JFrog named leader in Gartner's software security quadrant
Tue, 23rd Jun 2026
JFrog has been named a Leader in Gartner's first Magic Quadrant for Software Supply Chain Security and ranked highest for Ability to Execute in the new category.
The recognition gives JFrog a prominent position in a market drawing increased attention as companies face rising risks across software development pipelines, open-source dependencies and AI-related assets.
Software supply chain security has climbed the agenda as attackers increasingly target the tools, packages and workflows used to create software, rather than only finished applications. The emergence of AI-generated code and wider use of machine learning models has added another layer of governance and oversight for large organisations.
JFrog's approach centres on managing and securing software artefacts, binaries and AI assets throughout development and deployment. Its platform is available in software-as-a-service, on-premises and hybrid formats.
The company highlighted several product areas that contributed to its market position, including software composition analysis, open-source licence compliance, third-party governance, software bill of materials management, threat intelligence and binary artefact management. It also pointed to tools designed to address the use of AI models and agent-based development in enterprise environments.
AI governance
JFrog linked its market position to a broader shift in security priorities as AI becomes more deeply embedded in software development. It argued that visibility over code repositories alone is no longer enough when organisations are also importing models, packages and automated tools from external sources.
JFrog cited findings from its 2026 Software Supply Chain Security State of the Union report showing rising pressure on development and security teams. The findings included 177,000 new malicious packages detected and a 451% year-on-year rise in malicious npm packages.
The report also found that attackers are targeting AI models, agentic tools and developer workflows, while many organisations continue to source AI models from untrusted repositories. According to JFrog, this has created a governance gap that many existing security tools do not address.
Several of the functions highlighted by JFrog reflect that concern. These include JFrog Curation, intended to block risky open-source components before they enter software environments, and JFrog AI Catalog and MCP Server, which applies existing software security controls to AI assets.
JFrog also pointed to JFrog AppTrust, designed to provide audit trails and policy enforcement records, along with expanded SBOM evidence functions supporting VEX (Vulnerability Exploitability eXchange) aligned to CycloneDX and SPDX 3.0. These features are aimed at customers and regulators seeking proof that vulnerabilities were assessed and risk decisions documented.
Executive view
Shlomi Ben Haim, Co-Founder and Chief Executive Officer of JFrog, said the company sees a structural change in how software engineering and security are converging.
"Software Engineering is evolving into Software Supply Chain Engineering. Today's developers and security teams carry a far greater responsibility: not only to build software, but to build software that can be trusted in a hybrid world of human and AI agents. While this is Gartner's first Magic Quadrant for this category, JFrog has been pioneering software supply chain security for years. We recognised early that speed alone is not enough - organisations need a holistic platform that delivers speed, security, and governance across the entire software lifecycle," Ben Haim said.
He also linked the shift to the growth of AI-assisted software creation and the resulting expansion of the attack surface.
"The AI era is accelerating software creation. Enterprises are shipping faster, and increasingly relying on AI-generated code, models, and autonomous flow. As a result, the applications and scanners themselves are no longer the primary target, but the software supply chain that creates and delivers it is. Organisations need a single source of truth that governs every binary, every package, every model, and every agent skill from the moment it enters the pipeline until the moment it runs in production. That is precisely what JFrog was built to deliver. We are honoured to be recognised by Gartner, not simply because we believe it validates our vision, but because it reflects the trust our customers place in us every day to secure and power the world's software supply chains," he said.
JFrog said it serves about 6,600 organisations worldwide, including a majority of the Fortune 100, underscoring the scale at which software supply chain controls are now being adopted.