VDOO Connected Trust Ltd. (FROG) Earnings Call Transcript & Summary

June 29, 2021

NASDAQ US Information Technology Software m_and_a 37 min

Earnings Call Speaker Segments

Operator

operator
#1

Good day, and thank you for standing by. Welcome to the JFrog Call to discuss the acquisition of VDOO announced this morning. [Operator Instructions] Please be advised that today's conference is being recorded. [Operator Instructions]. I would now like to hand the conference over to your speaker today, JoAnn Horne of JFrog Investor Relations team. Please go ahead.

JoAnn Horne

attendee
#2

Thank you, operator, and good morning, everyone. As you've seen this morning, we announced the entry into a definitive agreement to acquire VDOO Connected Trust Limited. Joining us today to discuss the proposed acquisition will be JFrog CEO and Co-Founder, Shlomi Ben Haim; and Jacob Shulman, JFrog's CFO. After management's brief remarks, they'll be happy to answer your questions. During this call, we may make statements related to our business that are forward-looking under federal securities laws and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements related to our future financial performance, including our previously disclosed outlook for the second quarter and full year of 2021 and our expectations regarding the proposed acquisition of VDOO. The words anticipate, believe, continue, estimate, expect, intend, will and similar expressions are intended to identify forward-looking statements or similar indications of future expectations. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our views only as of today and not as of any subsequent date. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements, in light of new information or future events, except as may be required by law. These statements are subject to a variety of risks and uncertainties that could cause the actual results to differ materially from expectations. For a discussion of material risks and other important factors that could affect our actual results, please refer to our Form 10-K filed with the SEC on February 12, 2021, which is available in the Investor Relations section of our website, our quarterly report on Form 10-Q for the quarter ended March 31, 2021, filed with the SEC on May 7, 2021, and the press release issued earlier today.
Additional information will be made available in other filings and reports that we may file from time to time with the SEC. Additionally, non-GAAP financial measures will be discussed on the conference call. These non-GAAP financial measures, which are used as measures of JFrog's performance, should be considered in addition to, not as a substitute for or in isolation from GAAP measures. Please refer to the tables of our earnings release for the first quarter of 2021 for a reconciliation of those measures to their most directly comparable GAAP financial measures. A replay of this call will be available on the JFrog Investor Relations website for a limited time. And with that, I'd like to turn the call over to JFrog's CEO, Shlomi Ben Haim. Shlomi?

Shlomi Haim

executive
#3

Thank you, JoAnn. Greetings from the swamp everyone, and thank you for joining the call. I'm excited to share more information about our announcement earlier today regarding the proposed acquisition of VDOO, the creators of a hybrid product security platform that automates security tasks throughout the entire software release life cycle. This acquisition is yet another step towards our vision of becoming the company behind all software updates and creating a world of liquid software. Previously, we showed how security is a strategic focus for JFrog and is driving enterprise DevOps across the globe. By joining forces with VDOO, we are taking another leap forward in securing software-based release and orchestration tasks all the way from the dev environment to IoT or other edge points and expanding JFrog's security offering within our platform to provide holistic security for software creators. But why is this important? In today's world, the main goal of any DevOps process is to release software faster and more efficiently. But if companies aren't focused on the security of the releases as part of the DevOps process, if they are not trying to streamline, consolidate and cross-reference data to ensure security, they will see a slowdown in both development and security operations. Many of today's security tools focus only on some of the application components such as code, third parties, open source configurations, et cetera, and are not fully integrated into the complete delivery life cycle, only offering isolated control points that don't share data. This creates disparate security systems, each with its own data set that slows the release of software updates specifically when continuously delivering to the edge. Therefore, these tools are not fueling the promise of fast, automated and secure releases.
Furthermore, there aren't many tools that serve both DevOps and security engineering as well providing them a common ground to bridge the 2 walls with a common understanding that they are doomed to have friction at best, failure at worst. Four years ago, we introduced JFrog Xray to the world of developers, offering them a solution that will secure the binary repository and integrate with the CI/CD flow. Xray today serves thousands of customers as part of the JFrog platform. With Xray, our customers use our software composition analysis technology to secure their software packages and DevOps pipeline for containers and cloud-native applications at scale. We see the market. We hear the demand from our customers, and they are looking for more. They are looking for value and not adding security solutions out of field. They would like to have an end-to-end holistic process that secures the binaries all the way to the edge. Consolidate security data for efficient decision-making, save time and resources and blesses an end-to-end delivery system with the highest integrity, something that goes beyond the development organization. This is where VDOO comes in. VDOO's vast team of security experts and their advanced security technology is a perfect match to deliver on the liquid software vision while solving today's challenges. For example, VDOO's contextual threat analysis capability allows them to prioritize critical security gaps, enabling fast mitigation and recommendations of the issues that are exploitable across multiple vectors by binaries, application images, VMware and more. Alternative solutions currently available provide long lists of vulnerabilities with many false positives that often development teams need to sit through at length and again, serving one side instead of building trust between Dev and Sec. Often, these alternative solutions are manually charging the applicability of vulnerability in the particular use case.
Only defined that while it's relevant in some other instances, it may be irrelevant in other environments. The days of long vulnerability lists provided by the security team that overload developers with no good reason are over. We need to be faster and seek after security and development organizational handshake. VDOO also discovers and provides visibility into zero-day new vulnerabilities, malware, exploits, backlog, supply chain risks and other threats before they become public, for both first-party and third-party binaries. VDOO's hybrid product security platform and team of experts can find security issues before the issues are even public knowledge. They have already demonstrated hundreds of times and saved many hours for software makers. Imagine how great it would be if SolarWinds drag issue was detected before the world even heard about it. VDOO provides security that extends even to embedded software on devices. The automated technology observes and analyzes the applications that run on devices and provides data on the environment, behavior, usage, security architecture, configuration and more. To illustrate VDOO's capabilities, let's take the example of services provided to a Tier 1 telecommunication provider that supports millions of customers and also delivers millions of edge devices, most of which are shipped containing software from third-party vendors. Securing the software applications running on these many devices for many sources is critical for the service provider customers. However, analyzing these devices' software stack in the release form is almost impossible without slow manual analysis and large engineering efforts, making it out to consistently enforce security standards at scale across hundreds of externally sourced products. With VDOO's platform, the telecom provider's team started running analysis scans of their devices' software stack automatically out of their build pipeline in their final binary form with no modification.
They can now obtain comprehensive results within minutes, including a detailed software bill of material, common vulnerabilities and exposures, zero-day vulnerabilities, configuration issues, security malpractices, malicious files and more. The company was able to get fast detection and response to new threats as well as produce higher accuracy and coverage of security issues. In addition, they received meaningful prioritization, resolution and standards compliance guidance, enabling efficient handling of any issues that have actual security and risk impact. Now about how JFrog and VDOO will work together following the completion of the acquisition. JFrog is the only vendor in the market that manages the end-to-end flow of software packages also known as binaries. VDOO leads a holistic product security approach that provides security for any software package or artifact. The integration of VDOO's automated security technology into JFrog's DevOps platform, combined with their extensive research expertise will provide a complete picture of how customers' software components are woven together, giving developers, security engineers and product teams the flexibility to analyze and mitigate security issues in the multiple dimensions of the environment in which their software is created and shifting. By bringing VDOO's team, we expect to triple the size of the JFrog security expert team, including engineering, marketing and sales with employees that will be located in Israel, Germany, Japan and North America. The world-class security experts and vulnerability researchers have many years of experience in software architecture, vulnerability research, reverse engineering and binary code analysis, enabling them to continually enhance the VDOO knowledge base. In addition, VDOO's top-down sales approach will complement our strategic sales team to expand our security footprint.
Netanel Davidi, CEO and Co-Founder; and Asaf Karas, CTO and Co-Founder of VDOO have built a global team of security experts that together with JFrog will expand our joint vision. This research and engineering team will be an integral part of our plans moving forward. Both companies' teams stand ready to start merging the product following the completion of the acquisition. We expect the rollout of the first set of solutions into JFrog Xray to happen rapidly to deliver a hybrid universal integrated solution as part of the JFrog platform through 2022. In closing, a personal note to the VDOO team. We are beyond excited to have you join the JFrog family upon completion of the proposed acquisition. It is clear to us that the joint vision of changing the way software is being created, released and updated to the edge will be our compass as we offer the market a binary-focused solution to secure their organization's software assets. This move will amplify JFrog's current success with Xray and create the expectation that fearless software releases will be the experience both security and development teams enjoy. Welcome to the swamp VDOOer and may the Frog be with us all. And with that, I'll turn it over to Jacob Shulman, our CFO.

Jacob Shulman

executive
#4

Thank you, Shlomi. Under the terms of the definitive agreement, JFrog agreed to acquire VDOO for a total purchase price of $300 million subject to adjustments as set forth in the purchase agreement for cash-free debt-free basis to be paid in a combination of cash and share consideration. Of the purchase price, approximately $90 million will be paid with JFrog ordinary shares based on the average close price of the shares during the last 15 trading days or approximately 2 million ordinary shares. The required corporate approvals of both VDOO and JFrog have been obtained for the proposed transaction. The transaction is subject to certain customary closing conditions and is expected to close in the third quarter of 2021. VDOO brings extensive technology know-how to JFrog. To date, VDOO revenues have been immaterial as the company just began to ramp up its go-to-market strategy. Therefore, the acquisition will not have an immediate impact on JFrog revenue. We expect to see the revenue benefit next year when we begin selling the product integrated VDOO and Xray as Shlomi discussed. I'll also add that while we expect some minor cost synergies, we plan to reinvest any potential savings to support growth for the combined entity. Also, please note that in today's press release, we reiterated our guidance for the second quarter and full year. Subject to the closing of the proposed acquisition, JFrog anticipates its consolidated operating expenses to increase by approximately $9 million to $10 million for the remainder of 2021. We are confident in our ability to bring the JFrog and VDOO teams together. This confidence stems from our shared goals and values and our success with previously completed acquisitions. With that, Shannon, please open the call for questions.

Operator

operator
#5

[Operator Instructions] Our first question comes from Sterling Auty with JPMorgan.

Sterling Auty

analyst
#6

So a couple of questions from my side. I think you did an excellent job describing what they do. I want to drill into how VDOO does what it does. And specifically, within the CI/CD pipeline and software development process, there are some presentations out there talking about micro agents that they use on device. But where is the solution installed? Is there an agent? What does it capture? Just help us understand how it actually accomplishes all the things that you talked about.

Shlomi Haim

executive
#7

Yes. I can address that, and thank you for the question. VDOO started a bit more than 3 years ago, by developing security solutions for embedded software and for the IoT environment. In the last year, they were focusing on shifting that and starting to build tools that secure the DevOps, the DevSecOps pipeline, including containers and the CI/CD flow. This is where they started to integrate with tools like Artifactory and JFrog Xray in order to serve developers' environment. What we built with JFrog Xray is actually coming from the other way. We build tools for developers to scan their binaries, to secure the repository, integrate with their CI/CD and to be able to distribute binary securely to the deployment environment. The combination of both is actually what we are looking at. We want to take VDOO's capabilities putting aside the extensive security research, data and infrastructure that they build. To take these scanners, to take these capabilities and add it to Xray. The result will be a security tool that not only serves developers on the CI/CD side integrated seamlessly with your pipeline, comes as a platform, all-in-one repository, CI/CD, security and distribution solutions for software packages, and also secure your embedded software or IoT environment. Now if you add to it the specific security capabilities that we just bring like the research, the zero days, the contextual security threat that they know how to do. You get a full end-to-end security solution that is driven by binary analysis. And this is exactly what we had in mind when we thought about the vision of JFrog moving forward.

Sterling Auty

analyst
#8

That makes a lot of sense. And then, Jacob, is it fair to think since the revenue was immaterial. It sounds like this is really just getting integrated into Xray. It's not like there's any type of different contract structure. It's still that you're going to be selling Xray going forward. And that's how you're going to generate revenue with the VDOO solution?

Jacob Shulman

executive
#9

Yes, Sterling. This is our intent. We will try -- we will combine our capabilities of Xray with VDOO, and we expect to start seeing revenues from the combined product throughout 2020.

Sterling Auty

analyst
#10

All right. Great. Last question, how many employees in total do you expect to come over with the transaction?

Shlomi Haim

executive
#11

VDOO's total team is approximately 90 employees in 4 different countries. We expect the majority of them to join JFrog.

Operator

operator
#12

Our next question comes from Koji Ikeda with Bank of America.

Koji Ikeda

analyst
#13

Just kind of looking at the VDOO website here. I was wondering if you could tell us maybe what are the key 1, 2 or 3 features of the VDOO platform that excites you most today?

Shlomi Haim

executive
#14

Yes. So I'll try to go define 1 or 2 or 3 items that we really like because the list is long and obviously start with a team of experts that bring a vast experience in this domain. But a few things that we heard from the market, and we knew that we have to reinforce Xray with our -- the saving resources with improved efficiency and high accuracy when you provide a contextual threat analysis. What it basically means is that VDOO's scanners, VDOO's technology can help you understand what you are actually threatened by and not just the list of what the security engineers throw on the developers. This saves tons of time and hours of development and also builds the trust between the 2 communities. The other thing is the zero-day detection, that's actually -- this is huge. The main reason for that is that if you have a team of experts, they have PhD expert people that know how to find zero-day vulnerabilities. They know how the hacker thinks, they develop their product with the hacker mindset. This is -- this can be an amazing add-on to Xray, if we can find and detect and protect our customers from zero-days, from vulnerabilities that are not yet reported. The other thing, obviously, that we are super excited about is the IoT and the embedded software security. This comes not just with the expertise of analyzing your binaries in the security world, but also understanding the configuration around it, understanding the environment, understanding the instance of the device in order to provide you not only with software analysis security results, but also software analysis security results on the specific environment, again, saving tons of hours for both developers, security, product manager and more. Alongside what I just mentioned, Koji, we are joining a team of 90 experts that this is what they do from their day 1 in the industry. This team has already had a company before. This is the second company. They've built a vast experience around the community of security.
They are well known with the results that they are bringing. And the combination of that with a great technology that will lay down on Xray would be a great benefit for all of our customers and community.

Koji Ikeda

analyst
#15

Got it. And just one follow-up here. You mentioned in your prepared remarks a fully integrated product here from JFrog and VDOO in 2022. I guess any sort of color on the time frame in 2022. Is that an early or late 2022 target there?

Shlomi Haim

executive
#16

Yes. So our team already spent time thinking about what would be the first milestones and how can we plan the next 8 quarters in terms of technology and joint road map. It was kind of a joy, if I might say so because when you have a joint vision, when both of us understand that the primary assets that need to be protected is binaries. It's now a discussion around merging the infrastructure, the databases, merging the teams, merging the add-ons, the UI, the assets that you want to get into the JFrog platform. We think about the low-hanging fruit, and it obviously will start with the infrastructure and database that will enrich Xray. And then how can we provide this service as an integral part of the DevOps end-to-end solutions that is provided by JFrog. So obviously, we will have it in several milestones. Later this year, you will start to see the early results of this integration. And towards swampUp, the middle of 2022, we would love to have the first version of the merged product coming from JFrog.

Koji Ikeda

analyst
#17

Got it. Super helpful. Congrats again on the acquisition announcement.

Operator

operator
#18

Our next question comes from Brad Reback with Stifel.

Brad Reback

analyst
#19

Great. As we think about monetization of the VDOO product going forward, do you envision it a separate SKU or this just accelerating enterprise adoption?

Shlomi Haim

executive
#20

Yes. Brad, thank you for the question. Obviously, it's too early. We are observing all the possibilities. This is -- this opportunity opens a new door -- to a new avenue of growth. As you can see in the security market, there are so many dimensions of what you can and need to protect. So we are looking at that. We understand that there are other opportunities for security, for IoT and edge devices. We don't yet have the full information around that. The first milestone for us is to merge VDOO into the JFrog platform. And obviously, to provide more value to our customers, and we will take it from there.

Operator

operator
#21

Our next question comes from Kingsley Crane with Berenberg.

William Kingsley Crane

analyst
#22

One is a similar theme. So talking about providing more value to your customers through Xray. Do you think that potentially lines up the product for some type of price increase over the next 12 to 24 months?

Shlomi Haim

executive
#23

Again, price increases and new subscriptions, new values added to the cloud subscription. Obviously, in the cloud, it's less relevant because our JFrog-as-a-service is based on consumption. When we think about the on-prem self-hosted solution, we will have to consider the prices, the packages, the subscription. Currently, we would like to be focused on the technology merge to add it to the JFrog platform and not yet ready to share the prices or the updates that might come into future.

William Kingsley Crane

analyst
#24

Okay. That's helpful. And then for the 90-person engineering team, I'm curious how many of those are entirely focused on zero-day threat hunting research? And then how many of those are sort of software developers building out a software product?

Shlomi Haim

executive
#25

That's a great question because I asked -- this was my first question when we met the team. 90 people are not just engineers and researchers, 90 people include their sales and marketing that are also security experts in the go-to-market of the security landscape. They will join our team. They will join our sales and marketing team, the strategic team will be boosted by this team. Around 60 in total out of the VDOO team are engineers and around 15 of them are researchers. So probably, this is what we will start with. It will be merged with our security team and our team of researchers and data collector. So it's become quite a significant team. As I said, we are more than tripling the team that is focusing on security in JFrog.

Operator

operator
#26

[Operator Instructions] Our next question comes from Sanjit Singh with Morgan Stanley.

Sanjit Singh

analyst
#27

Congrats on the deal surely. I wanted to get your view on who the ultimate buying center is going to be? Because it sounds like VDOO was more of a soften, a solution and JFrog obviously, with Xray focusing on developers of the DevOps team. As you sort of look to 2022 to monetize that product, who do you have in mind as the ultimate sort of end users for the integrated solution?

Shlomi Haim

executive
#28

Yes. Thank you for the question, Sanjit. Well, you were with us just a few weeks ago at swampUp when we announced and introduced JFrog distribution to the world. The reason that I'm starting with that is that, again, JFrog expanded their solution to new persona. JFrog distribution actually addresses the product managers of the organization. When we look at security, as we always said, and when we said that we will extend our solution in the DevSecOps market. When we look at security, we are looking at the holistic solution. It's not just the security piece of the platform. It has to be embedded into the platform to -- well, improve and empower Xray to integrate with your CI/CD and with your distribution. So binary flow will be seamless as we described in the liquid software vision. So basically, to your question, Sanjit, It will be the DevOps engineers in small companies, probably security and product security engineers in small and medium companies. The organization, the security organization in the enterprise and product security and product managers in the big enterprise. When we look at the 6,000 customers -- currently have over 6,000 customers of JFrog, we probably going to hear first from security engineers, stackups engineers, DevOps engineers and product managers.

Sanjit Singh

analyst
#29

That makes a lot of sense for me. And then from a their traction perspective, I know they were early in their go-to-market, but I think JFrog has a strong reputation for being an enterprise-grade solution. As you did your due diligence on VDOO, what was sort of some of their early customer profiles? I imagine they did a lot in sort of the early tech startup community, but any sort of traction in sort of enterprise rate environment that you guys were able to encounter and sort of rebuild.

Shlomi Haim

executive
#30

Yes. So from what we learned during the due diligence, we saw 2 types of interest in VDOO's technology. First was the same persona that also looked at Xray. They have a security solution that needs to be powered by a container solution, and this is where VDOO solution for the DevOps market addresses the DevSecOps team. The other side of the VDOO offering is the product security people. These are the guys that had to secure the product, not just the flow, not the DevOps flow. They were not owning the DevOps platform, they own the product, and they had to secure the product all the way to the edge. These security engineers often cover the full software release flow all the way to the device, including configuration and environment setup. So those are the 2 personas. The nice thing about what VDOO brings from go-to-market expertise is the top-down methodology. As you know, JFrog is mainly bottom up-ish. So it also exposed us to CISOs and to the security community and VDOO researchers and engineers are well known in this industry.

Operator

operator
#31

Our next question comes from Jack Andrews with Needham.

Jon Andrews

analyst
#32

Congratulations. I was just wondering if you could provide any more background information in terms of just the process of the acquisition. Was this something that you this sort of opportunistic in nature? Or had you specifically been casting a net for this type of technology to add to your platform?

Shlomi Haim

executive
#33

Yes, Jack, Well, you know that from the early beginning, when we thought about expanding JFrog inorganically, we were looking at the security market. Obviously, in Israel, where there are a lot of security experts and security companies. We saw several targets, and we were happy about some and less happy about the others. Sometimes the technology was better than the team. Sometimes the team was better than the technology. None of those targets were focusing on binaries on software packages. When we met VDOO few months early this year, we met them to discuss an integration between VDOO's product and JFrog Artifactory and Xray. And when we have realized what they build and when we saw the team, and we saw how they speak about securing binaries, it was, for us, again, a binary conclusion. Either we buy them or compete them. And we decided that we go with joining them to the family, and we were very happy and honored to see that they were also interested in building something that is bigger together.

Jon Andrews

analyst
#34

And just as a quick follow-up for Jacob. In terms of your expense guidance provided in the press release, should we assume that mainly impacts 4Q? Or is that -- should some of that impact 3Q expenses as well?

Jacob Shulman

executive
#35

Yes, Jack. We expect the acquisition to close during Q3. So some of that will impact Q3 as well.

Operator

operator
#36

Thank you. And I'm currently showing no further questions at this time. I'd like to turn the call back over to Shlomi Ben Haim for closing remarks.

Shlomi Haim

executive
#37

Thank you. And thank you, guys, for taking the time and joining us. Obviously, this is a very special day at the swamp. We are extremely, extremely excited. We know that the fruits of our labor are now being expanded with the new group of Frogs into the company. And we are welcoming you all to stay tuned and may the Frog be with us. Thank you very much.

Operator

operator
#38

This concludes today's conference call. Thank you for participating. You may now disconnect.
