- Author: 오늘의 바이브
From 37 in Four Trading Days

On the morning of February 20, 2026, Anthropic announced Claude Code Security. An AI-powered tool that scans codebases for security vulnerabilities and suggests patches. By market close, the entire cybersecurity sector was bleeding red. But one stock got hit far harder than the rest: JFrog (NASDAQ: FROG). Starting at 37.75**. A 24.6% drop. Roughly $2 billion in market cap, gone.
CrowdStrike fell 8%. Cloudflare dropped 8.1%. Okta lost 9.2%. The whole sector took a hit, but JFrog's decline was in a different league. Bank of America's report was blunt: Claude Code Security poses a "significant threat" to code scanning platforms, naming GitLab and JFrog specifically. The market priced that in immediately.
The question is obvious. CrowdStrike has an 120 billion. They fell single digits. Why did JFrog, a $530 million annual revenue company, lose a quarter of its value?
What JFrog Actually Does
JFrog is a software supply chain platform company. When developers write and build code, the resulting binaries (artifacts) need to be stored, managed, and distributed. That infrastructure is what JFrog provides. Its flagship product is JFrog Artifactory. Thousands of companies worldwide store Docker images, npm packages, Maven artifacts, and more in Artifactory. Think of it as the warehouse for the software supply chain.
But JFrog's growth strategy went beyond storage. After acquiring Xray in 2019, the company expanded into security scanning. JFrog Xray is an SCA (Software Composition Analysis) tool that scans artifacts for known vulnerabilities in open-source dependencies. They then added SAST (static analysis) capabilities, positioning themselves as a "security-built-in supply chain platform." As of Q4 2025, the end-to-end Enterprise+ subscription accounted for 57% of total revenue.
That security scanning business is exactly where Claude Code Security competes.
Pattern Matching vs. Reasoning

JFrog Xray and JFrog SAST work through rule-based pattern matching. They reference known CVE (Common Vulnerabilities and Exposures) databases and flag code or dependencies when a matching pattern is found. Typical SQL injection patterns, exposed API keys, outdated encryption algorithms. Snyk, Veracode, Checkmarx, and virtually every commercial security tool operate on the same principle.
Claude Code Security works differently. Claude Opus 4.6 reads and reasons about code like a human security researcher. It tracks how data flows through an application, understands interactions between components, and identifies business logic flaws. It can find vulnerabilities that don't exist in any pattern database.
The comparison:

| Dimension | JFrog Xray / SAST | Claude Code Security |
|---|---|---|
| Detection method | Rule-based pattern matching | AI reasoning-based code analysis |
| CVE detection | Depends on known vulnerability databases | Can detect unknown vulnerabilities |
| Business logic flaws | Cannot detect | Can detect |
| False positives | High (noise problem) | Self-review filtering |
| Patch suggestions | Limited | Generates specific patch code |
| Pricing model | Annual enterprise license | API call-based |

The 500+ high-risk vulnerabilities Anthropic found in open-source projects prove the gap. These codebases ran in production for years, sometimes decades. Snyk, Veracode, and similar tools scanned them repeatedly and missed every one. JFrog Xray would have missed them too. If it's not in the rules, it's invisible.
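To make "if it's not in the rules, it's invisible" concrete, here is an added example (not from the original article and not any vendor's code): a minimal signature-based scanner run over two constructed snippets. The rule IDs, regexes and sample code are hypothetical; the second sample contains a missing ownership check that no rule describes.

```python
import re

# Hypothetical rule set in the style of a signature-based scanner (constructed
# for illustration; not JFrog's, Snyk's or any vendor's actual rules).
RULES = [
    ("SQLI-CONCAT", re.compile(r"""execute\(\s*(f["']|["'][^"']*["']\s*(\+|%))""")),
    ("HARDCODED-KEY", re.compile(r"""(?i)(api_key|secret|token)\s*=\s*["'][A-Za-z0-9_\-]{16,}["']""")),
    ("WEAK-HASH", re.compile(r"hashlib\.(md5|sha1)\(")),
]

# Constructed sample 1: textbook flaws that match known signatures.
KNOWN_PATTERN_CODE = '''
API_KEY = "constructed_example_key_0001"
def find_user(db, name):
    return db.execute(f"SELECT * FROM users WHERE name = '{name}'")
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
'''

# Constructed sample 2: parameterized SQL, no secrets, no weak crypto, yet any
# authenticated user can refund any order because session_user_id is never
# compared with the order's user_id.
LOGIC_FLAW_CODE = '''
def refund(db, session_user_id, order_id):
    order = db.execute("SELECT id, user_id, total FROM orders WHERE id = ?", (order_id,)).fetchone()
    db.execute("UPDATE orders SET status = 'refunded' WHERE id = ?", (order_id,))
    return order["total"]
'''

def scan(source):
    """Return (line_number, rule_id) for every source line matching a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id))
    return findings

if __name__ == "__main__":
    print("known patterns:", scan(KNOWN_PATTERN_CODE))
    print("logic flaw:    ", scan(LOGIC_FLAW_CODE))
```

The first sample yields three findings; the second yields none, because catching it requires knowing that a refund must be tied to the order's owner, which is a property of the application rather than of any line's syntax.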
Why JFrog Got Hit Hardest
The entire security sector sold off, but JFrog's 25% crash was not random. There are structural reasons.
First, direct business overlap. CrowdStrike does runtime endpoint security. Okta handles authentication and access management. Zscaler runs zero trust networks. Their businesses are different domains from code scanning. But JFrog's Xray and SAST do exactly what Claude Code Security does: scan code and artifacts for vulnerabilities. JFrog is the company with the most direct overlap.
Second, scale mismatch. CrowdStrike generates 80 billion market cap. Code scanning is a tiny fraction of its business, so the impact is limited. JFrog generates 8 billion market cap (pre-crash). Security scanning is the core growth pillar of its platform strategy. When that pillar gets threatened, the entire growth narrative wobbles.
Third, valuation premium. JFrog traded at roughly 15x price-to-sales before the crash. That premium was built on the "security-built-in supply chain platform" expansion narrative. When evidence emerges that AI does security scanning better, the basis for that premium weakens. The higher the valuation, the harder the fall when the narrative cracks.

| Stock | Drop | Code scanning exposure |
|---|---|---|
| JFrog (FROG) | -24.6% | Core business |
| GitLab (GTLB) | -8.7% | Partial business |
| CrowdStrike (CRWD) | -8.0% | Indirect |
| Okta (OKTA) | -9.2% | Unrelated (sentiment contagion) |

Forrester's Jeff Pollard nailed it. The CrowdStrike, Okta, and Zscaler drops were "sentiment contagion", not direct threats. These companies don't do code analysis or fix vulnerabilities. JFrog, on the other hand, was assessed as having "specialized software supply chain controls directly threatened by AI agents that can autonomously identify vulnerabilities."
Wall Street's Split Verdict

After the 25% crash, Wall Street split into two camps.
The bearish view came from Bank of America. BofA explicitly stated Claude Code Security is a "significant threat" to code scanning platforms. They qualified it: "AI could improve efficiency in specific workflows, particularly code scanning, but does not now have the visibility, control, or reliability to replace end-to-end security platforms." JFrog and GitLab are at risk, but CrowdStrike and Zscaler are fine.
The bullish view came from Raymond James and Morgan Stanley. Raymond James maintained its Outperform rating, calling the sell-off "excessive" and pointing to JFrog's share buyback program as evidence of a buying opportunity. Morgan Stanley took a similar stance. JFrog's core business is storing, managing, and securing binaries, not source code analysis. The 23% decline was "materially overdone."
Who is right? Short-term, the bulls have a case. Claude Code Security is still in research preview. Artifactory was already critical infrastructure before JFrog ever added security scanning. Enterprises don't switch artifact management platforms overnight.
But long-term, BofA's concern carries weight. JFrog's growth narrative is "from repository to security platform." Enterprise+ subscriptions hitting 57% of revenue means customers are buying the security-inclusive bundle. If AI erodes the value of security scanning, the bundle's justification weakens too.
The Three-Way AI Security Race
JFrog's threat isn't just Anthropic. The AI security market is already a three-way race.
Anthropic Claude Code Security launched February 20, 2026 as a research preview. Built on Claude Opus 4.6, it found 500+ zero-days in open-source projects. Available to Enterprise and Team customers, with free priority access for open-source maintainers.
OpenAI Aardvark shipped four months earlier, in October 2025. A semantic analysis tool that embeds directly into CI/CD pipelines, integrated with Codex for in-workflow security review.
Google CodeMender takes a hybrid approach, combining Gemini's reasoning with traditional program analysis techniques.
All three AI giants have entered the code security market. That is not a coincidence. It signals this is a strategic industry direction, not one company's experiment. For JFrog, that means the competition isn't one player but three.
Forrester described it as "AI companies vying to compress the disruption window from years to months." Where cloud migration took a decade, AI-driven security market disruption could happen in months.
JFrog's Remaining Cards
Is JFrog getting fully replaced? Not yet. There are reasons.
First, Artifactory's moat. Artifact repositories have extremely high switching costs once adopted. Thousands of build pipelines, CI/CD configurations, and team workflows are tied to Artifactory. Claude Code Security, no matter how good, is not an Artifactory replacement. JFrog's foundation business remains solid.
Second, regulatory barriers. Enterprises in finance, healthcare, and defense require certifications like SOC 2, ISO 27001, and FedRAMP. JFrog holds these certifications. Claude Code Security getting the same approvals will take time. The more regulated the industry, the slower the adoption of new tools.
Third, integration strategy. JFrog doesn't have to treat AI as the enemy. Just as CrowdStrike integrated Charlotte AI into its platform, JFrog can integrate Claude Code Security or similar AI engines into Xray. DefectDojo already officially supports agentic security workflows with Claude Code integration. The existing security ecosystem is moving to absorb AI, not resist it.
But every one of these cards has an expiration date. When AI security tools move from research preview to general availability and secure FedRAMP certification, JFrog's security scanning premium faces fundamental revaluation. Whether the 25% drop that Morgan Stanley called "overdone" will still look overdone a year from now is anyone's guess.
How Fast Moats Crumble

JFrog's 25% crash is not just a stock event. It is a case study in how fast AI erodes the moats of specialized software companies.
When Claude Cowork was announced, Zoom dropped 11.5%. When Claude Code Security launched, JFrog dropped 25%. A pattern is forming. Every time an AI company enters a specific domain, the domain specialist takes the biggest hit. Large platforms absorb the shock through diversification. Companies concentrated in a single niche face existential questions.
Forrester called it the "SaaS-pocalypse." When AI companies bundle security capabilities into existing subscriptions, incumbents are forced to defend pricing mismatches at every renewal cycle. If cloud migration took a decade, AI-driven disruption could compress that into months.
Artifactory will survive. But the "security-built-in platform" premium narrative is under serious pressure. A 2 billion in market cap over a research preview tells you something about how fast software moats can crumble. This was not even a general availability launch. It was a preview. The real game has not started yet.
Sources:
- Anthropic Debuts Claude Code Security, JFrog Falls 25% — WinBuzzer
- Claude Code Security Triggers Cybersecurity Flash Crash — MarketMinute
- Cybersecurity stocks drop as new Anthropic tool fuels AI disruption fears — CNBC
- Claude Code Security Causes A SaaS-pocalypse In Cybersecurity — Forrester
- Making frontier cybersecurity capabilities available to defenders — Anthropic
- JFrog tumbles 25% after launch of Claude Code Security — Globes
- Why the JFrog sell-off is "excessive" according to Raymond James — Yahoo Finance
- JFrog Announces Fourth Quarter and Fiscal 2025 Results — JFrog