The moat is real but medium-grade, built on workflow centrality and switching friction rather than monopoly or brand, and over the next three to five years it is contested at both ends, widening at the AI-governance edge while facing bundling erosion at the repository core. This is an infrastructure-embedded moat, not a consumer franchise.
Three sources of advantage are genuine. First, universality: JFrog's 2025 annual report describes Artifactory supporting Docker, OCI, Debian, RPM, Go, Helm, Kubernetes, npm, NuGet, Python, Java, Rust, NVIDIA NIM, and ML models, which makes it useful in heterogeneous estates without forcing one language, cloud, or stack. Second, switching friction: once the artifact system of record, security policies, and distribution logic are wired into CI/CD and release pipelines, replacement is operationally risky. Third, governance relevance, which is rising as the attack surface grows; Sonatype's 2026 report identified more than 454,600 new malicious packages in 2025, making a trusted internal gate more valuable, not less.
The retention data confirms the moat is currently intact. Gross retention was 97% and trailing net dollar retention was 120% in Q1 2026, with RPO up 36% to $574.9 million. Customers do not just stay; they expand. Those are the numbers of a sticky platform with real contractual depth.
The widening edge is AI-artifact governance. The MCP registry and Agent Skills Registry built with NVIDIA extend the artifact-control logic to a new class of objects, and if models and agents proliferate, the layer JFrog governs gets larger. That is a credible moat-deepening vector.
The narrowing risk is bundling, and it is structural rather than hypothetical. JFrog admits in its filings that public clouds may compete with a subset of its functionality. It does not own the developer front door the way Microsoft's GitHub does, nor the broader DevSecOps workflow the way GitLab wants to. A customer can love Artifactory and still rationalize spend across GitHub Packages, GitHub Advanced Security, GitLab security modules, or cloud-native registries if procurement wants fewer vendors. The repository layer can be sticky without being unassailable.
On balance the moat is more likely to hold than to break in three to five years, but it will be defended through expansion into governance rather than through pricing power on storage. The right tells to watch are Enterprise+ mix and the growth rate of $1 million-plus ARR customers; if both stall together, the moat is weakening at the high end where it matters most.