The Artifact Management Market Is Up For Grabs

The enterprise artifact management market - which has belonged for a while to JFrog and Sonatype - is now truly up for grabs.

Cloudsmith was built on the core principle that cloud-native architecture matters. So does simplicity in design and workflow. Partnerships matter, too. We’ve built a comprehensive platform that controls and secures every artifact as it’s built, scanned, signed, stored, and shipped across the software supply chain. We’ve tailored our product to the specific needs of large organizations, which support hundreds of software development teams, rely on a huge range of languages and formats, operate at massive scale, and need to ensure the provenance and integrity of artifacts entering their supply chain.

Our work is paying off. Today our product helps Fortune 500 and Global 2000 corporations, as well as independent software companies, build and distribute their software more securely and efficiently. Many of these customers migrated to Cloudsmith from the two primary legacy solutions on the market - JFrog’s Artifactory, and Sonatype’s Nexus. These customers came to us because they ran into challenges scaling to ever-increasing DevSecOps demands. They asked for a fully managed platform that just works, so they can focus on building software, not infrastructure, CDNs, or clusters. And they recognized Cloudsmith as a fresh, modern, developer-friendly, API-first experience. Cloudsmith is infrastructure you don’t have to think about.

A successful startup transitions into scale-up mode when it solves customer problems in new and innovative ways, and starts to win real market share. Cloudsmith has arrived here. We closed our Series B with TCV and Insight Partners earlier this year to fund our growth. We’re seeing incumbents take notice. We’re seeing analyst firms like Gartner and Forrester recognizing Cloudsmith as a new and legitimate candidate for enterprises with complex needs. JFrog CFO Ed Grabscheid confirmed our growing market share when he told investors at a Bank of America conference on June 5 that they see two main competitors: Sonatype and a “very, very small startup that is a cloud-native tool… not even worth mentioning the name,” starting to “kind of pop up.” I’m pretty sure he was talking about Cloudsmith.

We agree that large organizations are looking at three main options - JFrog, Sonatype, and Cloudsmith - for comprehensive artifact management. The artifact offerings from hyperscalers like Azure, AWS, and Google, as well as SDLC leaders like GitHub and GitLab, are limited to a handful of formats and use cases. They’re okay for small teams, but they’re not intended to scale across broad engineering organizations. We hear every day from JFrog and Sonatype customers who are curious if Cloudsmith is a viable alternative to their legacy vendor, and from platform engineering teams who recognize the benefits of a common internal set of universal artifact repositories.

I suppose it’s in the spirit of this head-to-head competition that JFrog recently published an analysis of our advanced security offerings. They didn’t reach out to us in advance, and appear to have based their findings on their use of a Cloudsmith self-service trial account. We would have been happy to help them make a more well-informed comparison! We think their conclusions are misleading or highly confused, and they got a lot flat-out wrong. Our solutions engineers love working with prospective Cloudsmith customers to showcase the actual capabilities of Cloudsmith, in a way that’s relevant to their company’s processes, scale, and needs.

There is one point in JFrog’s analysis of Cloudsmith that I found telling. They seem to fault our approach to artifact security scanning for relying on third-party industry vulnerability data. This outlook seems to align with JFrog’s general position on partnerships (that they’re bad for business). At that same Bank of America conference, JFrog’s CFO said that when it comes to security scanning, “point solutions” cannot operate without having a proxy to JFrog for access to the binary artifacts, which is true. He continued to say that “you could cut the oxygen off to these point solutions. We choose not to do that, but most customers see advantage to two things: consolidation, and to secure the most critical asset, which is your binary.”

We just have a different philosophy. We don’t think customers want their artifact management vendor to be their only source of vulnerability data and security scanning. In other words, not all JFrog Artifactory customers want to depend solely on JFrog Xray. We know that for sure, because they’ve told us. So we’re working hard to ensure Cloudsmith works well with commercial and open source security tools like ClamAV, Trivy, and Grype, as well as data sources like EPSS and CVSS, and we regularly incorporate their data into the metadata that’s available inside Cloudsmith repositories and exposed to our Enterprise Policy Manager (EPM). In this way, Cloudsmith is the control plane and the data plane for the entire software supply chain, but we don’t think we should be the sole provider of security data. We will not - to quote JFrog - “cut the oxygen off” from our partners in the ecosystem. We feel similarly about CI/CD, runtime scanning, observability, and hardened images; solving software supply chain security works best as a team sport.

If you want to see why so many companies are turning to Cloudsmith, we’d love to talk to you about what a modern, scalable, cloud-native artifact platform could look like for your organization.
