Training Day
October 20th
Tuesday
Conference Day 1
October 21st
Wednesday
Conference Day 2
October 22nd
Thursday
CyberFrog
Room
MatrixFrog
Room
NeoFrog
Room
TronFrog
Room
8:00 AM
8:00 AM
1 session
0
BREAK
Registration & Breakfast
8:00 AM – 9:00 AM
9:00 AM
9:00 AM
4 sessions
1
JFrog AI Masterclass: Governance & Security in the Agentic SDLC
Optimizing Management, Security, and Governance for every AI asset in the Agentic Workflows.
This course provides a deep dive into the industry's most complete AI registry solution. Learn how to transform your agentic supply chain by establishing a single system of record for centralized governance.
We will guide you from discovering hidden Shadow AI blind spots to building a trusted, unified organizational hub for managing ML models, MCP servers, and more.
What You Will Learn:
- Building a Unified AI Architecture: Discover how to use the JFrog AI Catalog as your centralized "Single Source of Truth" for AI Assets including Models, External Model APIs, MCPs and more
- Proactive Security & Scanning: Leverage JFrog’s advanced security features to detect Shadow AI usage, block malicious models, surface critical vulnerabilities (CVEs), and enforce strict license compliance
- Full-Spectrum AI Governance: Learn how to discover, curate, and "Allow List" approved AI assets using automated, enterprise-grade policy enforcement to stop non-compliant AI Assets at the gate
- Secure Agentic Workflows: Master the management of MCP servers to safely bridge AI assistants (like Cursor and Claude) with your private enterprise data - without compromising security or bypassing governance.
9:00 AM – 12:30 PM
2
JFrog at Global Scale: Architecting to Make the Complex Simple
Optimizing the Software Supply Chain Workflow, Multi-Site Sync, and Automated Policy Enforcement.
This full-day course covers follow the evolution of an organization. Learn to architect a unified platform that integrates disparate sites or teams, synchronizes artifacts globally, and enforces a "Trusted Release" lifecycle that evolves with the business at any scale. This will be a comprehensive deep dive into the latest JFrog Platform and capabilities.
What You Will Learn:
- Global Integration (Scale & Storage Optimization): How to implement Federated Repositories and JFrog Bridge for bi-directional synchronization and Advanced Retention Policies.
- Proactive Security & Remediation: Deploying JFrog Curation to block malicious packages at the perimeter and Frogbot for automated, developer-centric vulnerability patching within the SCM.
- Contextual Security & AI Governance: Utilizing Xray for runtime vulnerability prioritization and centralization the AI lifecycle via the JFrog AI Catalog to secure model usage and agentic workflows.
- AppTrust & The Trusted Release: How to master evidence-based governance using GraphQL and automated security gates to ensure only compliant, signed binaries reach production.
9:00 AM – 5:00 PM
3
Artifactory & Xray Automation Masterclass: Terraform & Advanced Orchestration
Advanced Lifecycle Automation using Terraform, JFrog MCP Server, and One Model GraphQL.
This session focuses on building a high-performance automation frameworks using Terraform and the JFrog CLI, enabling DevOps teams to orchestrate complex Project environments and AI workflows with zero manual friction.
What You Will Learn:
- Scalable Project Management: Implementing JFrog Projects to automate resource isolation, quota management, and delegated administration for growing organizations.
- The Terraform Blueprint: Master the JFrog Terraform Provider to provision repositories, security policies, and user permissions as a repeatable service.
- Use JFrog MCP Server to manage your software supply chain and security via natural language, right from your IDE.
- Advanced Querying & Auth: How to leverage One Model GraphQL Authentication to perform high-performance, cross-product queries - getting deep insights into artifact metadata and security evidence through a single, secure endpoint.
9:00 AM – 12:30 PM
4
JFrog Security Full Shift: Leveraging JFrog Curation for Automated Remediation
Combine JFrog Curation with local SAST (via MCP), Frogbot, and Snippet Detection to bridge the gap between policy enforcement and seamless violation fixes.
Course Objective - Learn to deploy a "Developer-First" security strategy that blocks malicious packages before they hit your cache and uses AI-powered agents to detect plagiarized code in real-time. Bridge the gap between Security and Development by stopping threats at the front door and automating fixes directly in the SCM.
What You Will Learn:
- JFrog Curation: How to proactively block malicious or non-compliant open-source packages at the point of download.
- IDE & Git Integration: How to use Frogbot to scan Pull Requests and provide instant feedback to developers before code is merged.
- Developer-Centric SAST: Identify "exposed secrets" and security flaws in proprietary code during the initial coding stage and apply agentic remidiation - with MCP.
- Early Remediation: Utilize JFrog’s contextual analysis to fix the most critical issues early, saving time upstream and reducing downstream friction.
9:00 AM – 12:30 PM
12:30 PM
12:30 PM
1 session
5
BREAK
Lunch
12:30 PM – 1:30 PM
1:30 PM
1:30 PM
3 sessions
6
AppTrust Essentials: Get CRA and SLSA Ready - Mastering DevGovOps & Supply Chain Integrity
Driving Compliant Releases with Evidence-Based Controls, Rego Policies, and ServiceNow Integration.
We will focus on the transition from reactive security to proactive, automated governance. This course provides the technical blueprint for using JFrog AppTrust as the orchestration layer for "Trusted Releases," binding technical security metadata to business-ready compliance evidence that satisfies NIST and CRA mandates.
What You Will Learn:
- Identity & provenance (SLSA): Using build attestations to cryptographically prove the origin and integrity of every artifact in your supply chain.
- Mastering the SBOM lifecycle: Generating, managing, and exporting enriched Software Bill of Materials (SBOMs) to meet global regulatory transparency requirements (RCA).
- Automated trust policies: Setting the "Minimum Bar" for your organization using policy as code to automate complex approval logic and security gates.
- ServiceNow ITSM integration: Automating the bridge between DevOps and IT operations by triggering ServiceNow change requests and status updates based on real-time security evidence and AppTrust gates.
1:30 PM – 5:00 PM
7
JFrog Multi-Site Architecture for the Agentic SDLC Era
Learn how to federate your Curation and govern your AI/ML and MCP-driven pipelines, at enterprise scale with zero downtime.
Agentic SDLC and AI-driven pipelines are only as reliable as the infrastructure underneath them. This session delivers a technical blueprint for building the resilient, high-availability JFrog platform global enterprises need - distributing artifacts fast, enforcing security uniformly, and never going down, whether serving traditional builds or ML model pipelines.
What You Will Learn:
- HA Clusters for Always-On Delivery: Tune multi-node environments for zero-downtime load balancing - the foundation for any agentic era CI/CD pipeline.
- Federated Repositories & Bi-Directional Sync: Real-time, multi-site synchronization across packages, containers and AI/ML models.
- Federated Curation & Unified Security Policies: Consistent governance across every global site - blocking malicious packages, ML models and any non-compliant AI assets at once.
- JFrog Bridge for restricted networks: Distribute artifacts and AI model updates across egress-only environments without compromising isolation.
- Disaster Recovery Architecture: Redundant failover protocols protecting mission-critical binaries and AI pipeline dependencies.
1:30 PM – 5:00 PM
8
Operationalizing Xray & Advanced Security: Embedding Continuous Security Across Your Artifact Lifecy
Transforming Threat Intelligence into Actionable Insights via the Security Dashboard
This course focuses on the Build and Runtime phases, ensuring that no artifact- no matter how it was created—moves to production without deep inspection and policy validation. You will be able to implement automated, continuous security guardrails across the entire software lifecycle.
What You Will Learn:
- Continuous Scanning: Automating Xray scans within CI/CD pipelines (Jenkins, GitHub Actions, etc.) to intercept compromised builds.
- Vulnerability Prioritization: Use Advanced Security to determine if a vulnerable component is actually reachable in your specific runtime environment.
- Compliance & Auditability: Utilizing Audit Events for Xray to ensure compliance accountability for all security actions.
1:30 PM – 5:00 PM
CyberFrog
Room
MatrixFrog
Room
NeoFrog
Room
TronFrog
Room
8:00 AM
8:00 AM
1 session
9
BREAK
Registration & Breakfast
Hop in, grab your badge, and fuel up. Coffee’s hot, breakfast is served,
and the day is ready to take off.
8:00 AM – 9:00 AM
9:00 AM
9:00 AM
1 session
10
Opening Keynote
Leap into the future of trusted software and AI with JFrog’s founders as they unpack how AI is reshaping the software supply chain. As autonomous agents move from assistants to builders… writing code, resolving dependencies, and producing binaries at machine speed. Join us to see how the rules of trust are being rewritten.
FrogHall
9:00 AM – 9:35 AM
9:35 AM
9:35 AM
1 session
11
The Agentic Software Supply Chain: Rebuilding the Trust Model
The world’s software supply chain has mutated. "Liquid Software" is here, delivered through binaries! Software now flows continuously: assembled, evolved, and deployed through streams of binaries at AI speed. Source code is no longer the center of gravity in a faster, more autonomous software factory. Coding agents are becoming true software agents pushing software forward faster than human-driven governance can track. This is the AI surge.
This shift breaks the trust model you have only recently finished building! The new, AI-powered supply chain instantly creates assets nobody has controlled before, and exposes attack surfaces nobody has secured before. Agents’ code and actions can create massive downstream impact in seconds, and the same AI capabilities that write code can also find and exploit vulnerabilities in it.
As software is assembled and shipped at agentic speed, trust has to move closer to the binary, the runtime, and every decision point in the pipeline, anchored to one single system of record for everything that ships.
In this landmark keynote, we'll show how JFrog has become your universal trust layer: securing and governing every package, model, AI asset, and release process across your software factory, at scale, regardless of the tools, agents, or pipelines you use.
FrogHall
9:35 AM – 10:15 AM
10:15 AM
10:15 AM
1 session
12
Frontier vs Frontier: Securing the Software Supply Chain in the Age of Autonomous AI
Frontier AI models now discover and chain software vulnerabilities at machine speed, with defenders and attackers having access to the same capabilities. Your organization’s traditional playbook of scan, alert, and manually patch can't keep up in this world of adversarial symmetry.
Defenses today require pre- and post-release protection anchored on a single system of record for every binary your organization produces and consumes, plus one source of truth where fixes and patches from every vendor are universally available. You need continuous healing at machine speed - fixes must happen in minutes, not weeks - and at scale!
In this keynote, we'll show why the only viable defense is a self-healing software supply chain that operates at the same speed and scale as the threat itself - automated, universal, and anchored on one system of record across the entire software lifecycle.
Every binary and every fix flows through one system of record, securing both sides of the software lifecycle in a single platform.
FrogHall
10:15 AM – 11:00 AM
11:00 AM
11:00 AM
1 session
13
BREAK
Coffee Break
11:00 AM – 11:20 AM
11:20 AM
11:20 AM
1 session
14
Managing Your Agentic Workforce: From Skills and AI Assets to Shipping
It's 10pm. Do you know what your agents are doing?
Picture this: your leadership needs to know which MCPs ran on your developers' machines last week, and which skills shaped the code they wrote. Meanwhile, you’re busy adopting coding agents as awesome “employees” faster than any tool in history, but with near blindness to their actions. That means that, for most of you, the honest, brutal answer to those 10pm demands is “I think I know” - but you also know that answer isn’t good enough.
It’s not just about code generation – it’s also about the consumption of assets and processes agents use to get there, including Models, Skills, MCPs, plugins, and more.
This session shows how JFrog extends the trust layer you already depend on across everything your agents touch. Not point fixes for one tool, but one proven approach that you use for your software already (and some ways you treat agents just like humans) applied universally. JFrog is the single source of truth for your entire agentic workforce, and you'll leave this session with a path from "I think I know" to "I know, because JFrog controls it."
FrogHall
11:20 AM – 11:50 AM
11:50 AM
11:50 AM
1 session
15
Shattering The Compliance Illusion: Your Path to Built in, Continuous, Automatic DevGovOps
You're running 2025 compliance practices against a 2027 threat model – and you’re losing the battle.
When compliance officers arrive, most organizations rely on a fragile trail of manual checks, screenshots, and email chains across weeks of time. The agentic era is breaking this “process” completely. Autonomous agents now commit code, open PRs, and deploy to production in minutes, sometimes with no human in the loop. When something goes wrong, there's no one to ask, no memory, and no evidence of what happened.
The process integrity of DevGovOps is the answer: compliance engineered into the pipeline itself from day one, not bolted on after release. With JFrog as the single source of truth for every artifact, evidence, and approval, you’ll learn how policy enforces itself and evidence collects itself in a continuous, automatic, and proven manner. All at the speed your teams want to ship.
FrogHall
11:50 AM – 12:30 PM
12:30 PM
12:30 PM
1 session
16
BREAK
Lunch
Take a breather, grab a bite, and make a few new connections.
12:30 PM – 1:30 PM
1:30 PM
1:30 PM
4 sessions
18
SEB’s Technical Transformation: Securing the Supply Chain
The growth of software supply chain security complexity and threats, especially with advanced AI models like Mythos and Fable, is driving a more urgent need for companies to fix vulnerabilities in their systems. In a big enterprise like SEB, the technical landscape is complex, with many technologies and tools in use and complex internal processes to meet regulations like DORA. This makes it even harder to cyber-secure the systems at speed.
This session will focus on SEB's current software supply chain security journey - the challenges, what was done, what they want to do, and the outcomes they hope to achieve through initiatives such as JFrog Curation and other security solutions.
1:30 PM – 2:15 PM
19
Achieving Scalable Security: Vanderlande’s Enterprise Journey to SaaS
Vanderlande, a global leader in logistics process automation for airports, warehousing, and parcel, has evolved from a traditional manufacturing powerhouse into a software-driven intelligent logistics solutions provider. This transformation created the need for a modern, secure, and scalable software supply chain.
Before their migration, Vanderlande operated three self-hosted JFrog instances across Veghel, Dortmund, and Quebec. This model created operational challenges around VM-based scaling, manual Xray operations, application upgrades, limited access segregation, shared internal accounts, and incomplete adoption of advanced security capabilities such as JFrog Curation and Xray. To support ISO-aligned security goals across 100+ global teams, we moved toward JFrog Artifactory SaaS and redesigned our operating model.
This session shares how Vanderlande migrated from a repo-stage model to a project-based governance model aligned with agile release trains. The company implemented SSO and AD-based access control, project-level ownership, service account standards, and regional JPD considerations for global performance.
A major focus of the journey was scaling advanced security. Vanderlande rolled out JFrog Curation and Xray policies across teams with different SDLC maturity levels and many legacy applications. Full-scale enablement surfaced thousands of legacy references, curation blocks, and Xray violations. Rather than relying on a big-bang blocking approach, they adopted a phased model using dry-run, notifications, waivers, ignore rules, and JIRA-based remediation. They also promoted shift-left practices using JFrog CLI, Curation audit, build scans, Frogbot, and release bundle workflows.
To manage the SaaS era, Vanderlande built custom Grafana dashboards using JFrog APIs for data transfer, storage hotspots, repository usage, and account privilege audits. These dashboards helped track monthly transfer volumes, optimize storage and retention, and identify over-privileged or incorrectly configured service accounts.
1:30 PM – 2:15 PM
20
JFrog Jumpstart Masterclass: Driving Successful Platform Adoption (By Invite Only)
Course Objective: This session focuses on guiding new JFrog customers through a practical, hands-on deployment framework moving organizations away from fragmented point solutions toward a unified, secure DevSecOps platform built on JFrog Artifactory, Xray, and Distribution.
What You Will Learn:
- Foundational Platform Architecture: Map organizational entities and business units to JFrog Projects, and design scalable repository structures with fine-tuned access controls for multi-team environments.
- Governed Security & Access Control: Establish promotion workflows that move artifacts safely from development to production, paired with standardized access controls as your repository footprint grows while configuring perimeter-level protection with JFrog Curation to block malicious or non-compliant packages before they ever reach local caches.
- Developer-Centric Onboarding: Use the JFrog CLI and onboarding templates to reduce friction, and shift security left with IDE-based SAST scanning and Frogbot integration in pull requests.
- Agentic AI & MCP Integration: Configure the JFrog MCP Server to securely expose Artifactory data as a context source for LLMs, enabling AI coding assistants to inspect packages, query dependency trees, and surface vulnerabilities through natural language.
This session includes hands-on labs throughout, giving you the opportunity to practice each concept directly in a live JFrog environment as you learn it.
1:30 PM – 2:15 PM
2:15 PM
2:15 PM
1 session
21
The Vulnerability Tsunami: Securing the Software Supply Chain at Scale
Over the past year, Nationwide moved beyond building a multi-cloud JFrog platform to solving a harder problem: operating a secure, compliant, and scalable software supply chain in the face of rapidly expanding threat volumes.
In this session, we'll discuss how Nationwide delivered a comprehensive supply chain security roadmap across a large regulated financial services organization. This includes token automation, hardened container images, Xray-based vulnerability management enforcement, artifact curation, and a fully evidence-driven approach to provenance, SBOMs, and signing.
The session will cover the rollout of JFrog Xray enforcement at scale, with centralized reporting, alerting, and managed dispensations, and the introduction of Curation as a secure-by-default control plane to protect the organization from malicious and vulnerable open source dependencies at the perimeter.
A key theme throughout is moving from visibility to enforcement. Nationwide uses JFrog Build Info as the authoritative record of build-time truth, binding together dependencies, provenance, scans, and attestations into enforceable policy decisions. At the same time, they are evolving SBOMs from static artifacts into operational control points, embedded into build pipelines, evidence services, and release governance.
Finally, this session will address the emerging challenge facing all organizations: the “tsunami" of vulnerabilities driven by AI-assisted development and increasingly complex dependency ecosystems. This is forcing a fundamental rethink in patching strategies, prioritization, and change management. We’ll share how the company is adapting its platform, processes, and operating model to cope with this shift at scale.
2:15 PM – 3:00 PM
3:00 PM
3:00 PM
1 session
22
BREAK
Coffee Break
3:00 PM – 3:30 PM
3:30 PM
3:30 PM
1 session
23
Release Lifecycle Management @ Alstom
This session will cover how
- Alstom deployed JFrog Artifactory to support large volumes (HA).
- The repository is structured in Artifactory
- Software is aggregated in release bundles, challenges we faced, and the pivot to AppTrust Evaluation.
- Artifactory is linked to the Alstom Configuration Management process.
- Alstom will distribute software to factories that are responsible for installing software.
Alstom leverages JFrog Artifactory as the central platform for software artifact storage, traceability, promotion, and release, integrated first with GitLab and progressively with configuration-management tooling such as IBM ELM/GCM.
3:30 PM – 4:15 PM
4:15 PM
4:15 PM
2 sessions
24
Designing DevSecOps for Reality: Bootstrapping a Secure Software Supply Chain
Most DevSecOps talks focus on finished implementations, but what about getting started in a real enterprise environment?
In this session, Vattenfall shares how they are designing and bootstrapping a secure software supply chain using JFrog Artifactory and Xray. We’ll walk through Vattenfall's current challenges, architectural decisions, and early implementation steps to integrate security into CI/CD and Kubernetes workflows.
Learn how Vattenfall approaches policy-as-code, automations, vulnerability management, and developer experience from day one, along with lessons learned, trade-offs, and pitfalls to avoid when moving from visibility to enforcement.
4:15 PM – 5:00 PM
25
Securing the Software Supply Chain Without Compromising Developer Experience - DevSecOps Journey
Software supply chain attacks are no longer theoretical. From dependency confusion to malicious packages slipping through undetected, the threat is real, active, and growing. Most organizations know they need to act, but the moment security starts slowing developers down, it stops being adopted. This tension is exactly what Husqvarna Group set out to solve.
Husqvarna's engineering organization spans a broad, multi-platform ecosystem across multiple languages and stacks. At this scale, the challenges are familiar to many - security tooling that grows organically, visibility fragmented across multiple screens and systems, and no single end-to-end view of supply chain risk. Developer experience feels the pressure of context-switching, alert fatigue, and security processes that drift away from how engineers actually work. Add CRA and NIS2 obligations to the mix, and the case for a more coherent, integrated approach becomes hard to ignore.
This session tells the story of how Husqvarna built a DevSecOps practice with one non-negotiable principle - security had to work with developers, not against them. That meant rethinking what shifting left actually looks like in practice and co-designing the workflow with engineering teams from day one, surfacing the right vulnerabilities in the right context, and distinguishing between what exists and what is actually applicable, so developers act on signal, not noise.
You'll leave this session with
- A clear picture of how JFrog Advanced Security and Curator can be applied in real enterprise use cases
- Practical lessons on co-designing security workflows that work for both developers and security teams
- An honest view of where the friction still lives and how we handled it
- A sense of how getting supply chain security right also quietly takes care of a lot of what compliance asks for.
4:15 PM – 5:00 PM
6:30 PM
6:30 PM
1 session
26
BREAK
Awards, Gala Dinner & Open Bar
Celebrate the best in the business. Join us for an immersive experience featuring our annual awards ceremony, followed by a gala dinner and open bar with industry pioneers.
6:30 PM – 9:30 PM
MatrixFrog
Room
TronFrog
Room
8:00 AM
8:00 AM
1 session
27
BREAK
Breakfast
Ease into the day… grab breakfast, reconnect with peers,
and get ready for what’s next.
8:00 AM – 9:00 AM
9:00 AM
9:00 AM
1 session
28
Morning Keynotes
Leap into the future of trusted software and AI with JFrog’s founders as they unpack how AI is reshaping the software supply chain. Watch as autonomous agents move from assistants to builders by writing code, resolving dependencies, and producing binaries at machine speed.
Join us to see how the rules of trust are being rewritten!
9:00 AM – 1:15 PM
1:15 PM
1:15 PM
1 session
29
BREAK
Lunch
Refuel, recharge, and reconnect before diving back in.
1:15 PM – 2:15 PM
2:15 PM
2:15 PM
2 sessions
30
From Nothing to (Almost) Everything - How Erste&Steiermärkische Bank Built Successful DevSecOps
It all started five years ago when Erste&Steiermärkische Bank's security team realized they had a serious problem. They had a lot of internally developed applications, including the core banking system, but literally had no application security team nor DevSecOps of any meaningful kind.
In the past five years, the bank has established an award-winning internal cyber security education program, won huge investment from the EU for co-financing development of cyber security capabilities, tested every open source and commercial security tool you can think of, and managed to change its whole security culture.
Today, developers and infrastructure colleagues actively participate in security matters and actually use all security tools implemented. Their internal security workshops are the most attended, and even other entities within our banking group consult with the bank's security team regarding their cybersecurity programs.
But it was not all wine and roses. There were many blockers and issues the security team needed to address to get to where they are now - from securing management backing, finding our way through a bureaucratic EU labyrinth, to winning the hearts and minds of our developers and changing their perspective of security.
This session will cover the bank's security team's journey: How they did it, what security tools were tested and why, how they are using them today, and where they are heading.
2:15 PM – 3:00 PM
31
From Prompt to Production: Making GenAI Code Enterprise-Ready with JFrog
GenAI is allowing the generation of new tools and code faster than ever. Very few organizations can ship it safely at scale. The real bottleneck is no longer writing code; it’s trusting it, securing it, and integrating it into a fully governed software supply chain.
This session will share how Admiral moved beyond experimentation to operationalize GenAI usage across the SDLC using JFrog as the control plane for trust, traceability, and flow. We'll show how GenAI-generated tools and code can be made trustworthy from the earliest stages of delivery, before it ever enters a pipeline, across the full developer workflow:
- From prompt to Skill, MCP context, prototype, and dependency choice through to commit, with visibility before code enters the pipeline
- Supported by curated package registries, reusable Skills, agents, and prompts that encourage sharing, reduce cognitive load, and improve developer flow across teams
- Continuously guided by JFrog Xray and Curation policies, then connected into CI/CD with less rework, clearer provenance, and smoother promotion when code is ready to release
We will walk through a practical flow demonstrating how
- Shifting left on DevEx when using GenAI enables both security and speed at scale
- AI-generated code and its dependencies enter the SDLC, and where JFrog intersects that flow
- JFrog XRay, Curation, and Artifactory enforce security, provenance, and policy
- Platform engineering enables all this consistently across teams
Critically, the session will focus on the human and business reality
- Developers gain speed, but need guardrails to feel safe.
- Organizations want innovation but can’t absorb unmanaged risk introduced by AI tooling and dependencies.
- Platform teams must scale both without becoming the new bottleneck.
We'll also discuss lessons learned from implementations at scale - what worked, what didn’t, and how to design a platform that allows GenAI to accelerate delivery without compromising trust.
2:15 PM – 3:00 PM
3:00 PM
3:00 PM
2 sessions
32
Trusted AI Delivery at Scale: Securing Every Artifact from Curation to AWS AgentCore
Our AI supply chain is only as trustworthy as its weakest artifact. As teams race to build and deploy AI agents, every dependency they pull- Python packages, container images, agent tooling- becomes an attack vector. A single poisoned package can compromise everything downstream, and most teams never see it coming.
This session walks through how JFrog's platform gives you complete chain-of-custody, from the moment a developer triggers a build in their local IDE to the moment an AI agent runs in production on Amazon Bedrock AgentCore.
We'll build a real Strands SDK agent in Kiro IDE, then trigger a single build command. The full supply-chain pipeline unfolds: Curation evaluates every pip package against policy before Artifactory caches it; Artifactory resolves only approved dependencies into the Docker image; Xray scans the resulting container and fails the build on critical vulnerabilities- blocking promotion to ECR. A known-vulnerable dependency in the requirements file stops the pipeline cold; the agent never reaches production.
Only when every gate is green does the image land on Amazon ECR and go live on AgentCore.
JFrog Curation, Artifactory, and Xray- three layers of trust, enforced automatically, invisible to the developer until something goes wrong. That's the point
3:00 PM – 3:45 PM
33
From Reactive to Proactive Product Security With JFrog
This session highlights Danfoss’ journey to strengthen software supply chain security, transitioning from a reactive, fragmented approach with limited visibility and high effort toward a more proactive and structured model, supported by JFrog.
Where We Started
The initial maturity level in software security was low and largely reactive. We were always responding to alerts without full visibility into potential impact or compromise. Significant time was spent on remediation efforts, often without certainty about whether development teams had been affected.
Communication challenges further compounded the problem, either overwhelming teams with too much information or failing to target the right stakeholders, leading to confusion and inefficiencies. At the same time, we were trying to balance security with developer productivity, ensuring that controls did not slow down delivery pipelines.
Where We Are Today
To address these challenges, Danfoss established the Digital Product Security Program (DPSP): a structured initiative designed to embed security directly into our development processes and products.
With the support of JFrog, we shifted earlier in the lifecycle and introduced preventive controls rather than late-stage remediation. This includes, but is not limited to:
- Preventing malicious or untrusted packages from entering the environment
- Blocking critical vulnerabilities (CVEs) early in the development lifecycle
- Implementing controlled and auditable exception handling processes
The Value of JFrog Support
An important enabler in this transformation has been the strong and responsive support from JFrog, which played a key role in:
- Providing best practices and guidance aligned with our goals
- Helping us fine-tune policies and controls to balance security with developer productivity
- Acting as a trusted partner in our ongoing journey toward proactive security
3:00 PM – 3:45 PM