use that. However, we are starting to see things emerge with the use of hybrid in the era of AI because we all go through these periods of costs of cloud when new technologies or the use of technology and shifting from self-hosted to cloud earlier in the a few years back that we had seen causes some type of realignment of the vision, but inevitably, cloud goes on. But I think right now in the area of AI, certainly, some are looking to say, is there a hybrid approach in which I may choose to put certain workloads into cell posted and then move certain workloads into the cloud. And as you utilize JFrog, you're not experiencing any difference in how that's interface. The UI is completely the same to you. And again, I think that's a differentiated opportunity versus not only the large players but other smaller players beyond just scalability that each is kind of restricted to their area and their sandbox, 1 in self-hosted and 1 cloud native.

In the software landscape, pricing models has become a pretty topical conversation. You guys have been a very consistent pricing model. And so maybe spend a minute or 2 and remind us exactly how you price on cloud and on your self-hosted solutions.

Again, another question that's asked quite a bit. I think there's concerns around where is pricing going to go in the era of AI, especially with the seats and the change in seats going from humans to agents and how do you price that? And the good news is JFrog has never been a seat-based pricing model. On the cloud side, we always monetize based off of data consumption and storage and on the self-hosted, it's on number of servers. So we've avoided the seat discussion on security, we do monetize based on a number of contributing developers. That's a common currency, and we went to the market with our security solution based on that. We thought about maybe does it make sense to do something on scans or artifacts, but it was confusing for buyers and as we were stepping into security, we wanted to make sure that there was a common currency for CISOs to understand the value of JFrog. Now as you move forward and you think about tokens in this token environment and as token start to increase, there's a lot of discussion about now as more and more use or more and more development will go through tokens, what does that mean from pricing. We're not going to be the pioneers behind the pricing. We'll certainly follow the trends, but there could be some kind of bundle of pricing or a shift in the way that things are being priced. And we're keeping a close eye on that. We don't have any updates yet on JFrog when there's no intention to change anything yet, but we're keeping an eye on the market and see where it goes.

So you mentioned security there in your answer. We haven't touched upon it. We've got 18 minutes without talking about one of the most exciting growth drivers, I think, for JFrog. And so clearly, you guys have built an incredible franchise with your artifactory product. I mean, I don't use best-in-class all that much in software, but we hear it all the time with your partners and customers out there. So congratulations on what you did with Artifactory -- but let's talk about security. What is security to JFrog? What is security to your customers out there? And how are they thinking about it?

So security, there's 2 ways to look at it. There's a security -- the basic security that's added to our subscription called X-ray. You have Enterprise Plus, Enterprise X and ProX that is a Tier 0 scanning capability once you bring Artifacts into your organization. We also have an add-on security. This is really what's driving the growth in the ASP, which is driving our net dollar retention rate, which is driving the expansion that we're seeing and very healthy KPI and metrics that we shared at the end of 2025. That is curation and advanced security. Curation is the firewall that sits outside of the organization that you curate of what you can bring into the organization. And then once you bring those packages and artifacts into the organization, you use advanced security, advanced security is a platform that replaces 7 disparate scanning tools into 1 platform, replacing those tools. Now Security has gained a lot of momentum over the past year and in particular, since Q3 of last year, when you started to see a lot of these open source vulnerabilities, NPM attacks, the Shy Halo attack. That created a lot of awareness. Curation in protecting your organization outside of the firewall or outside of the organization as a firewall. And we saw great momentum, especially in Q4, where we had a lot of security curation purchases that were done really within the quarter in a short period of time and that momentum carried into Q1, and we're building a very strong pipeline. It's no longer a situation where there's an incident, great awareness. There's maybe fear by. This has become a pipeline builder -- the awareness is clear. It's really a no-brainer to protect your organization, especially in the era of AI when packages are moving at the speed of light into the organization. This is the best way to control that. It's the best way to keep developers productive and curation is becoming a very good product for JFrog and a nice pipeline builder.

Can you break down exactly what curation does from a very simplistic view. We've done a fair amount of work on it. We hear good things, but always a good reminder of what exactly does it do.

Yes. Thanks, Koji. As I described it, we tried to paint it for investors to understand is kind of the wall around the castle to keep out the barbarians at the gate, okay? And this has become something that was actually developed, and I want to highlight this that what JFrog has been able to do well and continues to do well. And I think will benefit us as we continue to work with these frontier labs is to create products that solve very important pain points for our customers. So there was a large financial services firm who came to us at the time because at that point in time, a few years back, prior to curation, what an organization did or at least this organization did allowed the developer to build, but you were not allowed to be have the package approved, and you had to hope that the package was approved by the time you built because they brought nothing in and you had to get that one package approved to be then built. Others at that time, we're just bringing everything in and scanning with x-ray to try to secure in that sense. And so this customer said, "Well, wouldn't it be great if we could have a centralized policy in which I could state and as Ed stated, curate, that's the name curation, the repositories that I, in fact, want to work with and want to allow my organization to use. And so I will tell curation to point to repository A, B and C. And within that repository, it will be curating and managing the packages, and it will manage the packages within that repository that I want to use and keep an eye on what is going on in this repository has anything been changing with the packages that I'm signed to be in charge of. Thus, it creates that firewall, which in essence has become critical in the area of AI because now the hackers have AI and the patch and the remediation of all these CVs we're seeing almost by the hour, where are they happening, they're happening at the binary level. And so when I now want to start moving towards more autonomous work as I start to shift at some point to allowing to build and go into production. What I want to have is a sandbox that I've approved centrally to say, do as you will, be creative, build, build, build baby but do so with what tools, what packages I've allowed into the organization. So in the world of AI, that's very critical to enterprises. And I think it's -- that's why it's becoming somewhat almost of a no-brainer solution to have because it sits outside your ID, sits outside source model, where the data is created so that will eventually as well. Another thing I want to add as I wrap up the answer as it relates to curation is that our CTO kind of snips it at and I when we're having conversations because he's like, you guys talk about duration, a lot of security. And we're like, yes, well, do built at security, it's governors and you wait, they'll learn that it's governments. And so it's going to be a critical aspect to the governance aspect that I talked about in tying into AI catalog. So curation has become a very critical product. And the last thing I'll add there is that -- it's become so critical that there's been some Johnny come lately that have tried to fill a void and they tried to fill a void on the typical way that I had described earlier in his first answer, in which I come with a good enough solution to tell you that you don't need everything JFrog offers and this is going to be just good for you. Well, some people chose that route and they've been hacked. And I'll say that curation has never been penetrated. So I think that there's a lot of opportunity out there for us still as it relates to curation.

Is there. A benefit to all with what you learn within curation. Oftentimes the software you here, hey, we take all the data and what's happening, and we don't share everything with everybody, but the learnings that we do within certain products do help everybody. Does that have a bad asset.

I think it's different in a way maybe you're talking, right? We're obviously part of the community, and that's another thing we do that I think many don't want to do in terms of really working with 36-plus languages. That's all the repositories that come with that. Supporting the community and doing community-led things that always lead to monetization. That's some of the things we've done. What you may be talking about or what I would probably answer the question with Koji to how you've presented it, is back to what I said was solving pain points is now being very tied into some of these AI frontier labs that you are all very familiar with and understanding that when they came to us, we have very, very smart people but they had a light go off when they were shown what an AI company views JFrog and a system of record as in the world of AI and now we are able to start to work with them and try to build to their pain points as AI scales and grows at their individual companies.

So the security story sounds great. And so what are you guys seeing that is giving you confidence in the durability of growth for security? Maybe things that you're seeing from the customers or usage or conversations, whatever it may be that helps support this durability of security?

So as I mentioned in the beginning, we have 2 products. One right now is probably weighted a little bit heavier in terms of criticality, which is curation because it's there is no alternative solution at this point and organizations didn't have it unless they tried to build it on their own, which they weren't able to do. So there's an immediate caffeine high, so to speak, to bring curation into your organization, implement that and see value immediately. And as I mentioned previously, this is no longer an incident-driven purchase or a fear buy, this is becoming obviously critical every week. Maybe even daily, you're starting to see these open source attacks and vulnerabilities that are happening. So if you're an enterprise and you're using AI capabilities and you're concerned about security, you're obviously going to take curation. So there's durability there based off what we're seeing in the pipeline. The second piece is advanced security, which, again, is critical, critical to consolidate all of these point solutions that many of these are not publicly traded companies. They had a value proposition maybe 3 or 4 years ago. Their value has come down. consolidate it to 1 platform with the provider that is securing your asset, the most critical asset, the primary asset, the binary and managing the binary. So it makes a lot of sense to consolidate those point solutions to 1 platform. So there's a lot of value in that as well, and we continue to see strong demand and interest in advanced security as well.

I would say the advanced security, just to add quickly Koji. It's going to have a much long tail type effect because you can think that some of our large deals that we signed a few years back, the largest deals in history, they'll be coming up over time for renewal. And let's see if in the first multiyear, 3-year agreements that they've signed, do they, in fact, replace all those 7 tools? Because that's the difference here. As Ed said, I'm putting as many contributing developers behind the firewall -- now the Jazz solution, advanced security is more for the good actors gone back inside the cast, so to speak, right? And I may replace 1 tool in year 1 because that's running in parallel for 9 to 12 months. And then obviously, I'm going to take a different step up in seats by year 2 because I'm running one, and I may now be testing 1 or 2 to replace as well. Now each has a built-in step up over this multiyear period, but I think the step-up is more weighted for invanced security as you build in the tool adoption over time. And so that's still very early innings in terms of the consolidation.

I got you. Running up on time here. So I do want to ask you the growth and profitability question. And 1 thing that I've always loved about JFrog is your responsible growth. you've never done a reduction in workforce, always been growing, always been innovating. And so you guys are really like facing a nice opportunity here. And that always bears the question why not invest more for growth. And so how are you thinking about balancing that growth and profitability framework.

You know us well. You've been with us for a long time, and you know the story. We're a very efficiently run company. We're very disciplined in the way that we deploy our capital and where we hire and like you said, especially now that there are so many headlines with reduction in headcount. We Knock on would have never done that, and we don't intend to do that. We continue to hire at this -- in this environment because we want to capture the innovation and make sure that we're staying very relevant in the AI era. In addition to that, we're also implementing a lot of AI internally. So we will have efficiency gain over time. Like many companies, we're continuing to educate ourselves in exploring, and I think efficiency will come in 2027 around AI, and we'll have to consider what that means from a hiring perspective. But for the time being, when there's an outperformance on the top line, and you understand our guidance philosophy, we're a little bit more conservative or responsible on the top line, less so on our operating expenses from a guide perspective. So we would expect that outperformance, a portion of that to flow to the bottom line. We had a very strong quarter in Q1, over 21% operating margin, a nice growth in operating margin on a year-over-year basis, and we'll see how the rest of the year goes, but we'll maintain that efficient disciplined approach.

Got it. We're out of time. Ed, Jeff, thanks so much for doing this. Appreciate it.

Thank you, guys.