Can FROG Thrive As A Standalone Company?
Summary
JFrog's platform has gained traction via Artifactory, boasting a global customer base of approximately 7,200 organizations across diverse industries and sizes. They have done a tremendous job utilizing freemium offerings to gain a foothold within corporations (89% of Fortune 100 organizations) and then executing their land-and-expand strategy. There is only one problem: the company’s annual revenue run-rate is still at only $320M after 15 years of existence, with 3 of those as a public company. Utilizing binary management tools as part of DevOps is not a new trend, and it is one that will become consolidated, with a few platform players obtaining the bulk of market share.
The repository market will eventually commoditize and become a feature within broader DevOps pipeline tools offered by platforms like GitHub, Azure DevOps, Google, and Amazon. When looking at the broader organizational priorities and investments in software assets, JFrog may not be in the top five for most executives in the C-suite. While a developer may prefer JFrog's repository management, executives will prefer providing this solution as part of a broader offering provided by MSFT, GTLB, AMZN, etc. These companies will be able to lead with security offerings, an area JFrog is still weak in, which are a much higher priority in the C-suite. The dynamics between container repositories and binary repositories will converge, leading to consolidation.
Another problem is JFrog's GTM strategy, which has historically been growth through inbound inside sales. If they want to expand their platform and security offerings, they will need to engage with CISOs and security leaders, indicating a shift to a more top-down sales approach. This will not be easy, especially given the misalignment in having the majority of employees abroad while the majority of revenue comes from US customers.
JFrog is trading at 6.4x ‘23 sales and 5.5x ‘24 sales but, similar to companies like S and AMPL, it will have a tough time generating attractive returns for shareholders as an independent company. Competition will only heat up as companies within DevOps look to expand their TAM and encroach on each other's territories. JFrog's size and expansive product offerings could make it an attractive acquisition target, particularly for integration with existing developer tool suites. Companies in the container space or developer tool space, such as TEAM or MSFT, are possible candidates. Being acquired is the best path forward for shareholders.
Company Overview
JFrog was founded by Shlomi Ben Haim (CEO), Yoav Landman (CTO), and Fred Simon (Chief Data Scientist) in 2008 and introduced the concept of "liquid software," where the version number and update process of software become undetectable as updates seamlessly integrate without disrupting service. This vision was particularly relevant in a modular software development landscape, which became increasingly fragmented with cloud adoption and hybrid infrastructures.
JFrog's founders championed a binary-centric approach to software development. Developers write source code in various programming languages, but this code needs to be converted into machine-readable format to be deployed. This transformation results in executable files called binaries, represented by strings of "1"s and "0"s. JFrog recognized the need for tools to manage, store, and secure these binaries, as well as create software packages for release and deployment. Their platform facilitates the efficient management and deployment of binaries, making them a critical component in the software ecosystem. The concept of a binary repository originated from the need to store and reference different versions of compiled code, allowing for software versioning and consistency over time. Binary repositories expanded beyond compiled code and became repositories for all the components that make up code, including libraries and dependencies. The increase in application counts within companies is driving the need for repository expansion. Modern cloud-based applications are often broken down into atomic components, which results in a larger number of applications and a greater demand for repository management.
Products
JFrog's platform revolves around their flagship product, JFrog Artifactory, a universal package repository. It enables teams and organizations to store, update, and manage software packages of any scale. Artifactory ensures the currency of deployed software packages by automatically caching dependencies and versions, even from external sources. It supports major software package technologies and can be seamlessly deployed in various environments, including public clouds, on-premises, private clouds, and hybrid setups. JFrog Artifactory acts as the "single source of truth" for an organization's software packages, ensuring consistency, trust, and enabling automation-based efficiency in the software release cycle.
The adoption of repository managers by organizations has been ongoing for over a decade, but there is still significant potential for growth, especially as more non-software companies undergo digital transformation and become software companies. While their repository product is considered best-in-class, other components of their suite, such as Xray, Mission Control, and Pipelines, may not be considered best-in-class compared to competitors like Sonatype's Lifecycle and Snyk. JFrog's independence and neutrality as a repository management solution may benefit them to some extent, but the dominance of platform players in the market will only gain momentum going forward. I don’t think trust in MSFT's ownership of GitHub is a significant concern for developers, as ease of use and functionality are more important factors in their decision-making.
While quantifying the exact ROI in monetary terms is difficult, the time saved, improved developer efficiency, and risk reduction provided by repository management tools contribute to overall cost savings and a more streamlined development process. By pre-approving and storing pre-approved components in the repository, organizations can save time by enabling developers to quickly access and use trusted dependencies without having to go through lengthy approval processes or manually search for and validate each component. This streamlines the development process and allows developers to focus on writing code rather than searching for and vetting dependencies. Additionally, by integrating security scanning tools like Xray into the development workflow, potential vulnerabilities and security issues can be identified and addressed early in the development lifecycle. This proactive approach saves time and resources by preventing security issues from reaching production and reducing the need for costly remediation efforts later. It also helps mitigate the risk of data breaches or other security incidents, which can have significant financial and reputational consequences for organizations.
While Artifactory is the flagship product, JFrog is trying to make strides in the DevSecOps space with their security offering (Xray), Pipelines, Connect, Insight, etc. For JFrog to have success as a standalone company, they will need to find a way to continue expanding end-to-end product offerings and increase adoption of security, becoming the de facto platform for DevSecOps.
GTM
JFrog tends to have the most awareness in startups and small companies, as developers in these organizations often have full ownership of the DevOps process and are more familiar with the benefits of JFrog's tools. Even if they don't directly interact with JFrog's platforms like Artifactory, they may use IDE plugins or other integrations. In medium-sized companies, there are usually dedicated teams responsible for DevOps and DevSecOps, and Artifactory Pro or Enterprise versions are commonly used. These teams are focused on managing and running the JFrog solutions. In large enterprises, different teams within the organization are responsible for utilizing JFrog solutions. Large enterprises that have strong engineering capabilities may prefer to build their own toolsets, which limits the potential spend with JFrog.
JFrog primarily focuses on a bottoms-up sales approach, targeting developers and teams as the entry point into organizations. Historically, they have relied on an inbound sales motion as adoption of DevOps tools proved to be a tailwind. Their goal has been to become the standard for binary management within teams and gradually expand their presence across the entire organization. The company has identified three key customer personas: community members, security teams, and product leaders. They create low barriers to entry for community members by providing a broad range of integrations and open-source support.
JFrog's sales organization has evolved to support their enterprise-grade platform. Initially, sales were mainly low-touch and demand-driven, supported by an inside sales team. However, since their IPO in 2020, the company has developed a high-touch strategic sales team to engage with the C-suite and target large enterprises. The sales organization is geographically segmented, with a focus on government as a key vertical. JFrog's sales reps have a relatively short ramp-up time, averaging 6-12 weeks for inside sales reps and six months for strategic sales reps.
JFrog's customer profile primarily consists of developers, with their average revenue per customer at around $40,000. They have a significant upsell opportunity within their customer base, as the majority of revenue comes from customers on the Enterprise+ tier. Over 90% of revenue is generated from customers on a multi-product tier (Pro X or higher), indicating a strong potential for upselling premium offerings.
JFrog operates on a multi-tiered business model, offering customers different tiers with varying levels of access to premium features, service availability, and combinations of modules within their platform. The pricing of these tiers escalates based on the value added, with higher tiers commanding higher prices. For self-managed deployments, the base price increases from the Pro to Pro X tier, and then further to the Enterprise X tier. The Enterprise Plus tier is negotiated on a contract basis, with an average price estimated to be four times higher than the Enterprise tier.
JFrog Pro: Provides access to JFrog Artifactory, ongoing updates, upgrades, and bug fixes.
JFrog Pro X: Includes all features of JFrog Pro, with the addition of JFrog Xray for security scanning and SLA support.
JFrog Pro Team: Cloud subscribers receive JFrog Artifactory, security scanning with JFrog Xray, and CI/CD tools with JFrog Pipelines.
JFrog Enterprise: Offers all the features of JFrog Pro, along with High Availability cluster configuration, multi-region replication, JFrog Mission Control, and SLA support for larger enterprise-scale deployments.
JFrog Enterprise X: Provides the features of JFrog Pro X, with the addition of High Availability cluster configuration, multi-region replication, JFrog Mission Control, advanced security features, and SLA support.
JFrog Enterprise Plus: This top-tier subscription includes all the features of JFrog Enterprise X, along with JFrog Pipelines, JFrog Insight, JFrog Distribution, JFrog Artifactory Edge, and potentially JFrog Connect. It offers customers access to the entire suite of JFrog products and functionality.
Competition
The market for DevSecOps tools is currently fragmented, with various players specializing in different aspects of security and development. Some of the key competitors include GitLab, GitHub, Veracode, Black Duck (Synopsys), and Microsoft with its offerings like WhiteSource. The most likely path forward is that there will be fewer niche companies and more consolidation among players. Customers prefer having a single supplier with multiple tools, rather than managing multiple relationships.
JFrog will need to make inroads in the security space, but the security market is crowded, with various startups and well-capitalized competitors offering solutions. JFrog's acquisition of Vdoo strengthens their capabilities in this space, but it may not be enough given their lack of scale. JFrog faces heavy competition within each vertical it operates in.
Binary Repository:
Sonatype with their Nexus offering.
Microsoft with GitHub package manager and Azure Artifacts. While currently offering limited features compared to JFrog, Microsoft's platforms could pose a threat if they invest in enhancing their repository capabilities. They have the potential to become a significant player in the DevSecOps market. They already have a suite of security tools and have made acquisitions in the space. While they may currently be more focused on the deployment side, they are likely to expand their offerings and move closer to developers in the future.
AWS, GCP, and other major cloud providers
With its container scanning capabilities, Snyk could potentially enter the repository market and provide strong competition to JFrog.
Security (Xray):
Snyk
Aqua Security
WhiteSource
Veracode
Sysdig
Twistlock
AppScan
Datadog
CI/CD (Pipelines):
Jenkins/Cloudbees
GitLab
CircleCI
Bamboo
CSP providers