JFrog S-1 & IPO - Teardown 🐸
JFrog is a B2B Enterprise SaaS company in the DevOps space that primarily makes software for software release management. As a developer myself, I wanted to break down what the product does, the business opportunity, and analyze the financials to compare with the best SaaS companies & Dev Tools.
Summary
- Best product in the binary/package management space, with pricing and features that drive a strong up-sell.
- Many competitors in auxiliary spaces but not a threat to the fundamental business.
- Great Revenue growth (46%) & efficiency (57%), best-in-class margins (82%), NDR (139%) & Payback (16 months).
- Valuation at top of IPO range is reasonable at $41 at the time of this writing, but I expect it to close higher than that on opening day.
Product
JFrog develops multiple products related to DevOps (developer operations) and more specifically software release management. Software release management help software developers write, test, and distribute software. It's the fundamental plumbing in a development organization that makes software deployment easy & efficient.
JFrog's product offerings have amazing synergy, and I thought it would be best to go through the products via the software development cycle:
Version Control
While JFrog currently does not have a hosted version control offering, they integrate with many and it's where the developers enter the software release workflow.
When developers are writing software, they often have multiple versions of their work that is stored in a Version Control System like Git or Mercurial. The code versions are similar to "drafts" in writing. A developer eventually pushes their code to a hosted VCS like Github or Gitlab so others can review their code and workflows around their code can be kicked off. This is where JFrog comes in.
Pipelines (CI/CD)
CI/CD stands for Continuous Integration/Continuous Deployment, and JFrog's product is Pipeline. CI/CD are workflows that kick off when code changes are pushed up to a VCS host. These workflows can scan your code for vulnerabilities & compliance (JFrog Xray), compile code into binaries & packages (stored in JFrog Artifactory), run test suites with the code, and deploy the code to staging for the software testing team.
Automating each of these steps via CI/CD saves developers time to iterate, protects the quality of the software, and makes the software compliant before releasing it to customers. This effectively translates to a more efficient R&D & higher product quality.
Artifactory
Artifactory is used to manage a company's binaries and packages. Binaries are versions of the code that are harder to edit but more efficient to run and distribute. After these binaries are created, a company needs ways to host them with high-availability to serve either internally or to their customers. Artifactory stores and versions these binaries so the company can distribute them. This speeds up development workflows as well as provides a faster & more reliable service for their consumers.
Artifactory is their core product offering, and often where customers start when using JFrog. Artifactory is one of the most fully featured package/binary managers, supporting the most file types and enterprise features relative to their peers. The enterprise features & file type supports are the key to their competitive advantage.
For example, companies use Artifactory as a Kubernetes Docker registry. Kubernetes Docker images are binaries that encapsulate an application & its dependencies so it can easily run on different operating systems without managing dependencies. Because of the consistency of Docker images, Docker usage has been a growing trend over the last several years. Companies will need to keep multiple versions of docker images as they develop more and more software, and tools like Artifactory help them manage this. This use case became so prevalent, JFrog spun out a focused product for docker images that is build on top of Artifactory called Container Registry.
XRay
XRay is JFrog's security product to scan code for vulnerabilities & compliance. Developers often add or update external software libraries when they are building product or infrastructure. Sometimes these new packages have security vulnerabilities and compromises the security of the software. With XRay, JFrog can automatically detect and warn the developers that there are security risk, and prevent them from releasing insecure products. The customers can then avoid reputational damage and data breach risk from insecure code.
While scanning code, XRay can also check for license compliance. These third party libraries often have licenses that dictate if a company can use the software for commercial use. The complexity of this is also magnified by the fact that the third-party software can rely on other third-party software with their own licenses, but it's the company's responsibility to verify that all of it is compliant. Having a product that can dig into the complexity of the third party software can save time for compliance teams and prevent legal battles around the licenses in the future.
Distribution
Once the CI/CD compiles & stores the binaries and run the test, the final step is to distribute the secure binaries to the customers. Distribution is important because it allows the software to be downloaded quickly anywhere in the world, and load balances the servers incase one is overloaded.
JFrog's distribution offering is secure & immutable. Security is important because a company doesn't want a hacker to pretend to be the company and distribute a compromised package in its place. Immutability is important because it guarantees that the same version of the software is consistent any time you download it. If this isn't true, workflows & software can unexpectedly fail. Ultimately their distribution product allows their customers to deploy & manage their software as safely as possible.
Mission Control
JFrog offers to its enterprise customers their Mission Control product, which is a single pane of glass to control access for all of their Artifactory instances. It allows the company to see which of its instances are online, historical usage and load, and allows them to control traffic manually if one of them is overloaded. It's also used to help the company provision the correct licenses to secure the product.
Business
Customer Acquisition: JFrog offers both a Cloud on On-Prem solution for their software suite to support a wide variety of customers. One of their acquisition channels is bottoms-up, providing a way for customers to trial the product for 30 days. This is incredibly smart because it allows developers to play around with the product for free and start integrating their workflows around it. As more and more integrations, workflows, and stored binaries are built on top of JFrog, the stickier the product is.
Up-selling: Their pricing has 3 components, the amount of storage, the amount of data transferred, and the amount of minutes the CI/CD is running. Their higher priced enterprise offering adds important features for larger businesses like SAML SSO & CDNs, while offering up-sells like X-Ray for compliance checks.
My favorite part of this pricing is that it grows with the customers. As a customer needs to manage more docker images or deploy more software, their storage need grows. As they add more developers on their team, their CI/CD minutes grow. When the company grows in scale, Enterprise offerings like SSO & compliance checking are required. This translates to strong net dollar expansion that is evident in the financials.
JFrog will have no problems up-selling as long as their customer acquisition is strong.
Customers: JFrog has over 5800 customers world-wide, and many of them are high growth companies. As mentioned earlier, JFrog can grow revenue quickly as long as their underlying customers are growing their software deployment needs. Their customers are diverse and span many categories, including Finance, Technology, Entertainment, Software, Retail, and Education.
Competition
There are many competitors across the software release management stack. Some are more specialized while others also span across many of JFrog's functions.
VCS: While VCS is NOT a product released by JFrog, they are the biggest risk in terms of competitors. The VCS is the biggest entry point into the software release management pipeline because anything you do in this space requires the source code. Owning this part of the stack is the easiest way to up-sell into the other functions such as CI/CD, package/binary storage, and code security & compliance.
The biggest VCS competitors are Github (acquired by Microsoft) & Gitlab (growing quickly & last valued at 2.75B). Gitlab has a large enterprise customer base and offers many products that JFrog does, albeit not all of them are as fully featured. Github has many customers as well and has a huge number of developers hosting OSS code on it. Ever since Github was acquired by Microsoft, Github has been more aggressive about moving up the software release stack. Their recent additions include security scans, CI/CD through Github Actions, and their Github Package Manager.
CI/CD: The CI/CD space has many players between Open Source like Jenkins and purely commercial offerings like CircleCI (raised 215M to date). The many players also include: TravisCI, CodeFresh (42M in funding), CodeShip (12M in funding), Azure Pipelines, and Atlassian Bamboo.
The CI/CD space isn't completely zero-sum however, as one CI/CD can kick off workflows in another CI/CD.
Package/Binary Storage: JFrog's flagship product is Artifactory, and it's important to understand the competition it faces in this space. Github recently its own package manager, while Gitlab can also store and distribute packages. There are other stand alone competitors like Bintray, Nexus, Inedo's Proget, and AWS Code Artifact.
While there are multiple competitors for this product, Artifactory is head and shoulders above it's competition. Artifactory simply supports more package/binary types than all of its competitors, and thus will acquire any customers that need this support.
- Artifactory: Wide support for package formats such as package formats such as Maven, Debian, NPM, Helm, Ruby, Python, Docker, and 18+ more.
- Github: Only supports npm, Docker, Maven, NuGet, RubyGems, and Swift, no On-prem version
- Gitlab: Only supports Maven, Docker, NPM
Security/Compliance: There are a few competitors in the security & compliance space. As usual, Github & Gitlab offers some of this, while companies like FOSSA focus on license compliance. There are a few code security analysis companies like Snyk (last valued at 1B), Whitehat Security, and BlackDuck (acquired by synopsis).
Summary of competition: While JFrog competes with many companies in multiple parts of the development release stack, its main differentiator is that it has the best binary/package manager. Artifactory is an incredible product for a core part of the software release workflow, and as long as they keep their product best in class, they will continue acquiring these customers.
The rest of their products are up-sells to their Artifactory customers and aren't required for them to hold a strong net dollar retention. They have many integrations with their "competitors" because they don't need to compete on their up-sell products, but rather find every way to get customers using Artifactory.
Financials
Revenue Growth: Revenue is growing 46% at a 145M annual revenue run rate. This is a small revenue scale relative to all B2B SaaS companies but roughly the average scale of an IPO. 46% Revenue growth puts it in the top-quartile of revenue growth.
Gross Margins: High gross margins at 82%, just outside of the top decile of B2B SaaS.
Net Dollar Retention: Best in class Net Dollar Retention at 139%. The drivers of this high net dollar retention is the usage base pricing that only looks to increase as organizations grow & the large amount of auxiliary up-sells.
LTM CAC Payback: JFrog has best-in-class paybacks as well at 16 months of CAC Payback. Top decile paybacks are anything under 23 months. They have historically acquired new high margin revenue for very little S&M spend.
Rule of 40 LTM Free Cash Flow: JFrog has grown incredibly efficiently, with a 11% FCF Margin in the last year. This gives it a 57% rule of 40 efficiency, which is incredibly strong.
Valuation
As the time of this writing, the IPO price target stands at $41. Assuming the underwriters exercise the over-allotment there will be 90,410,407 shares, and this gives us an EV/Annual Revenue Run Rate of 25.4x.
This puts it in the middle of the pack vs Top 10 SaaS & Dev Tools in terms of valuation, which is in line with the revenue growth & efficiency, however the margins, net dollar retention, and paybacks suggest that the valuation should be higher.
Conclusion
JFrog has a strong product that has strong up-sell motions. Artifcatory, their core product, is several levels steps ahead against their competitors and will probably own the biggest mindshare for package hosting over the coming years. The biggest risk to them are Github & Gitlab, but these companies don't seem to be focused on competing with JFrog, but rather improve their own core offerings & integrating with JFrog.
JFrog has strong financials with revenue growth & efficiency, and really shines with their net dollar retention, gross margins, and payback. While the $41 IPO range seems within reason, it's most likely going to close for higher because of its standout metrics.
Howard Chen, Public Comps Team
howard@publiccomps.com
Like this analysis? Subscribe to the newsletter here where we send out investment memos, market maps and analysis on the broader SaaS market.
Disclaimer: The author owns stock directly in AYX, CRWD, TEAM, TWLO, AMZN, FB, DDOG, ESTC, and ZM. Public Comps (SaaSy Metrics LLC) provides financial and industry information and analysis regarding public software companies as part of our weekly dashboard, our blog, and emails. Such information is for general informational purposes only and should not be construed as investment advice or other professional advice.