JFrog Ltd.

Ladies and gentlemen, thank you for joining us and welcome to the JFrog Third Quarter 2025 Financial Results Earnings Call. After today's prepared remarks, we will host a question and answer session. If you would like to ask a question, please raise your hand. If you have dialed into today's call, please press star 9 to raise your hand and star 6 to unmute. I will now hand the conference over to Jeffrey Schreiner, Head of Investor Relations. Jeffrey, please go ahead.

Thank you, Nicole. Good afternoon, and thank you for joining us as we review JFrog's third quarter 2025 financial results, which were announced following the market close today via press release. Leading the call today will be JFrog's CEO and co-founder, Shlomi Benhaim and Ed Grabscheid, JFrog's CFO. During this call, we may make statements related to our business that are forward-looking under federal securities laws and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. including statements related to our future financial performance and including our outlook for the full year of 2025. The words anticipate, believe, continue, estimate, expect, intend, will, and similar expressions are intended to identify forward-looking statements or similar indications of future expectations. You are cautioned not to place undue reliance on these forward-looking statements which reflect our views only as of today and not as of any subsequent date. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events. These statements are subject to a variety of risks and uncertainties that could cause actual results to differ materially from expectations. For discussion of material risks and other important factors that could affect our actual results, please refer to our Form 10-K for the year ended December 31st which is available on the investor relations section of our website and the earnings press release issued earlier today. Additional information will be made available in our form 10-Q for the quarter ended September 30th, 2025 and other filings and reports that we may file from time to time with the SEC. Additionally, non-GAAP financial measures will be discussed on this conference call. These non-GAAP financial measures, which are used as a measure of JFROG's performance, should be considered in addition to, not as a substitute for, or in isolation from, GAAP measures. Please refer to the tables in our earnings release for a reconciliation of those measures to their most directly comparable GAAP financial measures. A replay of this call will be available on the JFROG Investor Relations website for a limited time. With that, I'd like to turn the call over to JFrog CEO, Shlomi Benhaim. Shlomi.

Thank you, Jeff. Good afternoon and thank you all for joining the call. JFrog's focus as a foundational platform and system of record for software delivery continues to drive momentum in our business. And I'm pleased to report another solid quarter across all metrics. Our execution remains focused, our investment remains strategic, and our customers continue to tell us we are helping them to meet the demands of a fast changing technology market. In Q3, JFrog's total revenue was $136.9 million, up 26% year-over-year. Our operating margin was 18.7% in the quarter, demonstrating our ongoing discipline between expenses and strategic investments. Cloud revenue for Q3 equaled $63.4 million, representing 50% year-over-year growth. We experienced another strong quarter of cloud revenue growth driven by increased usage of conventional software packages and ongoing increases in usage of artifacts such as PyPI, Docker containers, NPM, and models coming from Hugging Face for AI and machine learning. Our go-to-market teams are executing on a clear strategy of guiding cloud customers with usage overages toward higher annual commitments in order to build stronger partnerships and drive predictable long-term value for customers and for JFrog. Our enterprise sales motions continue to bear fruits with greater than $1 million customers growing to 71 compared to 46 in the year-ago period, equalling 54% growth year-over-year. Customers spending more than $100,000 annually grew to 1,121 compared to 966 in the year-ago period, equalling 16% year-over-year growth. In Q3, our full trading quarter net dollar retention was 118% demonstrating sustained growth among our customers base, driven by strong cloud usage and fueled by our holistic software supply chain security offering. Ed will further discuss net dollar retention later in the call. Now let me spotlight Q3's wins, including cloud and security, and discuss JFrog's AI and machine learning developments. First, addressing our cloud growth in Q3. Our ongoing growth in the cloud is supported by two vectors, our expertise in managing customers' binaries as they scale alongside AI-generated artifacts, and our observation of emerging trends in AI software package volume. We believe Qtree's cloud performance reinforces how customers view the JFrog platform and artifactory at the core of their operations. JFrog is already positioned as the universal binary repository to manage all software artifacts and is becoming the model registry of the software supply chain. As software continues to be created at an ever-growing pace by both humans and machines, the volume of artifacts rises, demanding not just intelligent storage, but a robust binary delivery system and a single reliable system of record. As their delivery pace increases, our customers are adopting hybrid, fit-for-purpose cloud strategies for their emerging AI workloads. They tell us they value cloud elasticity for AI adoption and deployment, but remain flexible in their approach due to the unpredictable compute cost, advising us that it's still too early for them to go all in on the public cloud. Meanwhile, the volume of AI-driven packages is rising, fueled by our Hugging Face integration and native support for ML models, Docker, NPM, PyPI, and other key components demanded by AI. We continue to monitor cloud adoption and AI-driven usage closely and believe it is still too early to bet on significant cloud usage goals. Our hybrid and multi-cloud offerings differentiate JFrog and uniquely position us to capture expansion due to AI, whether in the cloud or on-prem, delivering unmatched software supply chain, holistic platform capabilities, and deployment flexibility. Next, to security. In Q3, again, we saw some of JFrog's largest customers' wins, including new logos and significant multi-year contracts. Many of these deals included JFrog's holistic security solutions, such as JFrog Curation and JFrog Advanced Security. We experience this customer's purchasing behavior across multiple verticals and geographies. For example, we closed a three-year deal with the United Kingdom's Customs and Revenue Agency with a TCV of $9 million. In a similar move, a key US federal agency chose JFrog to shift left with JFrog Security Solutions and protect their software supply chain and 2,000 developers with an Enterprise Plus subscription, JFrog Advanced Security, and JFrog Curation as their open source software package firewall. In North America, our enterprise focus drove the closing of a net new customer deal with a TCV of more than $4 million for one of the world's top energy corporations. They were seeking to modernize and standardize software supply chain security and processes for the 3,500 developers choosing the core JFOC platform with JFOC security solutions in the cloud. This example wins give us confidence that the future of the software supply chain security and software governance market is being written not by point solutions, but by holistic system of record that incorporate binary management and end-to-end security consolidated into a single platform. A unified platform is a growing requirement, as companies have seen software supply chain attacks increase significantly over the past year. These attacks have become more sophisticated, targeting built pipelines, AI and machine learning software supply chains, and exploiting vulnerabilities in software binaries. Recent NPM, IPI, and MCP attacks show hackers are keeping pace with technology, but our security research team and the J4 Curation solution have been praised by our customers for protecting them from these recent, potentially devastating attacks. A cybersecurity lead at a Fortune 50 American company noted to us following the NPM attack, quote, Our JFrog curation deployment provides a very effective and efficient supply chain protection. We were able to shut down recent provider attacks in mere minutes once discovered, and the control has proven 100% successful since." End quote. Nothing fuels us more than our customers' feedback, and we are committed to safeguarding the software supply chains and aiming to ensure digital trust across the software package lifecycle. Hackers are targeting software supply chains. They know that binaries, software packages, containers, and AI models are gateways into our customers' runtime environment. This is now a real threat to every organization. Without strong protection for your software supply chain and binaries, you remain exposed. Attacks are not a question of if, but when. While one quarter doesn't define a consumption trend, Q3's adoption of JFrog security solutions give us cautious optimism for broader long-term momentum. Now to AI and machine learning. We continue to gain traction in the market as the model registry providers and are being positioned as a system of record for AI delivery, validated by some of the world's leading AI companies. In fact, Justin Boitano, VP of Enterprise AI at NVIDIA, noted at the JFrog Annual User Conference SwampUP in mid-September that JFrog enables enterprises to securely build, manage, and scale AI agents the next generation of intelligent software from development to production. Quote, AI agents are the next wave of enterprise innovation, but they are also the newest and most critical software artifact to secure. This is no longer just about models. It's about industrializing intelligent autonomous agents. By integrating with NVIDIA AI Enterprise and streamlining deployment onto AI factories, JFrog is delivering the essential pipeline to rapidly secure, manage, and scale these AI agents from development straight into production." End quote. Moving throughout 2025, JFrog has embraced the AI revolution, focusing on what we believe we do best, driving the next standouts in the market as the single source of truth for AI software packages. We integrated JFrog ML into the JFrog platform, empowering data scientists and developers to build, test, experiment, and deliver trusted models into production. We launched our MCP server alongside groundbreaking MCP security research, redefining how developers and AI agents interact with their software delivery platform. In addition, we introduced AI Catalog, a new add-on to J4 Curation designed to secure and govern both third-party and internally developed AI models, ensuring they are safe, compliant, and aligned with company policies for responsible use across the organization. Our next generation of offerings in ML and AI, as well as our DevOps and security products, were highlighted for customers and analysts at SwampUP in Q3. Every year, JFrog welcomes customers, prospects, and partners to our SwampUP conference, a key industry gathering for DevOps, DevSecOps, and MLOps users. This year, JFrog innovations were front and center with pain-solving solutions for customers. On stage, we announced a new way for companies to govern and trust their application with an innovative product, JFrog AppTrust. We were joined for the opening keynote by NVIDIA, ServiceNow, GitHub, and Sonar to showcase our partnerships in an industry-first DevGovOps solution. DevGovOps brings software development, security, and GRC groups together, focusing on, once again, the key asset of any company, the software binary. As the complexity in the world of software increases, the requirements of security compliance and governance put pressure on development teams. The need to release fast and often, combined with high regulation, requires automation and collection of evidence, such as quality testing or security results, to keep software flowing with confidence. With the new JFrog app trust product, companies will now have an automated way across platforms to manage governance as they deliver software faster than ever before. Through to our vision of cross-industry collaboration and our commitment to build solutions that are too integrated to fail, UpTrust was launched in partnership with ServiceNow as the IT op system of record with JFrog as the system of record for the software supply chain in the words of Rahul Tripathi, General Manager of ITSM at ServiceNow. The future of software built by developers and AI agents must include automated governance achievable only through evidence-based quality gates and systems. JFrog UpTrust is paving the way to make that vision a reality. In security, we further showcase new abilities to secure developer extensions or the plugins developers use in their environments. This is a different type of supply chain attack, and JVAM customers can now protect developer extensions in addition to their software assets. We also launched agentic remediation capabilities and demonstrated on stage how JFrog solutions use AI agents to detect vulnerabilities in source code, identify remediation methods, prioritize contextual path to fix problems, and even protect against similar vulnerability in the future, first through our GitHub co-pilot integration and soon available for other code assistance. Finally, we introduced JFogFly, the world's first agentic repository, reimagining software supply chain management in the era of AI. With JFogFly, AI agents become co-builders alongside developers, orchestrating artifacts seamlessly across the entire software lifecycle. This allows developers to focus on what matters most, delivering software to production faster, at scale, and without friction. Small teams now enjoy a zero-hustle, AI-driven experience, tightly integrated with GitHub and native AI tools like Cursor, Cloud Code, and GitHub Copilot. JFogFly's agentic capabilities will be shared with selected users, giving developer teams the opportunity to experience AI-assisted software creation and delivery. These capabilities are planned for full integration into the JFog platform, powering our customers in the new era of intelligent automated software supply chain practices built on an agentic binary repository. We believe that these product innovations shared at SwampUP are, in the words of our customers, AT&T, a home run for our users. With that, I'll turn the call over to our CFO, Ed Grebscheid, with an in-depth recap of Q3 financial results and our updated outlook for the full fiscal year of 2025. Ed?

Thank you, Shlomi, and good afternoon, everyone. During the third quarter of 2025, total revenues equaled $136.9 million, up 26% year over year. Our overachievement during the quarter was the result of strong go-to-market and operational execution, continued momentum in our cloud revenues, growing adoption of JFrog security products, and expansion by customers within our enterprise-level subscriptions. As noted by Shlomi, third quarter cloud revenues grew to $63.4 million, up 50% year over year, and represented 46% of total revenues versus 39% in the prior year. Our growth in the cloud was driven by increased usage across a broad set of package types, demand for JFrog advanced security and curation, and conversion of customers with usage above minimum commitments into higher annual contracts. During the third quarter, our self-managed or on-prem revenues were $73.5 million, up 10% year-over-year. We continue to proactively engage our on-prem customers to migrate DevSecOps workloads to our cloud or explore solutions better aligned with their specific use cases, including hybrid and fit-for-purpose deployments. In Q3, 56% of total revenues came from Enterprise Plus subscriptions, up from 50% in the prior year. Driven by ongoing execution of our enterprise go-to-market strategy and broader customer adoption of the JFrog platform, revenue contribution from Enterprise Plus subscriptions grew 39% year over year. Net dollar retention for the four trailing quarters was 118%, consistent with the prior quarter, highlighting the continued adoption of our security core products and increased cloud data consumption, resulting in higher customer commitments. We continue to demonstrate that our customers view JFrog solutions as mission critical to their software supply chain with gross retention that equaled 97% as of the third quarter, 2025. Now, I'll review the income statement in more detail. Gross profit in the quarter was $114.9 million, representing a gross margin of 83.9% versus 82.8% in the year-ago period. We remained focused on cost optimization with the cloud service providers and continue to expect annual gross margins to remain between 82.5% and 83.5% for 2025. Operating expenses in the third quarter were $89.3 million, equaling 65% of revenues. This compares to $75.5 million or 69% of revenues in the year-ago period. Our operating profit in Q3 increased to $25.6 million or an operating margin of 18.7% compared to $14.7 million and 13.5% operating margin in the third quarter of 2024. The continued balance between strategic investments and operational efficiency demonstrates our commitment to profitable growth. Cash flow from operations equaled $30.2 million in the third quarter. After taking into consideration CapEx requirements, our free cash flow reached $28.8 million or 21% margin compared to $26.7 million or 24% margin in the year-ago period. During the third quarter, we completed payments totaling $5.7 million under a hold back agreement related to the acquisition of Quokk AI, which was completed in July, 2024. Now, turning to the balance sheet, we ended the third quarter of 2025 at $651.1 million in cash and short-term investments compared to $522 million at the end of 2024. As of September 30th, 2025, our RPO totaled $508 million, a 47% increase year over year. This performance highlights the successful execution of our go-to-market strategy as customers continue to make larger multi-year commitments to our DevSecOps offerings. And now let's turn to the outlook and guidance for Q4 and the full year 2025. While we're encouraged by our strong year-to-date performance amid geopolitical uncertainty and ongoing macroeconomic volatility, we believe it remains prudent to continue to approach our forward outlook with measured caution. Our updated 2025 guidance range suggests sustained contributions from the JFrog Security Core, steady expansion of customer commitments, and adoption of the full JFrog platform. We continue to de-risk our outlook by excluding our largest opportunities given the uncertainty regarding the timing of certain large customer deployments. We estimate our full year 2025 baseline cloud growth to now be in the range of 40% to 42%. Cloud revenue guidance continues to exclude any contribution from usage above annual customers' minimum commitments. Taking into account our strong year-to-date results and fourth quarter guidance, we are raising our expectation for net dollar retention to above 116% for 2025. For Q4, we expect revenues to be in the range of $136.5 million and $138.5 million with non-GAAP operating profit anticipated to be between $21 million and $22 million and non-GAAP earnings per diluted share of 18 cents to 20 cents, assuming a share count of approximately 125 million shares. For the full year of 2025, we anticipate a revenue range of $523 million to $525 million, representing approximately 22.3% year-over-year growth at the midpoint. Non-GAAP operating income is expected to be between $87.3 million and $88.3 million, and non-GAAP diluted earnings per share of 78 cents to 80 cents assuming a share count of approximately 122 million shares. Now, I'll turn the call back to Shlomi for some closing remarks before we take your questions.

Thank you, Ed. The third quarter of 2025 is behind us. We committed and we delivered on innovation, on product execution, and across every financial metric. Despite macro challenges, the JFOG team soared. Over the past three quarters, we not only earned the trust of the enterprise, we reinforced our position as the definitive system of record for the software supply chain. As the world becomes powered by AI-driven software and every aspect of software creation and delivery is being transformed, One fact stands out. More software means more packages, more artifacts, more binaries, and that's exactly where JFrog stands, front and center, now and in the future. We're becoming the model registry of choice, securing the entire software supply chain of our customers, from passport control at the gate to safe and trusted delivery. We managed the full lifecycle of AI models, and we've introduced the world's first DevGovOps solution, preparing our customers for the ongoing tsunami of AI regulation and compliance. We continue to run our business with efficiency, focus, and discipline, while staying deeply energized by the opportunities ahead. This quarter was also a deeply meaningful one for our Israel team. as the war in the region came to an end and hostages were finally returned safely to their families after two long years. We stand in solidarity with the families of the remaining hostages still held by the terrorist organization Hamas, and we pray for their safe return home for proper burial. As we prepare for 2026, we're ready to leap forward in product, people, and business. We remain determined to continue building on what we've created by developers for the developers of the modern software world. With that, thank you for joining our call, and may the frog be with you. Operator, we are now open to take questions.

We will now begin the question and answer session. Please limit yourself to one question and one follow-up. If you would like to ask a question, please raise your hand now. If you have dialed into today's call, please press star 9 to raise your hand and star 6 to unmute. Please stand by while we compile the Q&A roster. Your first question comes from the line of Michael Sikos with Needham. Your line is open. Please go ahead.

Hey guys, thanks for taking the questions here. Jeff, great to hear you on the call and for Shlomi and Ed, congrats on the strong quarter. I wanted to tap into cloud and first just to sanity check the results super strong here. Was there anything one time or was this really just a confluence of a number of different pieces of the platform coming alongside the execution? Can you help us unpack that?

Hey, Mike, this is Ed. I'll go ahead and start with that. There is nothing in the cloud revenues that is one time. This is a convergence of strong usage across multiple package types, geos, and different verticals. In addition to that, we saw strong security. Security also is a leading driver of our cloud growth. So you had a combination of those two things happening, but no one time. It was a very strong quarter.

Excellent. And I did just want to tap in. I guess this is probably more for Shlomi, but again, on the cloud, we have a couple of quarters now of really strong growth. What is different if anything has changed, but from an execution standpoint on the go-to-market, what have you guys implemented that continues to bear out here? How should we be thinking about that? And thank you again.

Hi, Mike. This is Shlomi, and thank you for the kind words. I think that what you see in the cloud is a strong and consistent execution, not only of our technology, but also the go-to-market philosophy of working with our customers that have overusage, converting them to higher commitments. And that's translated to consistent cloud goals and less volatility. As you know, even when we guide, we provide you with the commitments-based guidance. And consumption might come and go, but we wanted to have an alignment between the go-to-market philosophy and the execution of our cloud business. That's on top, of course, to what Ed said, that our cloud customers are now also embracing our security solution, which obviously gives us more room to grow and to expand.

Your next question comes from the line of Sanjit Singh with Morgan Stanley. Your line is open. Please go ahead.

Yeah, thank you for taking the questions, and my congrats on the strong results this quarter. Shlomi, I was wondering if you could expand a little bit more on the theme on your script around the broadening of the types of artifacts that Artifactory is managing and storing and serving as a system of record. What does that mix start to look like between traditional... software artifacts, containers, registries, and some of the AI artifacts that are starting to come through. Can you speak to some of the underlying trends in terms of what our artifactory is storing and managing these days?

Yes. Hi, Sanjit. What we see, and we're obviously monitoring it closely, is that artifacts or different types of artifacts that are heavily used by AI creators are seeing a kind of growth in usage in our cloud and on-prem customers. We see that obviously Hugging Face is scaling up. This is the open source models hub for AI models, but also languages that support AI development like Python with PyPI, NPM. Docker containers for distribution of models, all of them are aligned and correlated and growing together. It's still too early for us to say that this trend is actually going to lead to a higher consumption in the future, but it's very encouraging to see that our customers are using JFrog as the system of records for all packages, including AI models. And that obviously drives the higher consumption, as we reported.

Your next question comes from the line of Kingsley Crane with Canaccord. Your line is open. Please go ahead.

Hey, thanks for taking the question. Really encouraging results. For Shlomi, the demo of JFrogFly was really impressive at SwampUp. The MCP capabilities are nice to see as well. It got me thinking, you know, AI is changing how consumers interact with technology. It's leading many companies to rethink their UI, their UX. How relevant is that for JFrog and is that something that you're thinking about?

Yes, thank you, Kingsley. The JFrogFly release is a disruption to the entire software supply chain system of record. We understand that software in the future will be created not just by developers, but also by agents. And therefore, whatever repository you want to build must come with the genetic capabilities. This is what we wanted first. to have a JFrog fly. The second thing, based on our research with thousands of developers, was that developers want to be focused on what they need to be focused on. Create software, deliver software we trust fast and rapidly. JFrog flies provide that. So instead of taking it feature by feature within the factory, we thought that what we would do better is to build a full agentic experience for our users, reimagining how software supply chain will look like, and then slowly bring those capabilities into the JFOG platform. Obviously, the enterprise market will adopt it one by one, feature by feature. The community and small team can run faster. So that's the idea behind FLY, and we are very excited to see how the market reacts to it.

Your next question comes from the line of Koji Akita with Bank of America. Your line is open. Please go ahead.

Yeah. Hey, guys. Thanks so much for taking the questions. I wanted to ask on NRR and maybe pick on the metric just a little bit because it was flat at 118%. But when I look at the cloud growth, that's really, really strong. And just knowing that NRR is calculated on a 12-month metric, on a 12-month basis, that just really means that there's some new customers that are growing very fast. Is that the right interpretation on kind of looking at NRR versus the cloud performance? And if that is true, how sustainable is that growth from these new customers going forward?

Thank you, Koji. I'll stop and Ed, feel free to chime in. NRR represent the tier of customers that are not committed to an annual growth NDR. Oh, sorry.

Let me go ahead and jump in here on the NDR. So first off, let me remind you that we had three of the largest customers close during Q3 of last year. So we're building off of that. It's a trailing 12-month metric. But what I said in the beginning of the year, Koji, if you recall, if there was going to be an acceleration in net dollar retention, two things would have to happen. Number one, I want to see an uptake in my security. And number two, I want to see usage over minimum commit in the cloud. And both of those are happening. So you start on a trailing 12 month metric with a very strong base off of those three very large deals that were closed at the end of Q3. And we've continued to build on that. So we've actually expanded our net dollar retention rate. We're very happy with where it is as it's stabilized quarter over quarter at 118.

Yeah, and Koji, sorry, I heard MRR and answered about the cloud monthly usage. Regarding net dollar retention, we also have to remember that part of the strategy of embedding our security solution into the platform will be a way to also expand our customers with a different persona. Getting our customers expanding with security actually addresses a completely different addressable market.

Your next question comes from the line of Mark Cash with Raymond James. Your line is open. Please go ahead.

Thank you. Shlomi, if I could start with you, I also want to ask around Fly, but more around if you see Fly opening up new customers or buying centers that you haven't serviced previously, And then what kind of go-to-market plans or tweaks would be required to drive market awareness versus maybe the market mostly thinking about JFrog, more large scale artifacts. And then if I can sneak one in for Ed, I'm just, I mean, you beat by 9 million, raised by additional six and a half million. So I guess maybe some of that comes with better visibility from RPO, CRPO strength, but you're still taking a prudent approach you laid out. So what are the key drivers that gave you confidence to raise by such an amount to be compared to 90 days ago? Thank you, guys.

Yeah, I'll start with Fly. This is obviously an opportunity, but it's not our goal. Our goal is to make sure that everything that you have at the JFOK platform in the future will support both agents and developers as they manage their software supply chain. And why is that important? Because we know that in the future, the way that engineering team will be structured will be a combination of developers and agent. It will not be just developers. So software will be made by agents. And if you don't provide them, these agents will not have access to your repository, then they will have another system of record. So with Fly's success, basically what we see is how we fuel and power the entire JFOG platform. Now, can small team use Fly and this will be another avenue of revenue generation? Yes, maybe, but our main goal is to make sure that we adopt this agentic experience across the platform and Fly is the North Star of adopting AI experience.

Yeah. And regarding the guidance and the confidence that I had moving into Q4, first of all, I only guide on the commitment. So I'm confident that what I'm providing to you 90 days after the last time I provided to you a guidance is the fact that I'm have the strong commitment. We saw a strong performance during the quarter. That's built into my forecast based on those commitment levels. And I've removed anything that's related to usage over the minimum commitments and feel very confident with those numbers provided.

Your next question comes from the line of Miller Jump with Truist. Your line is open. Please go ahead.

Hey, thank you for taking the questions and congratulations on the strong results. So for Shlomi, maybe for a couple of quarters now, we've heard about the demand for hybrid solutions correlated with AI. I'm just trying to reconcile this with the clear momentum that you're seeing in cloud. Is this something that you're seeing shift the pipeline composition right now? And then if I could ask one for Ed as well, just throughout this year, maybe the last two quarters, really, you've talked about the conversion of customers that are going over commit. And I'm just curious, like, what are you seeing from the customers that move on to new contracts? Like, are they continuing to ramp up their consumption? How has that played out versus your expectations? Thanks.

Yeah, thank you, Mila. I'll start. Well, first, what we see is what we reported in the past and we see it still. In our pipeline, there are some big deals that part of them include cloud migration. So we hear from our customers that they need more certainty before they double down on the cloud and go there with the entire AI workload that is currently being built. So for sure, the fit for purpose that we reported in the past is still relevant. But you also know that part of our guidance philosophy, these deals are being de-risked from our pipeline. And we are being very cautious with kind of hanging the expectations high when it comes to cloud migration and cloud consumption. In terms of the consumption, as I answered before to Sanjit's question, we see more software packages that are related to the AI world being used. And still, we want to make sure that this is a new behavior and not just a trend that will pass when people will decide whether they go with cloud or on-prem.

Regarding what we see from the behavior of those customers that are above minimum commitments that go to a higher annual commitment, it's still not easy to do this. And the sales team has done a good job. That's strategically aligned with our philosophy. Budgets are still not fully aligned there yet. But for those customers, they're now secure and it gives them that confidence to flex up and down. So we continue to see strong usage across the board, especially in Q3, but we also know heading into Q4, it's a seasonably slower quarter due to the holidays. So that's also something that we take into consideration.

Your next question comes from the line of Brian Essex with JP Morgan. Your line is open. Please go ahead.

Hi, good afternoon. Thank you for taking the question and congrats for me as well on these results. They're really nice to see the acceleration. You know, maybe for Shlomi, could you, any way to quantify what kind of lift you get in the quarter or you had in the quarter from conversions to cloud and maybe what percentage of your customer base is kind of remaining to convert?

Yeah, so we are not disclosing this number, Brian, but what I can tell you is that if you look at the report of the over a million dollar customers, we have now 71. That's a growth of 54% over here. I can say that the majority of them were not just using more platform capabilities, but also use it in the cloud. So while we are not disclosing it, the cloud for sure is a strong growth engine for the company.

Your next question comes from the line of Shrenik Kothari with Baird. Your line is open. Please go ahead.

Yeah, thanks a lot for taking my question. So, Shlomi, definitely securing the software supply chain for AI models, containers, packages sounds like a critical pain point right now. I just wanted to hear your thoughts on what do you think about customers of truly allocating new budgets towards this and just the sustainability of these budgets? Or are you saying it's getting bundled into existing DevSecOps and you are gaining from consolidation? You did note many attacks like the recent NPM and PyPy threads that were thwarted by curation. Just curious how customers are thinking about the budgets going forward and then how to follow for Ed.

Yeah, Shreddick, that's actually two different questions. First of all, there is a higher threat on software supply chain because hackers are after your software packages. And if you don't cover yourself there, as I said, it's a matter of when and not a matter of if you will be attacked. NPM, PyPI, MCP, in the past you remember lock4j. These are all software packages and attackers are going there because this is binaries and binaries are also the asset that our customers have in the runtime. So basically if you are attacked from runtime through the binaries, you have full access to the software supply chain. That's front and center for every CISO now. And the other question regarding new budget allocated to security in the world of AI, I believe the answer is yes. And it's not only the traditional security, but also GRC budgets. So cyber risk organizations are also looking at what happened in terms of governance and regulation. A moment before AI is fully adopted by the biggest bank and the biggest car manufacturers and the biggest retail companies, And the gap between full adoption of AI to what we see now is basically trust, control, security, and governance. So for sure, there is more budget there and more attention of CISOs and CIOs to make sure that software delivery driven by AI is not putting the company in risk.

Let me just quickly add a follow-up. Federal wins were a highlight. You mentioned meaningful DCV. So just in light of the strong Q3 and traction around security AI, the guide for Q4 does appear measured. You did touch upon it. It's coming from a place of prudence, but just implied is more kind of 25%. 30%. Is there more prudence coming from the fad side? Anything that can comment on deal timing, variability, just given the prolonged shutdown?

Yeah, thanks for the question, Shrenik. There's nothing related to a government shutdown that would change anything in terms of our sentiment going forward. We've managed this year with prudence. We're continuing to manage the year with prudence. There's a lot of factors that we take into consideration. I wanna remind you, there is no usage over minimum commitments in our guide. We de-risk for our largest deals as the timing of those deals are still uncertain, but nothing has changed from our previous philosophy. And we're continuing to use that same philosophy in our Q4 and fiscal year guidance.

Your next question comes from the line of Itay Kidron with Oppenheimer. Your line is open. Please go ahead.

Thank you. And congrats, guys. Really impressive. Maybe a couple from me. And just on this last comment that you made about that you don't give guide over the minimum commits, can you tell us in the quarter itself, this quarter, what was the upside from kind of spillover over the minimum commits?

Yeah, we didn't break that out and we're not willing to provide that information. But if you think about what we've carried over from Q3 into Q4 sequentially, that is the commitment levels. Anything above that, I would consider to be usage over minimum commits.

Okay. And then Shlomi, for you, Clearly you're doing very well. I'm kind of wondering internally what percent of your Salesforce is running above quota for the year and if that's running at a level that's higher than your normal internal averages. I'm just trying to think about, you know, you're soon to finish the year. You have to start thinking about how do you make tweaks and changes. And I was wondering if you have any initial thoughts given the change in the landscape, AI, the breadth of your portfolio. Do you have any initial thoughts on how you're going to tinker with comp as you go into next year?

Yes, it does. So obviously, we will not share some operational metrics, but of course, we are tracking it. There are very important key gears for the go-to-market team when it comes to the growth engine, when it's security, when it's cloud, cloud migration, AI and MLOps adoption, now DevGovOps and compliance. what you can see in the numbers, and this is not the first quarter, I think it's the fifth quarter in a row that we consistently deliver what we are committed to, is that not only the sales team is focused, but also they use the methodologies of top-down enterprise sales, things that in the past we didn't practice. Like three years ago, four years ago, when we used to sell to developers, there were no expansion. And now what you can see, not only by the reports of the big numbers or the big companies, but also the entire revenue growth and the consistent growth, is that the team is focused on enterprise sales, upmarket, know exactly how to expand the platform, and we are very pleased with the results.

Your next question comes from the line of Brad Reback with Stiefel. Your line is open. Please go ahead.

Great. Thanks very much. Salome, I'll take the five quarters one step farther and say that the magnitude of the SaaS speed over those five quarters continues to get bigger. So maybe building on Itai's question, is there any reason why you wouldn't accelerate sales and marketing headcount spend as we head into next year to take advantage of all this opportunity you see?

No reason. We are investing in go-to-market. We are investing in go-to-market in a responsible way. We want to see that what we deploy also comes out as the right ROI for our investment. And it's on all front. You can see the amount of releases from the product side, but you can also see the alignment on the go-to-market side when we deliver the numbers with such a strong bid.

Your next question comes from the line of Andrew Sherman with TD Cowan. Your line is open. Please go ahead.

Great. Thank you. Shlomi, I wanted to ask about the security wins and pipeline, some good color there in the quarter, but for the Q4 pipeline and beyond that, how is that tracking? How much is that pipeline up? What's your confidence in closing some of these big deals? Have the sales cycles changed at all? How's the market kind of shaping up competitively for these deals too? Thanks.

Yeah, great question. We see a lot of opportunities in our pipeline, including security. Obviously, J4 curation following the incident of NPM is something that a lot of our customers are asking and inquiring about. The sales cycles are longer when it comes to security because no customer comes with zero security coverage. So obviously it's not just a matter of upgrading themselves, but also displacing something that they use in the past. So the answer regarding the pipeline, it's growing, and we are very pleased with what we see there. It's also, to remind you, it's only part of our Enterprise X and Enterprise Plus subscription, so sometimes it also drives an upgrade in the subscription. Through to our methodology, when it comes to mega deals in the world of platform that also includes security, we are de-risking it to make sure that we are not missing a quarter because the customer needs a bit more time to conclude the proof of concept. Overall, the sales cycles are a bit longer, but not massively longer, I would say. Three quarters in average, sometimes it's four quarter, really depend on how many persona are involved in what you need to adopt from J-Frog.

Your next question comes from the line of Jason Salino with KeyBank. Your line is open. Please go ahead.

Hey, great. Thanks for fitting me in and really wonderful quarter. You know, the two wins you talked about that I thought were interesting. So the one UK customs customer and then the US federal agency, you know, did these deals directly benefit from the launch of AppTrust? I'm just trying to, you know, understand, you know, how AppTrust and the government opportunity might play as a catalyst. Thank you.

Yeah, so that was really a big win. And obviously it was an RFP. So not only J4 compete over this opportunity. And we are very proud of the team that delivered that, by the way, very long process, obviously in front of the government. UpTrust is not yet included. UpTrust was just announced last month. A few weeks, a baby product. We announced that together with ServiceNow. We are building the pipeline for UpTrust. And the DevGovOps landscape governance is something that we know that will get even more demanding when AI will fit in. So not yet. But I will answer something that you didn't ask. There is a room to grow with all of our customers when Aptos is in.

Your next question comes from the line of Iman Coughlin with Barclays. Your line is open. Please go ahead.

Hey, guys. Thanks for taking the question. And with Rire, congrats on a great quarter. The strong enterprise customer ads really stood out in the quarter. Can you help us understand some of the key drivers there? Are you spending more time engaging with your partner ecosystem? Is it a function of a more mature sales team? Just curious if there's anything you're doing to adjust a little bit of your sales motion or go-to-market motion. Thanks.

Hi, Iman. Thanks for the question. Yeah, we're seeing great traction in the enterprise, especially those customers over a million dollars. What we see, and Shlomi talked about this previously, security is becoming a driver of many of those large deals, and it's also in the cloud. So we see this expansion. The usage over the minimum commit and expanding to a bigger commitment, taking security on top of that, that drove many of the deals that we saw, 10 customers that we had over a million during the quarter, 54% growth. It's the efforts of the go-to-market team, and it's really a three- or four-year investment that we made, and we're starting to see the fruits of those labor.

Your next question comes from the line of Jonathan Reekhaver with Kantor. Your line is open. Please go ahead.

Yeah. Hey, guys. Congrats on the performance. I'm curious. So last week, OpenAI announced a private beta of a security application called, I think it's Aardvark. I mean, but it seems to differentiate with a LLM driven approach to vulnerability detection and remediation. And, you know, I'm curious if you could just talk about how this compares to x-rays capabilities, but maybe I think more importantly, the announcement at SwapUp, you know, around the genetic remediation capabilities, you know, how do you think this maybe further differentiates you from emerging competition?

Yeah, John, well, this was a very important announcement coming from OpenAI and obviously we saw it and we work with OpenAI on a monthly basis, if not daily basis. This is great news because it's yet another proof that human code creation is being covered by models. That's basically supporting the philosophy that what you need to invest in is to protect your binaries. The announcement from OpenAI is a solution that replaces static code analysis, basically code that is created in human language and not binaries. If it will drive something, I think it will drive more interest in what we bring to the market, which is a complementary solution to protect your entire software supply chain. So yes, LLM can provide your source code security, but not binaries. And that was the release from OpenAI.

Your final question comes from the line of Rob Owens with Piper Sandler. Your line is open. Please go ahead.

Great. Good afternoon. Thanks for squeezing me in. Just a couple of quick ones for me. Where you talked about cloud migration and some of those in the pipeline, taking the other side of that, customers that aren't moving to cloud, what are some of the governors or some of the reasons that they're not moving to cloud at this point? I understand that having a hybrid architecture is part of your value proposition, but just contemplating that move to cloud and maybe some of the barriers to get certain customers to move.

Yeah, that's a good question, Rob. So assuming that our customers, enterprise big customers, moving to the cloud from an on-prem setup means that they had their own projects, they understood the scope of these projects, and they wanted to move the workload to the cloud in order to kind of provide a better elasticity for the company. Now comes AI, and they see a new workload. They don't know how much they will pay for storage. They don't know how much they will pay for data transfer when you train these models, where the data to train this model will be hosted. That takes a bit more time for them to analyze. Putting aside the cost predictability, they also have some security and governance concerns. Who is training this model? How this model is being exposed? What are we doing in order to protect the company from having any type of malicious models coming in? And this, I think, um bring them to take a bit more time or at least this is what they tell us they need a bit more time before they fully bet on the cloud like it used to be maybe in a process a year ago two years ago um j frog is positioned to capture the opportunity both way either they will stay in on-prem customers and we will support them and go with them there or they will move to the cloud and we will do it in the cloud with them on a multi-cloud basis or one cloud. Basically, the hybrid solution that JFrog provided is the fit for purpose that they asked for.

There are no further questions at this time. I will now turn the call back to Shlomi for closing remarks.

Thank you everyone for joining us on this quarter results and earning call. May the frog be with you. Take care.

This concludes today's call. Thank you for attending. You may now disconnect.