JFrog swampUP 2025: News and Updates Live From the Show Floor

 


JFrog’s annual user conference, swampUP 2025, is the ultimate gathering of the brightest minds in DevOps, DevSecOps, and MLOps, where they exchange ideas, insights and practical strategies for navigating this transformation while amplifying trust, traceability, and transparency in the era of intelligent software. Here are live keynote updates coming from the event in Napa, CA on September 9-10, 2025:


Make sure to refresh your browser to see the latest updates from Conference Day 2, September 10th, starting at 9:00 a.m. PT…

Conference Day 1, September 9th

[12 p.m.] Frog-Proof Security: Streamlining The Sec In DevSecOps

Asaf Karas | CTO, SVP JFrog Security at JFrog

Overview

What’s in store for Software Supply Chain security in 2026? With the types of software entering organizations ever-changing, and the volume ever-increasing, DevSecOps teams are facing new and complex questions at macro and micro levels: How can teams effectively control and curate what enters systems? How can remediation be accelerated while ensuring accuracy? How will the rising use of AI impact our threat landscape, and can DevOps and Security teams truly share ownership of this emerging reality without adding friction? While no one has a crystal ball, JFrog’s leading-edge research and impactful real-world insights provide clarity.

Attendees of this session gain critical foresight into the evolving and future software supply chain security challenges that will redefine how you operate. We dissect recent, high-impact supply chain attacks to reveal malicious threats, and crucially, equip you with practical, implementable solutions for mitigating both current and emerging risks. In a world being built for humans and machines side-by-side, your attack surface is morphing daily. In this session, we explore groundbreaking capabilities and new, exciting approaches that smoothly put the “Sec” back in DevSecOps.

Sound bites from the session

  • Asaf uses the Amazon Q incident as a real-life example of the threats that exist. In this case, it was a security vulnerability discovered within the Amazon Q Developer Extension for Visual Studio Code (VSC).
  • Attacks are constant — just this morning, the JFrog Security Research team discovered the largest NPM compromise in history.
  • Asaf details how potentially catastrophic situations can be avoided with JFrog Curation, which defends the software supply chain and enables the blocking of malicious or risky open-source packages before they even enter.
  • SLA times for fixing CVEs are constantly decreasing — Asaf notes that we need to focus on CVEs that are critical, those that can be exploited, and those actually running in production.
  • A full 73% of all CVEs don’t have an exploit, while 85% aren’t exploitable with common usage. At the same time, 90% of CVEs developers see are from transitive dependencies.
  • Asaf stresses the importance of actionable information when investigating vulnerabilities — the type of information provided by JFrog Advanced Security, Xray, and more.
  • Announcement: Asaf reveals JFrog’s Agentic Remediation, which helps developers identify and automatically fix vulnerabilities as they code.
  • Agentic Remediation unites JFrog’s Curation and Catalog capabilities with deep security research, MCP-based platform connectivity, and GitHub integration with Copilot AI assistant. Importantly, it doesn’t just find vulnerabilities, it helps developers fix them instantly and continuously.
  • JFrog’s Agentic Remediation is available now in GA!
  • That concludes the morning keynotes. After lunch, attendees will reconvene for specialized breakout sessions.

[11 a.m.] Reimagining Trust in Software Releases: A New Approach to Supply Chain Integrity

Eyal Dyment | VP, Security at JFrog
Yossi Shaul | SVP, DevOps at JFrog
Kristina Heidinger | Senior Product Manager, Supply Chain Security at GitHub
Dan McCall | VP of Product, ITSM at ServiceNow

Overview

Only secure, verified, compliant software should reach production. Full stop. With increasing pressure on modern development teams to deliver across security and compliance requirements, a fully-secured, attestable pipeline demands complete visibility and control across the entire release lifecycle in a single solution.

In this keynote session, we look at new innovations across JFrog security and platform teams, as well as industry advancements that enable a software supply chain security solution that is not just connected, but fully integrated and robust, and that meets the modern needs of a security-focused, EveryOps reality.

Attendees get an exclusive look at how this tectonic security shift reshapes what you thought you knew about application security and governance, helping you unlock new levels of confidence in every release.

Sound bites from the session

  • Eyal recalls the infamous Log4j vulnerability of 2021: “It got so bad that management teams had explaining to do to the board of directors, and some people lost their jobs — all because of a vulnerability that was mishandled.”
  • Fast-forward to 2025, and Eyal walks the swampUP crowd through how new vulnerabilities can be addressed within the JFrog Platform. He “calls” Yossi Shaul, JFrog’s SVP of DevOps, on the phone in a skit-like performance that demonstrates how a team might address a new vulnerability in real time.
  • Yossi (donning a sleep mask because the fictional “phone call” woke him up in the middle of the night) joins Eyal on stage and the two work together to address the newly discovered CVE.
  • Good news! They found a fix.
  • Uh oh: “Release from DEV to PROD failed.”
  • After more troubleshooting, the team finds a fix. The on-stage reenactment was a perfect demonstration of how application lifecycle management can be done right with JFrog: Fast. Effective. Trusted.
  • The duo makes another big announcement: JFrog AppTrust. It gives users full visibility, clear ownership and proven maturity over time. It automates evidence-based control throughout the SDLC.
  • At its core, AppTrust provides a comprehensive view of software security, quality, and performance metrics, alongside evidence-based policies and contextualized insights. The aim is to help DevOps and security teams seamlessly and cohesively govern enterprise applications.
  • Eyal shows attendees how AppTrust delivers minimal friction with adoption at your own pace.
  • Yossi details how AppTrust helps teams trust the application lifecycle with evidence: evidence about the process, and automated evidence-based control gates throughout the SDLC.
  • Yossi and Eyal then welcome to the stage GitHub’s Kristina Heidinger, Senior Product Manager for Supply Chain Security at GitHub, to discuss a new integration.
  • Heidinger says, “It’s all about proving the integrity of your software at deployment time.”
  • By combining the power of JFrog Software Supply Chain Security with GitHub, organizations can:
    • Safeguard against unsafe packages
    • Flag and fix vulnerable code automatically
    • Immunize code for future development using context-aware insights
  • Eyal on lifecycle policies: “We’ve built a new policy engine that’s built into the platform and allows you to set up policies based on your needs for security, governance and quality use cases.”
  • Following a short demo, Yossi and Eyal introduce Dan McCall, VP of Product, ITSM at ServiceNow.
  • McCall discusses the persistent challenge of balancing speed with resilience. “Developers want to move fast… Operations teams are tasked at keeping things stable… This tension is often seen as red tape across operations teams.”
  • McCall gives the crowd details on a new integration between ServiceNow and JFrog for unified application lifecycle management. Specifically, ServiceNow will share its change requests, approvals, and vulnerability exceptions as signed evidence in JFrog AppTrust.
  • Yossi and Eyal wrap up their session with this: The next time a vulnerability is introduced, you can now address it with trust.

[10:15 a.m.] Trusted AI at Scale: Secure Governance and Scalable Management for Your AI Models

Yuval Fernback | VP and CTO MLOps at JFrog
Adel El Hallak | Senior Director of Product Management for NVIDIA AI Enterprise at NVIDIA

Overview

As AI becomes an indispensable part of modern software applications, managing machine learning models with the same rigor as code and binaries is essential. Yet most organizations still treat models as ad-hoc assets: scattered, untracked, and inconsistently governed, creating potentially serious risks around security, compliance, and operational trust.

Reminiscent of yesterday’s OSS package gold rush, today’s ML/AI models can originate from many sources: custom-built, open-source, and third-party APIs, each with different risks, ownership boundaries, and lifecycle considerations.

In this session, we explore these emerging challenges, and show how advancements in JFrog ML and platform technologies are helping solve them. By treating every type of model as a first-class software artifact, attendees learn how to integrate model management into their existing DevSecOps pipeline, enable trust by providing visibility, traceability, and evidence-based policy enforcement, and bring the same governance and trust to AI that they already rely on for their software supply chain. It’s time to take back control of AI!

Sound bites from the session

  • Yuval says that by 2027, over 90% of new applications will include ML models. “This is something we’ve seen for a few years now.”
  • He says JFrog Artifactory can already manage machine learning artifacts, while the entire platform delivers end-to-end security across JFrog Curation, Xray, Advanced Security, and Runtime.
  • Yuval emphasizes the point that AI is growing at full speed. “New models are being launched daily,” he says. “The fact that AI keeps changing actually doesn’t make it easier for us to adopt it, it makes it harder because the pace of change means you also need to change your processes.”
  • He says the number of reported AI incidents is growing. “Attackers understand this is an emerging field.”
  • Yuval says JFrog has heard huge amounts of feedback on how difficult it is to manage ML models across teams in a standardized way. Challenges with adoption include the pace of innovation, governance and compliance, security, and the inherent new audience. “AI is not used by just data scientists anymore… now, AI is used and managed by anyone.”
  • Yuval announces a new product to address these challenges: The JFrog AI Catalog.
  • With the JFrog AI Catalog, teams can:
    • Discover secure models
    • Govern model usage
    • Consume and deploy models
  • The product is designed to help organizations keep pace with the rapid evolution of AI while maintaining top-level security and governance.
  • The crowd is buzzing as Yuval gives a short but detailed demonstration of the JFrog AI Catalog.
  • Yuval says that the JFrog AI Catalog is an easy way for teams to manage which AI models can be safely used. He teases a forthcoming JFrog solution: Shadow AI, which will discover AI usage in your artifacts and detect models and calls to external APIs. The capability is slated to be available during Q4 2025.
  • Yuval says, “To actually trust AI usage, you need to trust the entire AI lifecycle.”
  • Joining Yuval on stage: NVIDIA senior director of product Adel El Hallak.
  • El Hallak: “Performance is a key value prop to NIM.” He guides the crowd through the increased complexity of NIMs, which can create vulnerabilities.
  • El Hallak says that open-sourcing AI models doesn’t translate to value. “Agentic AI is here,” he says before turning the stage back over to Yuval.
  • Yuval finishes his session by alerting the crowd that JFrog AI Catalog is available now.

[9:45 a.m.] AI-Driven DevOps Unleashed: The Future Starts Here

Yoav Landman | Co-Founder and CTO at JFrog

Overview

The future of DevOps is being transformed with autonomous agents. As the world begins to focus on agentic-driven release management, we will soon experience agents driving crucial processes such as building, securing, and deploying packages alongside automated policy enforcement. These agents are not working in silos — they will be (and already are) communicating with one another, enabling real-time visibility and management of secure pipelines. In this landmark technical keynote, we reveal how JFrog is empowering teams to implement this modern approach to agentic software delivery – with minimal manual intervention, and with enhanced security – all in a streamlined release process without losing control!

Sound bites from the session

  • Yoav says the software supply chain is moving into the hands of developers. “It’s not only about the experience, it’s about the capabilities of AI.”
  • Interesting point: Yoav says that in 2023, AI solved 4.4% of coding problems. That number has jumped to nearly 75% in 2025.
  • Yoav: “We’re going to see an explosion of software releases, and this change will do to software delivery what software coding agents did to coding.”
  • Yoav touches on the “red light” of agentic software delivery. “You want to trust the decisions AI is making as much as you would trust a human being. But this is very challenging in our domain.”
  • When it comes to software versioning, “latest is king.” But this has made a handful of questions harder to answer, including what makes up a release? And how do I track it? Yoav says that one key is a system of record that manages agentic releases.
  • The goal: shift control closer to developers. Yoav announces JFrog Fly, the foundation of the next generation of the developer experience within the JFrog platform.

  • Yoav gives the crowd a short walkthrough of the new JFrog Fly, a zero-config, fully-transparent, agentic repository for accelerating modern, AI-driven software delivery.
  • JFrog Fly has the flexibility to integrate with other AI repos and platforms like Cursor, GitHub Copilot and Claude Code, using MCP (Model Context Protocol) standards. It ensures all agents operate consistently with context-aware decision-making across different systems.
  • Yoav says Fly will be integrated gradually into the JFrog Platform: “This is just the tip of the iceberg.” Attendees are invited to sign up for the beta waitlist.

[9:00 a.m.] Control. Shift. Deliver. Take Command of your Software Supply Chain

Shlomi Ben Haim | Co-Founder and CEO at JFrog
Tariq Shaukat | CEO at Sonar
Justin Boitano | VP of Enterprise AI at NVIDIA
Rahul Tripathi | GVP & GM, ITSM BU at ServiceNow

Sound bites from the session

  • swampUP 2025 is officially underway! “It’s where the shift happens.” CEO Shlomi Ben Haim takes the stage to touch on this year’s theme: Control. Shift. Deliver.
  • Shlomi says, “Security is embedded into what we do.”
  • He touches on “AI FOMO” — 40% of CIOs are saying they’re increasing budgets due to board-level pressure.
  • Shlomi asks the group, “Raise your hand if you already have AI embedded in your software supply chain.” (Nearly everyone raises their hands). “If you don’t, you can leave the room.” (Laughter ensues).
  • Shlomi: “Every foundational platform requires a single system of record. If you don’t have that, you don’t have an anchor to build a platform around.”
  • “The world is changing as we speak, and we already know there’s a new persona coming, and it’s not necessarily a human being. It’s an (AI) agent.”
  • Shlomi stresses that a foundational platform requires agentic practices, along with security, traceability and visibility in the AI era.
  • He says the software supply chain is being attacked daily. “We see JFrog as the system of record for your software supply chain.” He then introduces Tariq Shaukat, CEO of Sonar.
  • He asks Shaukat what he thinks about leaping forward into the world of AI. Shaukat says, “A lot will change, and a lot will stay the same. It’s never been about how fast developers type on a keyboard.”
  • “Trust, but verify — or in marketing-speak, ‘Vibe then verify’. We’re helping with that verification step as software is being written,” Shaukat adds.
  • Shlomi introduces his next guest: ServiceNow GVP and GM Rahul Tripathi.
  • Tripathi says, “One thing I’ve noticed running large DevOps teams is they want to move fast. But nobody wants to receive a notification that our software was breached… It’s about getting IT Ops moving at the speed of DevOps.”
  • Tripathi: “AI is everywhere. But how do you do governance across AI?”
  • Shlomi introduces a third special guest: NVIDIA VP of Enterprise AI Justin Boitano.
  • Boitano says in reflection, “We are a huge contributor to open-source software, but we realized the industry needs open models to move AI into data centers.”
  • Boitano: “A year ago, Jensen asked us to double the amount of chips we create as a company. And the only way we could do it is infusing AI across our lifecycles.”
  • Shlomi asks Boitano, “How important is it when you’re building models to optimize the hardware?” Boitano says if you can performance optimize the model, you can get 2X-3X token efficiency.
  • Shlomi then engages the group in a panel style discussion. Shaukat says, “The least interesting part of the job is how quickly you type code.” With this backdrop, he says the industry is entering a new and interesting era driven by AI.
  • Shlomi asks Boitano if he sees AI replacing human beings. His response is straightforward: “I think that’s over-hyped. We see it as improving productivity across the board.”
  • Shlomi on the one thing he sees as the difference on whether AI agents will replace developers: “The only people it will replace are those who don’t embrace the change.”
  • Shlomi: “These two days will be full of announcements that will change the software supply chain.” He concludes by thanking the crowd for attending: “May the FROG be with you.”