Confessions from a DevOps Conference
JFrog's Emerging Network Effect Strategy and Bold Agentic AI Play
Today, I attended the JFrog User Conference in Napa Valley – because nothing says 'DevOps' quite like discussing binaries and software delivery surrounded by vineyards. As I wrap up the day (and resist the urge to sample the local offerings), here are the two things that come to mind after assimilating all the customer conversations, product announcements, and investor meetings:
JFrog is Elevating its Market Position Again, But This Time With Compliance
JFrog is making a shrewd play to become the compliance backbone of the DevOps world by positioning itself as the central hub for SLSA (Supply-chain Levels for Software Artifacts) implementation. The SLSA framework requires cryptographically verifiable provenance metadata that documents the "who, what, and how" of every build process, and JFrog is integrating with partners across the DevOps toolchain to collect and store these digital signatures at every step. As more partners sign on to this initiative, JFrog transforms from just an artifact repository into the authoritative source of truth for the entire software supply chain—from source code commit to production deployment.
This is how I understand it: imagine a financial services company deploying a payment processing service. Today, when their security team needs to prove to auditors that their software hasn't been tampered with, they're scrambling through logs across GitHub, Jenkins, security scanners, and deployment tools. With JFrog's new SLSA approach, every tool in their pipeline automatically creates a cryptographic "receipt" that gets stored in JFrog—GitHub signs the source code, Jenkins signs the build, the security scanner signs the vulnerability report, and the deployment tool signs the release. What used to take weeks of detective work across multiple systems would now take a fraction of the time with a single source of truth. In fact, AT&T said they used to track 122 tools for this information, which could now be distilled to one.
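The receipt chain described above, as an added sketch that is not JFrog's code or API: each pipeline stage signs a receipt bound to the artifact's SHA-256 digest, and an auditor checks the whole chain in one pass. HMAC with constructed keys stands in for each tool's real signing key pair, and the stage names and receipt fields are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-tool keys; HMAC stands in for each tool's real signing key pair.
SIGNER_KEYS = {
    "source": b"constructed-source-control-key",
    "build": b"constructed-build-server-key",
    "scan": b"constructed-scanner-key",
    "deploy": b"constructed-deploy-tool-key",
}
REQUIRED_STAGES = ("source", "build", "scan", "deploy")

def _payload(stage, subject, claims):
    # Canonical JSON so signer and verifier authenticate identical bytes.
    body = {"stage": stage, "subject": subject, "claims": claims}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_receipt(stage, artifact_digest, claims):
    """What each pipeline tool would emit and push to the central store."""
    sig = hmac.new(SIGNER_KEYS[stage], _payload(stage, artifact_digest, claims), hashlib.sha256).hexdigest()
    return {"stage": stage, "subject": artifact_digest, "claims": claims, "sig": sig}

def audit(artifact_bytes, receipts):
    """Return findings; an empty list means every stage vouches for this exact artifact."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    findings, seen = [], set()
    for r in receipts:
        stage = r.get("stage")
        key = SIGNER_KEYS.get(stage)
        if key is None:
            findings.append(f"unknown stage: {stage}")
            continue
        expected = hmac.new(key, _payload(stage, r.get("subject"), r.get("claims")), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(r.get("sig", ""))):
            findings.append(f"bad signature: {stage}")
        elif r["subject"] != digest:
            findings.append(f"receipt for a different artifact: {stage}")
        else:
            seen.add(stage)
    return findings + [f"missing receipt: {s}" for s in REQUIRED_STAGES if s not in seen]

if __name__ == "__main__":
    artifact = b"constructed payment-service release bytes"
    digest = hashlib.sha256(artifact).hexdigest()
    chain = [sign_receipt(s, digest, {"tool": s}) for s in REQUIRED_STAGES]
    print(audit(artifact, chain))          # intact chain
    print(audit(artifact + b"!", chain))   # artifact changed after signing
```

A receipt only counts toward a stage when both its signature and its subject digest check out, so an edited scan report and a swapped binary are reported as different findings.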
The real opportunity here appears to be that of an emerging network effect: as more partners (Sonar, ServiceNow and others) integrate with JFrog's SLSA hub, their suite becomes increasingly valuable to customers, which in turn attracts even more partners to join the ecosystem.
As companies strive to comply with regulations, JFrog won't just be selling storage for their binaries—they'll be selling the compliance story that keeps CISOs sleeping soundly at night. This creates a natural pathway to upsell the entire JFrog suite, including Runtime, because once you're the keeper of cryptographic provenance, customers become reluctant to fragment their supply chain visibility. It's like becoming the notary public for the software world—not the most glamorous job, but absolutely essential and surprisingly difficult to replace.
JFrog is Playing Offensive When it Comes to Agentic Software Delivery
The software development bottleneck has fundamentally shifted in the AI era—what once took developers weeks to code now takes hours with AI assistance, but getting that code safely into production still requires the same weeks of manual security reviews, compliance checks, and release processes. This creates a new reality where the constraint has moved from code creation to everything else in the DevOps pipeline: testing, security scanning, compliance validation, and deployment orchestration. JFrog is making a strategic play to alleviate that constraint with the industry's first "agentic repository" (JFrog Fly), designed to allow software release cycles to continue at the speed of AI agents and rapid coding, ensuring productivity gains flow all the way through to deployment. JFrog Fly, built on top of JFrog's Artifactory, provides a semantically driven release and software delivery process with minimal setup and full integration with source code repositories like GitHub and IDEs like Cursor or Visual Studio.
It's an interesting move that positions JFrog not just as the keeper of software artifacts, but as the architect of AI-native development workflows—essentially becoming the infrastructure that enables developers to ship at the speed they can now think, rather than at the speed bureaucracy traditionally allows.
Bottom Line: The common thread here is clear: JFrog is positioning itself as the essential infrastructure layer for the next era of software development—whether that's compliance-driven enterprise requirements or AI-accelerated development cycles. There is much more to the story, but I don't want to go into a long ramble; that's for another day.
Customer Conversations
Large Telecommunication Company: We did buy Curation in July. When we first signed the contract without Curation, there was no budget. But then the CISO reached out to the CIO to ask why we don't have Curation, which led to the Curation deal over the summer. Very interested in AppTrust and being able to cryptographically sign artifacts and make sure no one tampers with the artifacts from build to production. JFrog Runtime will be crucial for it and we are looking into it.
Security Company: Using FROG for about 7 years but only using Artifactory with Xray. Getting interested in Advanced security after learning more at the conference.
Big Midwestern Insurance Company: Only using Artifactory. Getting interested in Advanced security. Also intrigued by the new AI and Agentic capabilities.


Amazing insight, thank you!