Training Day: Tue, Sep 1
Conference Day 1: Wed, Sep 2
Conference Day 2: Thu, Sep 3
Rooms: CyberFrog, MatrixFrog, NeoFrog, TronFrog
7:00 AM
1 session
BREAK
Registration
7:00 AM – 8:30 AM
8:30 AM
4 sessions
Artifactory & Xray Automation Masterclass: Terraform & Advanced Orchestration
Advanced Lifecycle Automation using Terraform, JFrog MCP Server, and One Model GraphQL.
Course Objective: This session focuses on building high-performance automation frameworks using Terraform and the JFrog CLI, enabling DevOps teams to orchestrate complex Project environments and AI workflows with zero manual friction.
What You Will Learn:
- Scalable Project Management: Implementing JFrog Projects to automate resource isolation, quota management, and delegated administration for growing organizations.
- The Terraform Blueprint: Master the JFrog Terraform Provider to provision repositories, security policies, and user permissions as a repeatable service.
- Governing AI with MCP: Configuring the MCP (Model Context Protocol) Registry to automate the discovery and security of AI agents and tool servers.
- Advanced Querying & Auth: How to leverage One Model GraphQL Authentication to perform high-performance, cross-product queries—getting deep insights into artifact metadata and security evidence through a single, secure endpoint.
Who Should Sign Up:
- DevOps Engineers & SREs who want and need to move away from "ticket-based" work and implement a fully automated, self-service platform.
- Platform Architects designing the infrastructure for multi-team scalability and centralized security enforcement.
- System Administrators looking to integrate advanced GraphQL-based reporting and AI tool governance into their CI/CD pipelines.
Walk away with the knowledge to build production-ready Terraform automation frameworks that eliminate manual friction points in project environments and AI workflows.
8:30 AM – 12:00 PM
JFrog Security Full Shift: Leveraging JFrog Curation for Automated Remediation
Combine JFrog Curation with local SAST (via MCP), Frogbot, and Snippet Detection to bridge the gap between policy enforcement and seamless violation fixes.
Course Objective: Learn to deploy a "Developer-First" security strategy that blocks malicious packages before they hit your cache and uses AI-powered agents to detect plagiarized code in real-time. Bridge the gap between Security and Development by stopping threats at the front door and automating fixes directly in the SCM.
What You Will Learn
- JFrog Curation: How to proactively block malicious or non-compliant open-source packages at the point of download.
- IDE & Git Integration: How to use Frogbot to scan Pull Requests and provide instant feedback to developers before code is merged.
- Developer-Centric SAST: Identify "exposed secrets" and security flaws in proprietary code during the initial coding stage and apply agentic remediation with MCP.
- Early Remediation: Utilize JFrog’s contextual analysis to fix the most critical issues early, saving time upstream and reducing downstream friction.
Who Should Sign Up:
- AppSec Engineers looking to move from reactive scanning to proactive, automated policy enforcement at the entry point.
- Developers using AI-assisted coding tools who want to catch and fix vulnerabilities, secrets, and license risks directly in their IDE or PR.
- DevOps Leaders tasked with reducing MTTR (Mean Time to Remediation) by automating the "autofix" lifecycle for vulnerable packages.
Create Developer-First security strategies that stop malicious packages before they hit your cache, and see how to utilize AI-powered agents to detect plagiarized code in real-time.
8:30 AM – 12:00 PM
AppTrust Essentials: Get NIST & SLSA Ready: Mastering DevGovOps & Supply Chain Integrity
Driving Compliant Releases with Evidence-Based Controls, Rego Policies, and ServiceNow Integration.
Course Objective: Transition from reactive security to proactive, automated governance. This course provides the technical blueprint for using JFrog AppTrust as the orchestration layer for "Trusted Releases," binding technical security metadata to business-ready compliance evidence that satisfies NIST and CRA mandates.
What You Will Learn:
- Identity & Provenance (SLSA): Using build attestations to cryptographically prove the origin and integrity of every artifact in your supply chain.
- Mastering the SBOM Lifecycle: Generating, managing, and exporting enriched Software Bill of Materials (SBOMs) to meet global regulatory transparency requirements (NIST).
- Automated Trust Policies: Setting the "Minimum Bar" for your organization using Policy as Code to automate complex approval logic and security gates.
- ServiceNow ITSM Integration: Automating the bridge between DevOps and IT Operations by triggering ServiceNow Change Requests and status updates based on real-time security evidence and AppTrust gates.
Who Should Sign Up:
- Security Architects & Compliance Officers who are responsible for defining and enforcing software governance that meets strict NIST/CRA regulatory standards.
- DevOps & Platform Leads looking to implement standardized "Trust" workflows that integrate seamlessly with existing ServiceNow approval processes.
- System Administrators and technical leads responsible for ensuring the JFrog infrastructure supports automated trust checks and compliant artifact delivery without manual bottlenecks.
Architect a technical blueprint for using JFrog AppTrust as your orchestration layer for trusted releases, binding security metadata to compliance evidence that satisfies NIST, CRA, and other mandates.
8:30 AM – 12:00 PM
JFrog at Global Scale: Architecting to Make the Complex Simple
Optimizing the Software Supply Chain Workflow, Multi-Site Sync, and Automated Policy Enforcement.
Course Objective: This full-day course follows the evolution of an organization. Learn to architect a unified platform that integrates disparate sites or teams, synchronizes artifacts globally, and enforces a "Trusted Release" lifecycle that evolves with the business at any scale. This will be a comprehensive deep dive into the latest JFrog Platform and capabilities.
What You Will Learn:
- Global Integration (Scale & Storage Optimization): How to implement Federated Repositories and JFrog Bridge for bi-directional synchronization and Advanced Retention Policies.
- Proactive Security & Remediation: Deploying JFrog Curation to block malicious packages at the perimeter and Frogbot for automated, developer-centric vulnerability patching within the SCM.
- Contextual Security & AI Governance: Utilizing Xray for runtime vulnerability prioritization and centralizing the AI lifecycle via the JFrog AI Catalog to secure model usage and agentic workflows.
- AppTrust & The Trusted Release: How to master evidence-based governance using GraphQL and automated security gates to ensure only compliant, signed binaries reach production.
Who Should Sign Up:
- Platform Architects tasked with designing an end-to-end, "Secure-by-Design" software delivery pipeline.
- DevOps Leaders looking to standardize their global toolchain and eliminate fragmented "security silos."
- Security & Compliance Officers who need to implement automated, evidence-based governance across the entire software lifecycle.
Utilize the latest JFrog Platform capabilities to architect a unified environment that integrates disparate sites and teams, synchronizes artifacts globally, and enforces a Trusted Release lifecycle.
8:30 AM – 3:20 PM
12:00 PM
1 session
BREAK
Lunch
12:00 PM – 1:00 PM
1:00 PM
3 sessions
JFrog Enterprise and Multi-Site Synchronization
Optimizing Global Artifact Distribution and Bi-Directional Sync for Low-Latency Development.
Course Objective: This session focuses on how you can optimize download performance in Multi-site architecture by mastering Platform federation. The session will provide a technical blueprint for building a resilient, high-availability JFrog architecture that spans multiple regions and sites.
What You Will Learn:
- High Availability (HA) Clusters: How to tune multi-node environments for zero-downtime load balancing.
- Multisite use cases:
- Serving resilient production workloads using local SH/SaaS edge nodes and Release Bundle distribution.
- Synchronizing segregated networks over a uni-directional network (egress only) using JFrog Bridge.
- How to enable collaboration of Global dev teams using Platform federation and bi-directional federated repositories.
- How to enforce unified security across a global organization using federated curation and unified security policies and governance.
- How to architect redundant systems and failover protocols (DR) to protect mission-critical binaries and deployments.
Who Should Sign Up:
- Infrastructure Architects responsible for designing global, multi-region software distribution networks.
- Senior DevOps Engineers tasked with maintaining 99.99% availability for enterprise-scale JFrog deployments.
- IT Operations Leads looking to streamline global collaboration and ensure data consistency across international sites.
Leave this session with your own blueprint for a resilient, high-availability JFrog environment, built on Federated Repositories and multi-site replication.
1:00 PM – 4:30 PM
Intelligence-Driven Vulnerability Management: Context to Runtime
Embedding Continuous Security Across Your Artifact Lifecycle
Course Objective: Master the integration of vulnerability detection with contextual analysis to eliminate false positives and focus remediation efforts on exploitable risks. This advanced course teaches practitioners how to combine JFrog Xray's comprehensive artifact scanning with JFrog Advanced Security's Contextual Analysis, and JFrog Runtime's integrity validation capabilities to build an intelligence-driven security program.
What You Will Learn:
- Implement a unified approach across the entire software supply chain
- Using Xray for deep recursive scanning
- Leveraging Advanced Security to validate vulnerability applicability through contextual analysis
- Detect exposed secrets and Infrastructure as Code (IaC) misconfigurations
- Utilizing JFrog Runtime to verify artifact integrity and monitor which validated images are actually running in production environments.
Who Should Sign Up:
- DevOps Engineers responsible for building and maintaining secure automated pipelines.
- Security Engineers designing the end-to-end governance for the complete Software Supply Chain.
- Compliance Officers who need to ensure every production release has a clean bill of health.
By the end of this course, you'll implement proactive defenses that identify and block security exposures before deployment, while maintaining continuous runtime validation to ensure production artifacts match their scanned and approved sources in JFrog Artifactory.
1:00 PM – 4:30 PM
JFrog AI Masterclass: Governance & Security in the Agentic SDLC
Optimizing Management, Security, and Governance for every AI asset in the Agentic Workflows.
Course Objective: This course provides a deep dive into the industry's most complete AI registry solution. Learn how to transform your agentic supply chain by establishing a single system of record for centralized governance. We will guide you from discovering hidden Shadow AI blind spots to building a trusted, unified organizational hub for managing ML models, MCP servers, and more.
What You Will Learn:
- Building a Unified AI Architecture: Discover how to use the JFrog AI Catalog as your centralized "Single Source of Truth" for AI Assets including Models, External Model APIs, MCPs and more
- Proactive Security & Scanning: Leverage JFrog’s advanced security features to detect Shadow AI usage, block malicious models, surface critical vulnerabilities (CVEs), and enforce strict license compliance
- Full-Spectrum AI Governance: Learn how to discover, curate, and "Allow List" approved AI assets using automated, enterprise-grade policy enforcement to stop non-compliant AI Assets at the gate
- Secure Agentic Workflows: Master the management of MCP servers to safely bridge AI assistants (like Cursor and Claude) with your private enterprise data - without compromising security or bypassing governance
Who Should Sign Up:
- DevSecOps Engineers tasked with applying the same "Binary-First" approach to AI Agents as they do to traditional software artifacts.
- Software Engineers who want to safely integrate AI coding assistants (like Cursor) into their workflows using a single-line configuration to connect with vetted internal tools and MCP servers.
- DevOps Engineers designing the infrastructure to support secure and scalable AI workflows.
Take control of your agentic software supply chain with the industry's most complete AI registry solution. Learn to uncover Shadow AI blind spots to build a trusted, unified hub for governing AI models, MCP servers, and more.
1:00 PM – 4:30 PM
4:30 PM
1 session
BREAK
Welcome Reception
4:30 PM – 6:00 PM
Rooms: FrogHall, CyberFrog, MatrixFrog, NeoFrog, TronFrog
7:30 AM
1 session
BREAK
Registration & Breakfast
Hop in, grab your badge, and fuel up. Coffee’s hot, breakfast is served, and the day is ready to take off.
7:30 AM – 9:00 AM
9:30 AM
1 session
Morning Keynotes
Leap into the future of trusted software and AI with JFrog’s founders as they unpack how AI is reshaping the software supply chain. As autonomous agents move from assistants to builders… writing code, resolving dependencies, and producing binaries at machine speed. Join us to see how the rules of trust are being rewritten.
9:30 AM – 12:30 PM
12:30 PM
1 session
BREAK
Lunch
Take a breather, grab a bite, and make a few new connections.
12:30 PM – 1:30 PM
1:30 PM
3 sessions
From Artifacts to Agents: Turning Artifactory into an AI-Native DevOps Brain
AI agents are no longer experimental, they’re writing code, fixing vulnerabilities, generating infrastructure, and even orchestrating deployments. But as autonomy increases, one critical question emerges: What trusted intelligence are these agents using to make decisions? In the age of agent-driven DevOps, your artifact repository can no longer be passive storage. It must become an active, policy-aware intelligence layer.
In this session, we explore how JFrog Artifactory, powered by MCP (Model Context Protocol), transforms into the decision engine behind autonomous software delivery. By exposing secure, contextual, and policy-enforced artifact intelligence to AI agents, organizations can enable smarter dependency management, automated remediation, and trusted deployment gating without sacrificing governance or security.
We will discuss how Artifactory MCP enables AI agents to reason over artifact metadata, SBOMs, provenance, vulnerabilities, and promotion status, turning your software supply chain into an intelligent, self-improving system. This isn’t about replacing DevOps. It’s about evolving it, from automation to autonomy.
1:30 PM – 2:15 PM
One Pipeline for Everything: Extending GitOps to Your Hybrid Infrastructure
We’ve mastered GitOps for Kubernetes, but enterprise infrastructure remains complex. Outside the cluster, the smooth flow of 'Liquid Software' comes to a halt. Cloud infrastructure, serverless functions, and legacy systems remain tangled in delivery pipelines that don’t fully connect. In this talk, I’ll show why using GitOps only for Kubernetes is limiting, and how adding more isolated tools can actually hurt your software supply chain. Instead, we’ll look at how PipeCD, an open-source CNCF project, connects these separate systems by working closely with the JFrog Platform. PipeCD uses the same interface for different platforms, so it’s easier to deploy trusted binaries, OCI artifacts, and AI models from JFrog Artifactory across your stack. By combining Artifactory’s secure source of truth, JFrog Xray’s continuous scanning, and PipeCD’s unified delivery, you get a clear and practical way to extend GitOps beyond Kubernetes or build a single pipeline for a complex environment.
1:30 PM – 2:15 PM
Investor Hour (Invite Only)
A dedicated session for JFrog investors and financial analysts offering an opportunity to engage directly with company leadership on market trends, strategic priorities, growth opportunities, and JFrog's role in enabling trusted software and AI delivery at scale.
1:30 PM – 2:45 PM
2:30 PM
3 sessions
The AI-Augmented Developer: Automating Artifactory Lifecycle Management at Enterprise Scale
The role of the developer is fundamentally shifting from writing every line of code to orchestrating AI-powered automation. In this session, we demonstrate how Capital One built a self-service Artifactory platform for Docker repositories and our roadmap to scale it across all package types.
We built a tenant-isolated repository architecture for Docker that delivers end-to-end lifecycle automation:
- Self-service onboarding where teams create system accounts and onboard via our inbuilt CICD tooling
- Automated credential rotation using identity tokens via AWS Secrets Manager
- Promotion API for artifact promotion from Core to Edge environments
- Stale image tracking with automated notifications
- Delete APIs for lifecycle management and compliance with retention policies
- How we reduced Docker repository onboarding from weeks to minutes using AI-assisted development
- End-to-end artifact lifecycle: Onboard → Promote → Track → Archive
- Patterns for integrating AI into DevOps workflows while maintaining governance guardrails
Whether you're a platform engineer scaling Artifactory operations or a developer exploring the AI orchestrator mindset, this session provides practical patterns you can adopt immediately.
2:30 PM – 3:15 PM
From Sandbox to Supply Chain: Securing the Full Lifecycle of AI Agents
AI agents work on their own within the software supply chain. They run code, connect to external APIs, use models, and add dependencies, often without anyone checking their actions. To keep them secure, you need to look at both the sandbox they run in and the supply chain they use.
We explain both layers with clear architectures and tools. For execution, we show how agent sandboxes use VM or container isolation, live forking, and pause/resume features to limit access to agent infrastructure. For the supply chain, we describe how agent skills, MCP servers, and models are versioned, scanned, and managed in JFrog Artifactory and the MCP Registry. This helps close trust gaps that execution isolation alone cannot address.
The talk explains how these layers work together. Each agent runs in its own sandbox, uses only approved MCP servers, and gets models with verified origins from Artifactory. Agents also create artifacts with a full audit trail, all while keeping delivery fast. The session also looks at deployment patterns, policy enforcement, and threats to agentic supply chains.
Attendees will learn practical ways to secure agent workloads from end to end. The session gives clear, real-world steps for running agents securely and shows how JFrog's platform acts as a trusted link between agent execution and the software supply chain.
2:30 PM – 3:15 PM
From SBOM to Decision Intelligence: Turning Software Supply Chain Data into Actionable Risk Signals
Software Bill of Materials (SBOMs) have become a foundational building block for software supply chain transparency, yet most organizations still struggle to convert this data into meaningful security decisions. SBOMs provide visibility into components and dependencies, but they stop short of answering the most critical question: what should we do about it?
In this talk, we explore the gap between raw supply chain data and actionable decision-making in modern DevSecOps environments. Through research and real-world analysis, we break down why traditional SBOM-based approaches fail to support timely, risk-aware decisions at scale, especially in fast-moving CI/CD pipelines.
We introduce a decision intelligence approach to software supply chain security, where SBOM data is transformed into structured risk signals. This includes mapping vulnerabilities, dependency criticality, exploitability context, and policy constraints into a unified decision layer that can be consumed by engineering systems.
The session presents a practical framework for:
- Converting SBOM data into prioritized risk signals
- Reducing noise from vulnerability overload
- Enabling automated, policy-driven decision-making in pipelines
- Bridging the gap between security teams and engineering execution
By shifting from static visibility to dynamic decision intelligence, organizations can move beyond compliance-driven SBOM adoption and toward real-time, risk-aware software delivery.
2:30 PM – 3:15 PM
3:30 PM
4 sessions
Zero Trust for Build Pipelines: Closing the 55% Governance Gap
Your SBOM tells you what's inside the artifact. It tells you nothing about how it was built, who had access to the pipeline, or whether someone tampered with the process between commit and deploy.
In a 60-day research pilot across 30 repositories, 67% had configurations vulnerable to software supply chain compromise. Only 12% would have triggered an alert under SOC 2, SOX ITGC, or NIST 800-53. That leaves 55% of build pipeline risk completely invisible to existing governance.
Using the March 2026 Trivy supply chain attack as a case study, this talk demonstrates how mutable GitHub Actions tags enabled credential theft across thousands of pipelines, and how a single enforceable policy (SHA pinning) would have prevented it.
The session introduces a zero-trust framework for build pipeline governance built on four principles: Invisible Security (compliance as a side effect of shipping code), Forensic Attestation (a Build Chain of Custody record for every build), Blast Radius Control (instant forensic lookups across thousands of repos), and Compliance as Code (OPA/Rego policies mapped to 8 regulatory frameworks covering 100+ controls).
This is not a product pitch. This is original doctoral research, real production data, and a deployable framework for closing the governance gap that Trivy, SolarWinds, Codecov, 3CX, and Kaseya all exploited.
Attendees leave with: a taxonomy of pipeline risks outside current compliance frameworks, a working model for Build Chain of Custody as a forensic evidence standard, actionable OPA/Rego policy patterns, and compliance mappings across SOC 2, SOX, NIST, ISO, PCI-DSS, FedRAMP, CIS, and HIPAA.
3:30 PM – 4:10 PM
Wrangling Third Party Dependencies: Electric Sheep and JFrog
A talk about how we are working on curating our Third Party Dependencies using automation and JFrog products like Artifactory, Curation, Xray, and Advanced Security. What libraries are we using? What libraries are unsupported, abandoned, outdated, etc...? What open source tools can we leverage to help answer these questions and more?
Attendee Takeaways
Answers for the following questions:
- Why do we need to curate Third Party Dependencies?
- How to find what libraries we are using?
- What libraries are unsupported, abandoned, outdated, etc...?
- What open source tools can we leverage to help answer these questions and more?
- What JFrog products can we leverage to help answer these questions?
3:30 PM – 4:15 PM
Beyond the Binary: Scaling DevSecOps for the AI Agent Era
AI teams move at breakneck speed, but the artifacts they produce, from multi-GB models to complex agentic workflows, often break traditional DevSecOps pipelines. This friction leads to AI Fragmentation, where disconnected assets reach production without consistent visibility, scanning, or traceability.
In this session, we’ll show how to bring AI assets into DevSecOps without forcing AI teams to change their tools. We will showcase the JFrog AI Catalog as the central nervous system for your ecosystem—serving as a governed system of record for models, MCP servers, and agent skills.
You’ll see a live demo of JFrog Fast‑Lane, a new architecture designed to reduce the “large file tax” by accelerating the movement of multi-GB AI assets. We’ll also demonstrate how JFrog ML works in tandem with Xray to automatically detect, audit, and apply governance policies—allowing or blocking third-party models based on organizational compliance, ensuring only vetted versions are promoted to production.
What You’ll Learn:
- Accelerated Distribution: A deep dive into the Fast-Lane architecture, accelerating end‑to‑end traffic of multi‑GB AI assets like models and containerized AI services.
- The Power of the AI Catalog: How to treat AI assets as more than just binaries by tracking Model Cards, licensing, and metadata for both LLMs and Agentic tools.
- Active Governance & Security: How JFrog ML and Xray identify model usage and enforce allow/block policies to mitigate risk without slowing down innovation.
- The Enterprise Bridge: Best practices for proxying third-party model hubs while maintaining a local, governed, and auditable system of record.
3:30 PM – 4:15 PM
From 1,400 Users to Zero Tickets: How WEX Scaled JFrog with Fabric and an AI-Powered Gemini Gem
Managing JFrog Artifactory for 1,400+ developers across dozens of teams and hundreds of repositories is a massive operational challenge. At WEX Inc., our PaaS Engineering team solved this by building the Fabric ecosystem — a centralized, Terraform-driven platform that automates every aspect of Artifactory: repository provisioning, OIDC authentication, permissions, and CI/CD integration — all governed by a single "Fabric ID" per team.
But infrastructure automation alone didn't eliminate the support burden. Developers still filed hundreds of tickets asking how to authenticate, push artifacts, configure their pipelines, or debug 403 errors. So we built an AI-powered frontline support agent — a Google Gemini Gem — grounded entirely in our internal documentation and Fabric operational rules. Using GitHub Copilot and Confluence, we authored a comprehensive markdown knowledge base covering every JFrog workflow at WEX, then embedded it as the Gem's system prompt with strict guardrails: enforce WEX-specific policies over generic JFrog answers, never hallucinate URLs, and always direct users to the correct self-service path.
The result: an 80%+ reduction in internal JFrog support tickets. Developers now get instant, accurate, policy-compliant answers — from OIDC setup to repository provisioning to troubleshooting pipeline failures — without waiting for a human.
In this session, you'll learn: (1) how we architected Fabric to make JFrog administration scalable for a small platform team, (2) how we built and grounded the Gemini Gem with real operational knowledge, (3) the prompt engineering and guardrails that keep AI answers accurate and policy-safe, and (4) the measurable impact on developer experience and support load. Walk away with a playbook for combining JFrog platform automation with agentic AI support at enterprise scale.
3:30 PM – 4:15 PM
4:15 PM
1 session
Agent Package Manager, the new Agent Supply Chain
The key to powerful Agentic Workflows is not the harness you pick, but the tools, rules and capabilities you equip your harness with. Sharing and managing them across hundreds of developers and multiple agent environments felt like the wild wild west - until now.
Learn how to manage Agent Skills, MCP servers, rules and basically any Agent configuration primitive as portable, audited and governed dependencies. Thanks to Agent Package Manager (apm) and JFrog Artifactory, we'll show how to unlock distributing, standardizing and governing agent behavior at enterprise scale, so that you can enable your engineering teams while ensuring auditability and control on a critical piece of the arising Agent Supply Chain.
4:15 PM – 4:55 PM
5:00 PM
1 session
BREAK
Happy Hour
Time to unwind and celebrate. Great food, great vibes, and even better company.
5:00 PM – 7:00 PM
7:00 PM
1 session
BREAK
Swamp After Dark
Join us for a refined, immersive experience filled with conversation, celebration, and connection among industry leaders.
7:00 PM – 10:00 PM
Rooms: FrogHall, CyberFrog, MatrixFrog, NeoFrog, TronFrog
7:30 AM
1 session
BREAK
Registration & Breakfast
Ease into the day… grab breakfast, reconnect with peers, and get ready for what’s next.
7:30 AM – 9:00 AM
9:00 AM
1 session
Morning Keynotes
Start your day with fresh perspectives and bold ideas. See how teams are scaling trust across the software and AI supply chain.
9:00 AM – 12:00 PM
12:00 PM
1 session
BREAK
Lunch
Refuel, recharge, and reconnect before diving back in.
12:00 PM – 1:30 PM
1:30 PM
4 sessions
Human or Agent? Using Context Graphs to Govern Autonomous DevOps
As AI agents begin to write code, upgrade dependencies, remediate vulnerabilities, and propose deployments, organizations face a critical question: where should automation end and human oversight begin?
Today most CI/CD pipelines rely on static policies — manual approvals, fixed promotion gates, and rigid security rules. But these policies lack the context needed to distinguish between safe automation and risky changes.
In this session we explore how the software delivery lifecycle can be modeled as a Context Graph (https://metadataweekly.substack.com/p/context-graphs-are-a-trillion-dollar), connecting commits, builds, artifacts, dependencies, deployments, services, incidents, alerts, and human decisions into a single system of record.
By analyzing this graph over time, teams can learn which types of changes are safe for automation and which require human oversight. The result is a dynamic automation boundary that evolves as the system observes deployments, incidents, approvals, and rollbacks.
Through motivating examples and technical demos, we’ll show how this approach enables organizations to:
- leverage the rich data in the JFrog platform to build and maintain a Context Graph
- safely introduce AI agents into CI/CD pipelines
- identify critical infrastructure that requires human control
- automate low-risk changes while protecting high-impact systems
- continuously refine governance policies using operational data
The result is a new model for DevOps automation — one where the software supply chain becomes a learning system that determines when humans should intervene and when agents can act autonomously.
1:30 PM – 2:15 PM
Artifact Sprawl to Platform Discipline: Our 5M+ Artifact Journey with Artifactory & Xray
When our platform crossed 5 million artifacts, the real challenge wasn’t just storage volume, it was the operational complexity that came with it: too many repositories, frequent corruptions, inconsistent patterns, rising storage costs, and security scanning that produced more noise than action.
In this session, I’ll share our practical journey to building a leaner artifact delivery model using JFrog Artifactory with a focus on minimal configuration, controlled spend, and better developer experience. We’ll cover how we simplified our repository strategy, standardized lifecycle flows, reduced custom configuration, and introduced retention discipline, by aligning them to release decisions instead of just reporting dashboards.
This is not a “perfect architecture” talk, it’s a field-tested story of what worked, what didn’t, and the trade-offs we had to make to scale responsibly.
1:30 PM – 2:15 PM
Policy-as-Code at Agent Speed: Lifecycle Policy & AI-Assisted Rego
Agents don’t wait on compliance. In agentic delivery, you must prove what shipped was allowed - with defensible evidence.
When Artifactory is your org’s single source of truth for binaries, policy can be evaluated against what you actually run. Lifecycle Policy, the governance engine of JFrog AppTrust, turns intent into enforceable decisions across the lifecycle without asking every engineer to be a compliance expert.
This session is governance at agent speed - compressing intent → draft policy → evaluation → proof so teams can problem-solve when outcomes surprise them.
We will cover:
1. Lifecycle Policy in context - centralized policy when apps, pipelines, and controls must align; governance that is auditable, scoped, and repeatable in an agent-driven world.
2. AI Playground - natural language → Rego with iteration that matters because you can dry-run using evidence from your system of record, not toy examples - while keeping runs controlled and reviewable.
3. Authoring policy through an MCP server - how teams (and agents) can create and refine rules using tooling exposed via MCP.
4. Real application impact - allow/block/warn tied to gates, risk posture, and what app teams experience when rules fire.
5. Problem-solving on real evaluation outcomes - trace inputs and evidence against rule logic, adjust evidence as needed, and re-evaluate until the application-facing outcome matches intent.
1:30 PM – 2:15 PM
32
AI-Driven Cellular Architecture: Orchestrating a Predictive JFrog Fabric at scale
As enterprises scale, the traditional "One Big Cluster" approach to Artifactory becomes a bottleneck for performance and a risk for blast-radius incidents. Moving beyond static High-Availability setups, this session introduces a "Cellular Architecture" for the JFrog Artifactory Platform, now supercharged with AI-driven predictive orchestration. By decoupling Artifactory into specialized Kubernetes (K8s) clusters and using AI to forecast workload demands, we can achieve a platform that is both more resilient and significantly more cost-effective.
Key aspects:
- Predictive Autonomous Scaling: Moving from reactive to proactive by feeding the JFrog OpenMetrics API into an AI-driven forecasting model, the platform anticipates traffic spikes and pre-provisions K8s resources, achieving a 30%+ reduction in infrastructure overhead.
- Unified Identity Mesh: Leveraging JFrog Access Federation to synchronize security entities across distributed clusters. This ensures a seamless "Circle of Trust" for developers while maintaining strict infrastructure isolation between environments.
- Database Multiplexing & AI Tuning: Implementing Database Proxying combined with AI-driven parameter tuning to handle Artifactory’s high-concurrency requirements. This allows a leaner database footprint to support a massive fleet of pods, reducing connection overhead by 60%.
- Hardened Machine Authentication: A zero-trust model for thousands of concurrent automated jobs. Utilizing JFrog Reference Tokens integrated with Cloud-Native Secrets Management to eliminate plaintext secrets in build logs and automate token rotation at scale.
1:30 PM – 2:15 PM
2:30 PM
3 sessions
33
The Architect's Playbook: Unlocking the Full Potential of the JFrog Platform
Software delivery is accelerating in the age of AI, and the demands on every part of the SDLC are growing with it. For organizations using the JFrog Platform, this is the moment to move beyond artifact storage and start leveraging the platform as a central pillar of their software delivery strategy — a source of truth that drives decisions, enforces governance, and delivers measurable value.
In this session I'll share the architect's playbook — the best practices and advanced patterns we recommend in JFrog Professional Services, demonstrated live in the system. You'll see how to structure projects, repositories, lifecycle stages, and permission models for scalable governance and smooth team onboarding and asset sharing. How to use build-info, properties, and evidence to implement "build once" workflows where the platform makes dynamic promotion decisions mid-pipeline. How to work with the application entity and AppTrust to unify compliance and governance. How to avoid common performance traps and implement retention and cleanup strategies that keep the platform healthy at scale. And how to turn security data from Xray and Advanced Security into actionable findings routed to the right teams — and into KPIs and trend lines that give CISO offices and engineering leadership real visibility into security posture over time.
You'll walk away understanding which best practices matter most and why, where the biggest opportunities for improvement are across platform management, performance, governance, and value extraction — and with a practical blueprint you can start applying immediately.
2:30 PM – 3:15 PM
34
Inside Our Container Pipeline: A Developer's View of JFrog in Action
Container images are the backbone of modern application delivery, but building secure, traceable, and efficient container pipelines remains a challenge. In this session, we'll walk through real-world implementation of container build and deployment workflows using JFrog Artifactory integrated with CI/CD platforms.
You'll learn how to:
- Structure Docker repositories for dev, staging, and production workflows
- Implement automated container scanning and vulnerability management with JFrog Xray
- Create promotion pipelines that enforce security policies before production deployment
- Optimize build performance with layer caching and multi-stage builds
- Integrate JFrog CLI with GitHub Actions, GitLab CI, or Jenkins for seamless automation
Through live demonstrations and practical examples, we'll show how to transform manual container builds into a fully automated, secure supply chain. Whether you're just starting with containers or looking to mature your existing practices, you'll leave with actionable patterns you can implement immediately.
2:30 PM – 3:15 PM
35
SaaS Migration & Security Enablement
Candescent is a company composed of four viable business units, merged into one specific entity. The JFrog SaaS offering for Artifactory and Xray has become a core tool.
The Candescent staff members will discuss the details of the SaaS migration and security enablement, which took place while the company was still delivering to customers with critical data. JFrog Professional Services accelerated this effort, supported by Candescent team members. Minimizing impact was critical, and the best practices for doing this correctly deserve some discussion.
2:30 PM – 3:15 PM
3:30 PM
3 sessions
37
Open Source Culture Transformed Agentic Engineering
The open source contribution model is being disrupted — by AI agents.
Agents now open issues, author PRs, and iterate on review feedback autonomously. This isn't a future trend — teams are running agent loops against production codebases today.
## What's breaking:
* Provenance — agent-generated commits erode traceable authorship and accountability
* Maintainer capacity — one developer with good prompts generates ten PRs a day; review pipelines don't scale
* Trust — the norm that someone read this before it shipped is quietly eroding
## What's emerging:
* Spec-driven, agentic contribution as a first-class workflow
* AI-native CI/CD: autonomous agents iterating against PRDs end-to-end
* Benchmarked review tooling — precision, recall, F1 — applied to real codebases
**The opportunity:** Open source has always been where engineering practices are invented before enterprise adopts them. What gets standardised here — agentic governance, human-in-the-loop norms — will define how engineering organisations operate in coming years.
The developer role is shifting: from coder to supervisor. Define intent. Review outputs. Own what ships.
3:30 PM – 4:15 PM
4:15 PM
1 session
39
BREAK
Closing & Awards
We’ll wrap things up with key takeaways and celebrate the builders, innovators, and teams setting the standard for trusted software in this new AI era.
4:15 PM – 4:45 PM