First Look at GitLab – the One DevOps Platform

GitLab stock has nearly doubled since bottoming in May and reporting strong Q1 FY2023 results on June 6th. Analysts followed through with Buy ratings and increased price targets. The stock has been on a downward trajectory since the IPO in October 2021 and is still more than 50% below its ATH price in November, a trait shared with many other software infrastructure plays. As we are three quarters into their life as a public company, I wanted to dig into the story and begin considering it for an investment. Personally, I have used the product with a previous engineering team and was impressed by the ease of use and integration of multiple steps in the software development lifecycle. Since then, GitLab has expanded their offering and is setting a broader vision to become the “One DevOps Platform”.

As I typically do, my focus will be on the product offering, platform roadmap, market position and competitive landscape. For a great summary of the financial drivers and some technical analysis, I recommend checking out this article from Cestrian Capital Research (who is also a sponsor). It provides a nice balance to my coverage for investors considering a position.

Current Product Offering

GitLab’s mission is to allow development teams to address all steps in the DevOps lifecycle through a single application with one user interface and a unified data store. This starts with project planning, code creation, packaging and builds, followed by automated testing, verifications and release. As the runtime for user-facing code, the production environment requires configuration, orchestration, performance monitoring, auditing and incident response when issues arise. And, of course, with the heightened security threat environment, applications must be secure, requiring runtimes and code to be free of vulnerabilities.

Opening Keynote, GitLab Commit Conference 2021

GitLab brings together development, operations and security teams, allowing them to plan, build, secure and deploy software. Extending the collaboration of development and operations teams (DevOps), security has become a shared responsibility from end to end, giving rise to the expanded organizational construct encapsulated in DevSecOps. Where GitLab uses the term DevOps, security is implied.

The first iteration of the GitLab DevOps platform was much simpler and included only the Create and Verify steps. These represented the combination of their two open source projects GitLab Source Code Management and GitLab Continuous Integration. Just combining those two steps created significant value for development teams, as these steps required interacting with two separate tools with different logins, management consoles, integration points, etc. That separation existed whether the team was using both tools from GitLab or point solutions like GitHub (source code) and Jenkins (CI/CD).

From that integration, the GitLab team has continued their trajectory of building and integrating tools into a single platform to cover all steps in the DevOps lifecycle. At this point, the GitLab team identifies 10 steps of the Software Development Lifecycle (SDLC) that they consider within scope. Each step encompasses a set of features to make it an effective and complete function for DevSecOps organizations.

  • Plan. GitLab supports the software project planning process across multiple methodologies (Waterfall, Scrum, Kanban, etc.). For each methodology, they offer the standard planning artifacts, like project milestones, epics and tasks. Teams can easily organize, align and track project work in a shared interface. This helps the project team ensure that everyone is working on the right task at the right time. Project work items and artifacts can be traced through the delivery lifecycle from initiation to production.
  • Create. This is the step in which the code is created. Teams can write, share, view and manage code. The system keeps track of commits, branches and merges, with useful tools to resolve conflicts and streamline coordination between team members. Teams can cooperate on code changes through code review tools.
  • Verify. The focus of the Verify step is to maintain code quality by facilitating automated testing and reporting. To support this, GitLab provides a baseline of automation for builds, integration and code verification. These verifications include unit/functional testing, static analysis, security testing, dynamic analysis and code quality checks. Builds are separated into pipelines, so that testing and integration are performed in parallel.
  • Package. After integration testing passes, GitLab enables teams to package applications with all dependencies into build artifacts for deployment. The package registry is preconfigured to work with GitLab source control management and CI/CD pipelines. This step also oversees the software supply chain, ensuring the integrity of third party packages.
  • Secure. This step layers security into the development lifecycle. The platform provides Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning and Dependency Scanning. These functions all examine source and infrastructure configuration code to surface vulnerabilities in applications. This step also addresses licensing compliance for third party packages.
  • Release. Once code has been built, tested and secured, it is ready for release to production. GitLab helps automate the release and delivery of applications across deployments of thousands of servers. Continuous Delivery (CD) is built into the pipeline, supporting different environments like staging, production and even canary. It also supports feature flags, auditing and on-demand environments.
  • Configure. GitLab helps teams manage and configure their application environments. This includes deep integration with Kubernetes and protecting infrastructure configuration details from hackers. Password and login information is secured in vaults to limit access to only authorized users and processes.
  • Monitor. The purpose of the Monitor step is to reduce the severity and frequency of service impacting incidents. GitLab can alert users when issues arise, facilitate their investigation and triage and coordinate the response. The platform allows metrics charts from external monitoring tools like Grafana and Prometheus to be embedded into incident tracking. It also manages on-call scheduling and escalation policies.
  • Protect. GitLab provides tools to discover and protect production software from vulnerabilities. It can scan cloud native environments, like Docker containers, for vulnerabilities and even manage downloading a patch to address any issues. Security teams can also apply policies for GitLab projects to Kubernetes clusters. These might include requiring approvals in order to make a configuration change or utilize a new software package.
  • Manage. GitLab provides visibility into how the software delivery lifecycle is performing as a whole. Teams can set up metrics to monitor steps in the process to optimize their overall delivery velocity. To help executives determine the value of software development and delivery efforts, GitLab provides tools for value stream management.

For all these steps of the SDLC, the platform can be deployed in two configurations. The first is Self-Managed, in which the customer downloads the software package from GitLab and deploys it themselves in their cloud environment or private data center. According to GitLab, the majority of these self-managed installations are running in the public cloud. This provides customers with the benefit of full control over their environment and may be a requirement for customers handling sensitive data.

The other deployment configuration is using the SaaS model, in which GitLab hosts and manages the customer’s software instance for them. This allows the customer to avoid having to maintain their own staff to configure, troubleshoot and manage the GitLab installation. In Q1, GitLab reported that 39% of ARR came from the SaaS deployment, up from 26% a year ago. The cloud-hosted version has the benefit of recurring revenue. The core software is the same for either deployment method, so there is no additional R&D cost to GitLab, beyond the overhead of maintaining the hosted service (captured in cost of sale).

Scope

GitLab’s vision represents a lot of ground, especially considering that they started with just the Create and Verify steps. If we examine the full scope of functionality that GitLab aspires to address, they may butt up against space occupied by leading security, infrastructure and observability vendors. GitLab provides the full set of targeted features by SDLC step on their web site.

GitLab Web Site

This product scope is enormous and has the potential to unlock a very large addressable market. Their foundation in source code management provides a strong base as a “system of record” from which to expand into all of these adjacent functions. All of their targeted steps and features can be tied back to source code in some manner.

GitLab does run the risk of trying to address too much and providing a light version of feature areas outside of core planning, code and build functionality. If we look at some of the feature areas under each category, I can identify the following areas of competitive overlap:

  • Secrets, IaC: Hashicorp
  • Product Analytics: Amplitude
  • Metrics, Tracing, Error Tracking: Datadog, Dynatrace, Splunk
  • Incident Management, On-call schedule: PagerDuty
  • Security, Protect: Snyk, Crowdstrike, Zscaler, Cloudflare, etc.
  • Package Management and Configuration: JFrog, Hashicorp

This list also doesn’t include the other full-featured developer platforms like Microsoft and Atlassian, which offer products that span multiple steps of the SDLC as well.

In spite of this broad scope, GitLab leadership contends they can roll out new features quickly, as a consequence of their open core model. The CEO feels that their foundation as a system of record in source control provides an advantage to move upmarket into these other phases of the software lifecycle. Due to their functions in Plan, Create and Verify, a platform like GitLab is where developers already spend the majority of their time. From this single pane of glass, they logically could extend into other areas of interest for DevSecOps and the full software lifecycle.

It’s also worth noting that GitLab maintains many integrations and partnerships with various third party software vendors. In some cases, it appears they have an understanding of where GitLab stops and the partner solution starts. For example, Datadog and PagerDuty were both Bronze sponsors of the 2021 GitLab Commit user conference. While Azure is an integration partner, they were not listed as a sponsor, likely due to the competitive position with GitHub.

GitLab Commit 2021, Sponsor List

As I’ll discuss, this broad vision for the GitLab One DevOps Platform represents both a big opportunity and a big risk for the company. On one hand, they risk addressing too many segments of the software development value chain and offering a marginal solution in each. This may continue a preference by customers for deep point solutions in critical categories like observability and security. On the other hand, if GitLab can achieve relative feature parity in all steps of the DevOps process, they would unlock an enormous addressable market from an attentive and captive user audience on a single unified platform.


Advantages

GitLab’s sales proposition addresses a couple of levers within development organizations. Most teams have cobbled together a number of open source and Do-It-Yourself (DIY) solutions to address the various steps discussed above in the software development lifecycle. This is particularly true for those steps close to the development environment, like Create, Verify and Package. GitLab makes the argument that teams benefit from a single platform, with a single interface and one data set. This makes a lot of sense in practice.

To quantify the benefit, GitLab conducted a study with Forrester Consulting to determine the expected return for an organization by moving to the GitLab platform. They estimated the benefit to represent a 407% ROI within three years of deployment. This implies that every $1 of spend on GitLab will return over $4 in cost savings and productivity improvements. Costs are reduced by eliminating multiple point solution licenses and lowering the overhead of stitching together disparate tools. Benefits are accrued through higher productivity of developers (single interface, login, admin console) and increased revenue from faster feature release cycles.

GitLab Investor Presentation, Q1 FY2023

Organizations can easily start with one step or function within the SDLC, like source control management. From there, they get access to tools in the other steps and often experiment with those as the integration makes that easy. GitLab claims that on average customers replace four point solutions a year over a three year period. This factor is what drives GitLab’s strong DBNRR, which was 152% in Q4 and reported as greater than 130% for Q1.

Like other open source products, GitLab has a large stable of free users. These individuals get access to the basic feature set across all steps in the SDLC. As these users become comfortable with the GitLab toolset, they are more likely to convince their management team to upgrade to a paid version to unlock more features. They may also become familiar with the GitLab platform as a free user at school or through personal use and then bring the commercial license to their new enterprise development job.

Once introduced to an enterprise development team, GitLab often benefits from a viral effect. It starts to be adopted by multiple teams, pulling in more individuals as it replaces additional open source or DIY tools. Because of the collaborative nature of planning, testing and monitoring, teams outside of development naturally become users.

The benefits to enterprises in cost savings, productivity gains and expansion effects were highlighted in several examples provided by the GitLab team during the Q1 earnings report and last year’s user conference. Here are some examples:

  • T-Mobile. Migrated their team of 8,500 developers from a set of point solutions to GitLab SaaS Premium. Increased developer output, achieving 3M CI/CD jobs run monthly. This resulted in a 10x increase in production deployments, delivering changes and features to customers faster. Bug fixes were addressed within 3 weeks on average versus 3-6 months previously.
  • UBS. Migrated 12,000 users and 54,000 source code repos from two legacy point solutions to GitLab Ultimate self-managed platform. Reported increased productivity and accelerated deployments across all environments. Also scaled up to 3M CI/CD jobs a month.
  • Ticketmaster. Started with GitLab for code review and Git history, and then adopted GitLab CI tools, resulting in faster cycle times and quicker release turn-around. They reduced their build times to less than 8 minutes and increased the frequency of mobile app releases to weekly, which was a long-standing goal.
  • Goldman Sachs. Sped up their builds, allowing them to surpass 1,000 builds a day. Accelerated their release cycle from two weeks to just a few minutes. Have had over 1,500 platform adopters.
  • Trendyol. As the largest e-commerce company in Turkey, they serve more than 30M shoppers every day. Adopted GitLab Premium to simplify operations and organize under a single platform. As a result, they experienced a 30% improvement in developer productivity and a 60% reduction in build times. Further, they reduced the time to build and release a new application by 50%.

The advantage for development teams is that all these functions are integrated into a single tool, with one user interface and data set. GitLab claims that this has significant value for customers in time and cost reduction. These examples demonstrate some of the benefits achieved.

Monetization

The base GitLab product is an open source project. It can be downloaded and self-hosted on a user’s own servers, in a container or on a cloud provider. There are distributions available for all flavors of Linux, as well as distributions targeted at each of the hyperscalers. All of GitLab’s code is source-available and the open source components of GitLab are published under the MIT open source license (which is permissive with limited restrictions on re-use). The open source distribution can be downloaded from the GitLab web site and contains all the same features as the Free tier.

When determining what distribution to download, the user is faced with the decision to utilize the Community Edition or the Enterprise Edition. The Community Edition is pure open source with only the free tier features available. Add-on features would not be available in the future from this edition. The other option is to download the Enterprise Edition. This includes all paid features as well. There is a free tier available (without paid features) that matches the Community Edition. However, the code in the Enterprise Edition is understandably not open source (source available), as it includes the code that makes up GitLab’s proprietary and commercial feature set.

GitLab Distributions, Web Site

This approach aligns GitLab with the open core software distribution model. Open core provides the ability to view all source code, but only the core feature set is open source (meaning it can be reused). The open core model provides the developer of the project with the ability to monetize their open source project and prevents other companies from hosting it. This model is generally used by other software companies that maintain an open source project but also want to generate revenue from add-on features. Examples are Elastic, MongoDB and Confluent.

GitLab’s other option for distribution instead of self-hosting is to adopt the SaaS version. Like other managed services, this offers the benefit of not having to provision and maintain servers, as well as retain staff with expertise in Linux and system configuration. Activation of the SaaS version involves a simple registration process. They offer a 30 day free trial that includes all paid features.

In either case, the user will eventually decide if they want to take advantage of GitLab’s paid features. This is how GitLab generates revenue. The features are designed and packaged in a way that creates significant value for larger organizations, versus the needs of an individual developer who isn’t operating a business.

GitLab Investor Presentation, Q1 FY2023

There are two paid tiers currently, Premium and Ultimate. They are both sold on a per user basis (similar to other SaaS products). With GitLab, all users must be on the same tier. Even though they advertise a monthly cost, customers are billed annually at a rate of 12x the listed monthly rate ($228 for Premium and $1,188 for Ultimate).

While those price points don’t sound like a lot, just 1,000 users on Ultimate would represent over $1M a year in ARR. The UBS installation cited earlier would generate over $14M in ARR at list price. Granted, with 12,000 Ultimate users UBS likely negotiated some sort of volume discount, but we can appreciate the scale possible with this tool. On the earnings call, management highlighted a North American based technology company that uses GitLab primarily for the SCM and CI/CD capabilities. That customer now has over 18,000 Premium seats, which would represent $4.1M in ARR.

During the Q1 earnings call, management pointed out that Ultimate is the fastest growing tier. It now represents 39% of ARR, compared with 26% of ARR for Q1 of FY 2022. ARR for that tier continues to grow in excess of 100% annually. Ultimate is designed to appeal to enterprise customers with large DevSecOps organizations. This allows GitLab to benefit from large lands as these customers engage and a strong expand motion as they transition more teams to the platform and add more users.

In terms of the differences between the two paid tiers, GitLab Premium is the first step up for an organization that spans multiple teams. The add-on features focus on collaboration, enabling workflows like faster code reviews, advanced CI/CD, enterprise agile planning and release controls. It also adds enterprise level features like priority support, upgrade assistance and assigns a technical account manager. For self-managed installations, GitLab adds readiness features like high availability and disaster recovery.

GitLab Ultimate targets organizations that need the team collaboration and delivery features associated with Premium, with the addition of advanced security capabilities, risk mitigation, compliance, portfolio management and value stream management. In addition, GitLab Ultimate allows for free guest user licenses to extend license usage to users with minimal interaction with the system. This is important to enterprises with external partners, temporary workers and ancillary departments that just need read-only access.

Product Roadmap

GitLab’s platform initially started by combining source code management (SCM) with Continuous Integration (CI). While that may sound like a minor change on the surface, for the industry it represented a significant improvement, as these tools were generally separated (like SCM in git and CI on Jenkins). That required teams to manage two different tools – effectively doubling the work. Each required configuration, had a separate admin interface, reports, tracking, etc.

By combining the two, engineering teams could utilize a single interface to manage their code and run their integration jobs. Build breaks and test failures could be quickly tied back to the errant code snippet in the same view. This efficiency gain is similar to the benefits realized by Datadog and other observability tools when they combined the “three pillars of observability” of metrics, traces and logs into one interface.

Prior to that consolidation in observability, DevOps teams had to swivel between three different tools to triage production issues. An alert might be issued by the tracing system for a connection time-out, which tied to an error in a system log that led to a system where the CPU metric was pegged at 100%. Toggling between systems was a real pain. Storing log, metric and trace data in one observability platform, with one set of visualizations provided a significant efficiency gain.

GitLab is effectively making the same argument in justifying the value proposition for their platform. Like Datadog, their product roadmap logically involves extending their reach into as many functions of the SDLC as possible that are addressed by their core audience of DevSecOps (developers, security personnel and operations). The key for GitLab will be to identify those functions of the SDLC where they can find leverage, due to their core foundation in source code management (SCM) and CI/CD. Since the functions of operations and security can touch a lot of IT categories, GitLab will need to find the right balance of going deep in product segments where they can add significant value with reasonable leverage, versus areas where the bar to reach acceptable feature parity is high.

As an example, while Datadog has been moving their offering closer to developer operations (shift left), they have also stated that they don’t intend to offer a source code management tool (SCM). They are instead focusing on applying observability to developer operations, versus trying to power those operations themselves. An example of this approach in practice is their recently released CI Visibility product, which provides insight into the health and performance of code build and integration environments. It is compatible with multiple CI tools, including GitLab, GitHub Actions, Jenkins and CircleCI. Datadog doesn’t intend to try to compete with these tools – they leverage their core competency in observability to provide a monitoring layer over them.

GitLab will need to find a similar balance, lest they take on too much. The risk is they advertise a platform that consolidates all 10 steps in the SDLC, but can only achieve a minimum viable product in some of them. That would leave them open to competition in those shallower steps and water down the platform messaging. Clarity in product marketing and an active Partner program will help streamline adoption.

Fortunately, GitLab is very transparent with their product roadmap and the current state of the offerings in each category. In fact, they are probably the most open with their product development plans and honest assessment of their progress of any software company that I cover. In their Q1 FY2023 Investor Presentation, they offer the diagram below showing the list of features by SDLC step and their assessment of the current level of feature completeness.

GitLab Investor Presentation, Q1 FY2023

We can see that they consider the Create and Verify steps to represent their core offering with fairly complete feature coverage. Secure has also been receiving a lot of investment in the last year, representing an opportunity to capture the current demand environment for security and its application to controlling software supply chains.

From that base, GitLab is focusing on building out the Package and Release steps, as well as continuing to expand Secure. Beyond these focus areas, GitLab leadership has identified additional steps for future expansion. These involve building out features in Configure, Monitor and Protect, which extend into the production environment (along with Secure). A number of the features in the Current Expansion and Future Expansion phases identified above are sold as add-ons in the two monetized subscription tiers Premium and Ultimate.

Like other software category leaders, GitLab has ingrained a rapid product delivery cadence into their culture. They release to production every month on the 22nd. They chose this day to be consistent, allowing customers to plan around any changes. For every release, GitLab publishes a list of changes for anyone to view. The most recent release was 15.1 on June 22nd (although as I write this piece, version 15.2 went out on July 22nd). Release 15.1 included over 30 individual improvements, with highlights of SAML Group Sync, SLSA level 2 build artifact attestation, links to included CI/CD configuration and enhanced visibility into value stream with DORA metrics.

For Q1 FY2023, the leadership team highlighted three new capabilities launched in the quarter (Feb – Apr 2022). This provides further evidence that security and compliance are big focus areas, as well as fleshing out of earlier steps in the SDLC:

  • Integrated security training functionality to help developers address security issues as part of their normal development workflow. GitLab launched a comprehensive set of security scanning tools that can identify all types of security issues. Security findings are presented in merge requests, pipelines and in a dedicated vulnerability report. When available, a recommended solution is given.
  • Released individual compliance violation reporting, which improves compliance capabilities to capture a single view of projects. The compliance report now includes every individual merge request violation for projects within a group. This is a large improvement over the previous version, which only showed the latest merge request. The new version allows the user to view history and patterns of violation over time.
  • Introduced functionality that enables teams to collaborate better and track their dependencies across GitLab groups. Effective dependency management is a key component of reducing variability and increasing predictability in value delivery.

Releasing over 30 capabilities a month is impressive. The leadership team also highlights the fact that GitLab customers can contribute to the codebase, since it is open source. On the Q1 earnings call, the CEO called out an example in the May release in which the top contributor was from a customer organization. This individual built CRM functionality into GitLab that allows users to set up and link organizations and contacts to issues directly in GitLab.

These kinds of contributions extend the reach of the GitLab platform. They also include work on paid features. Customers often develop code extensions for their benefit and then contribute them to the open source project, so that they are incorporated into the GitLab base project and maintained over time. While a customer could keep these to themselves, they benefit from the “free maintenance” of their feature when it is officially incorporated into the codebase.

This open core model does provide some advantages to GitLab’s product development velocity, as customer work extends the capacity of GitLab’s own staff. In addition, a customer who develops their own feature extensions on GitLab will likely be stickier and more likely to expand, leading to higher DBNRR.

This approach is in contrast to closed source platforms, like Datadog or Snowflake. Those platforms don’t get the benefit of customer contributions to the code and the implicit trust from source code visibility. At the same time, they aren’t encumbered by any dependencies on open source contributions, the maintenance of those features or expectations around the product roadmap from the community. They can easily deprecate features with low usage and quickly pivot into new opportunities, which might have been opposed by the community. They can also freely optimize performance of the system by utilizing proprietary data models and storage techniques without being tied to open standards that can be slower to evolve.

At a high level, I think the advantages and disadvantages of the open core model balance out, and don’t provide a clear competitive moat for the open source company versus a proprietary offering. I think a high product velocity is achievable in both cases, and becomes the real competitive differentiator. A rapid product release cadence is more driven by company leadership, culture, platform architecture and composability, versus the open or closed source posture.

Market Position and Competitive Landscape

GitLab’s vision to integrate the full software development lifecycle is compelling. The DevSecOps trend is gaining traction and enterprises are starting to realize the benefits of tooling that brings these traditionally disparate teams into closer functional proximity. As we learned in observability, there are clear benefits in tool consolidation. The “three pillars of observability” united metrics, logs and traces into a single view, with a single data source. This consolidation has benefited observability leaders like Datadog and Dynatrace, allowing them to execute a similar strategy of replacing point solutions and open source DIY efforts.

In pursuing their product vision, GitLab leadership sees a $40B near term market opportunity. If we include all the extensions in security, observability and compliance, that addressable market is likely much larger. From a competitive positioning perspective, they are focused on replacing all the point solutions that currently make up the earlier steps in the SDLC. GitLab leadership calls these DIY DevOps.

We believe the market we are targeting is very large and early stage in nature. We believe our One DevOps Platform is addressing an estimated $40 billion opportunity. We’re focused on selling a business outcome and a time to value. Thus, our competition is largely to Do-It-Yourself known as DIY DevOps solutions that companies have in place today.

We’re addressing this estimated large market opportunity with a compelling platform. GitLab’s One DevOps Platform provides one interface, one data, one set of reports, one spot to secure your code, one location to deploy to any cloud and one place for everyone to contribute. This empowers all of an enterprise’s teams, including development, security, operations, IT and business to collaboratively plan, build, secure, and deploy software across an end-to-end unified platform. We believe our platform is the only true cloud independent end-to-end platform that brings together all of DevOps capabilities in one place.

GitLab Q1 FY2023 Earnings Call

They see a huge opportunity in this consolidation of the DevOps (and security) toolset into a single platform. Industry analyst firm Gartner contends that 80% of the addressable market uses the DIY DevOps approach currently, with only 20% moving to a consolidated platform so far. However, this split is shifting rapidly towards consolidation. In their view, by 2024, the penetration of platforms will increase to 60% of the market, representing a tripling of usage over the next 2-3 years. This provides a huge growth opportunity for GitLab.

GitLab Investor Presentation, Q1 FY2023

Against that large opportunity, GitLab has a lot of work to do. The product roadmap discussed earlier demonstrates that GitLab’s vision is broad, but their feature completeness is not that deep yet. By their own transparent rankings, only 5 out of the 10 software lifecycle steps have product segments that they consider to be feature complete. Among those, just Create and Release even approach 50% of sub-categories that are labelled as “Lovable/Complete”. The remaining steps and sub-categories are rated by GitLab as Viable or Minimal.

They couch this as an opportunity, illustrating how large the scope of their platform can be. And, as I said, we have to give them credit for their transparency. I can’t see favorites like Crowdstrike, Datadog and Cloudflare labelling some of their product offerings as Minimal. Even on a recent analyst call, GitLab’s CEO mentioned that only 20% of their platform is what he would consider best-in-class.

This candid assessment is reflected in reports issued by industry analysts like Gartner and Forrester. On a dedicated web site section for industry analyst reports, GitLab identifies a broad swath of analyst categories that are relevant for their platform. This list is enormous. As an investor, I could either be very excited about the scope and size of addressable market, or concerned that GitLab is trying to compete too broadly. Here is the list of analyst categories that they list as within product scope:

  • API Security Testing
  • Application Performance Monitoring (APM)
  • Application Security Testing (AST) / Static Application Security Testing
  • Browser-based IDEs
  • Container Management / Public Cloud Container Services
  • Design Management
  • DesignOps
  • DevOps
  • DevSecOps
  • Enterprise Agile Planning Tools (EAPT)
  • GitOps / Infrastructure as Code (IAC)
  • Hypothesis-Driven Development
  • Incident Response / Incident Management
  • Integrated Software Development Platforms
  • IT Infrastructure Monitoring
  • MLOps / ModelOps
  • Observability
  • Performance Engineering
  • Progressive Delivery
  • Software Composition Analysis (SCA)
  • Software Supply Chain Security
  • Value Stream Delivery Platforms (VSDP)
  • Value Stream Management (VSM)
  • Value Stream Management Platforms (VSMP)
  • Zero Trust Security

Just cherry picking a couple of categories, we find a few of these where GitLab isn’t in the analyst’s vendor consideration set at this point. For example, the 2022 Gartner Magic Quadrant for APM and Observability does not include GitLab, even in the Honorable Mention section. The same applies to the Gartner Magic Quadrant for Security Service Edge in 2022, which is Gartner’s new categorization for Zero Trust Security. In these cases, the GitLab implementation is missing features that Gartner requires for inclusion.

For the Gartner Magic Quadrant and Forrester Wave reports that include GitLab, the results are mixed. GitLab has an Analyst page on their web site, which highlights commentary from third-party industry analysts. Near the top of the page, they list a set of Featured Reports in which GitLab is included in the rankings. The three categories in the Featured Reports are Enterprise Agile Planning (Gartner), Application Security Testing (Gartner) and Cloud-Native Continuous Integration Tools (Forrester). A brief look at these reports provides some insight into GitLab’s progress in penetrating these categories and broader opportunity to move upmarket.

Enterprise Agile Planning

Enterprise Agile Planning is Gartner’s category for products that facilitate the definition, planning and management of development work. This is housed under the umbrella concept of agile, as that is the prevalent software development work planning methodology in practice today. For the GitLab platform, Enterprise Agile Planning falls into their SDLC steps of Manage and Plan and the relevant analyst category listing of “Enterprise Agile Planning Tools (EAPT).”

Gartner defines enterprise agile planning (EAP) tools as products that enable organizations to scale their agile practices to support a holistic enterprise view. These tools act as a hub for the definition, planning and management of work. Just as agile is an evolution of development methodologies, EAP tools are an evolution of project/team-centric tools to support a business-outcome-driven approach to managing agile software development. This evolution is highlighted by the fact that several of these tools also offer project portfolio management (PPM) and strategic portfolio management (SPM) capabilities. Value stream mapping is gaining in popularity, and this is reflected in EAP vendors now supporting the convergence of functionality with value stream management platforms (VSMPs) and value stream delivery platforms (VSDPs).

Gartner Magic Quadrant for Enterprise Agile Planning Tools 2021

In Gartner’s 2021 report, GitLab was placed in the Leaders quadrant, along with Atlassian and several other vendors. Microsoft (GitHub) was relegated to the Challengers quadrant.

Gartner Magic Quadrant for Enterprise Agile Planning Tools, April 2021

In response to the report, GitLab issued a press release and some commentary in the Analyst section of their web site in April 2021.

We are thrilled to be recognized by Gartner as a Leader in the 2021 Magic Quadrant for Enterprise Agile Planning Tools report and excited to see our unique and holistic take on end-to-end visibility and actionability validated by industry experts. GitLab believes our recognition as a Leader in the Magic Quadrant represents a growing market understanding of the value of a platform-based approach, in which agile planning and execution occur within a single source of truth.

As an end-to-end DevOps Platform, GitLab allows users to visualize and contribute to the value delivery of their projects and programs at every stage—from planning, to development, to testing, to deployment and monitoring. Without any customization or integration, GitLab surfaces detailed information from throughout the lifecycle and allows project planners and owners to participate directly to move initiatives toward delivery.

GitLab Web site, Industry Analysts section

In April 2022, Gartner repeated their evaluation and published this year’s Magic Quadrant. In this report, GitLab was moved back into the Challengers quadrant. Atlassian gave up its top position to Digital.ai, but remained in the Leaders Quadrant. Planview, Broadcom and ServiceNow also retained their spots as Leaders. Targetprocess was renamed Apptio. In summary, of the 7 vendors in the Leaders Quadrant in 2021, GitLab was the only one that moved out of that quadrant.

Gartner Magic Quadrant for Enterprise Agile Planning Tools, April 2022

Microsoft was also dropped from the Magic Quadrant report in 2022, which seems a little odd. Gartner offered this commentary: “Microsoft provides two independent EAP tools called Azure Boards and GitHub Enterprise. The objectives and priorities of the developer tools at Microsoft, including these two tools, no longer align to Gartner’s definition of this market.”

In terms of GitLab’s change in position, Gartner attributed it to their view that enterprise agile planning is increasingly incorporating measures of business value associated with product delivery. This includes tracking of software product portfolio management, portfolio financial management and strategic alignment. GitLab’s focus is more developer-centric, and the interface lacks a “rich visual oversight of financial investment and business outcomes” according to Gartner.

GitLab didn’t update their Featured Reports section of the Analyst page with reference to the 2022 report. They also didn’t issue a press release. Gartner reports can be tricky if their view of the industry direction doesn’t align with a company’s vision. In this case, I think GitLab’s focus leans more on the DevSecOps workflows, given their current audience, versus expanding to financial analysis and portfolio management. This is an area for which GitLab could increase coverage in the future.

Application Security Testing

Gartner defines the application security testing (AST) market as including products and services designed to analyze and test applications for security vulnerabilities. The market comprises tools offering core testing capabilities in the areas of static, dynamic and interactive testing, and software composition analysis (SCA).

Core capabilities that represent foundational application security testing capabilities include:

  • Static AST (SAST). Analyzes an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC).
  • Dynamic AST (DAST). Analyzes applications in their running state during testing or operational phases. DAST simulates attacks against an application (typically web-enabled applications, but, increasingly, APIs), analyzes the application’s reactions and determines whether it is vulnerable.
  • Interactive AST (IAST). Instruments a running application and examines its operation to identify vulnerabilities. Most implementations are considered passive, in that they rely on other application testing to create activity. IAST tools then evaluate the output.
  • SCA is used to identify open-source and, less frequently, commercial components in use in an application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.

Gartner also looks at a number of optional capabilities, which provide more specialized forms of security testing and verification, and typically supplement the core capabilities based on an organization’s application portfolio or application security program maturity. These include API testing, application security orchestration and correlation (ASOC), business-critical AST, container security, fuzzing, IaC testing and mobile app security testing.

Gartner Magic Quadrant for Application Security Testing, 2021 and 2022

The Magic Quadrant for Application Security Testing was published in April for both 2021 and 2022. GitLab was placed in the Challengers quadrant in both reports. They appear to have made some progress between the two years, moving slightly up and to the right from 2021 to 2022. Given that trajectory, they may break into the Leaders quadrant next year. At the same time, Synopsys and Checkmarx moved further up and to the right as well. As an aside, Snyk moved from the Visionaries quadrant to the Challengers, representing more market penetration but less product completeness relative to other vendors.

GitLab included both reports on their Analyst page. They also issued a press release highlighting the 2021 inclusion.

Cloud-Native Continuous Integration Tools

Going back a couple of years, GitLab highlighted their inclusion as a Leader in the Forrester Wave 2019 Cloud-Native Continuous Integration Tools report on their Analyst page. The scope of this report falls into GitLab’s Verify step in the SDLC, and primarily includes the Continuous Integration function. In their platform roadmap, GitLab categorizes this feature as “Lovable/Complete”.

Forrester Wave Cloud-Native Continuous Integration Tools, Q3 2019

For 2020, the report category changed to Continuous Delivery and Release Automation (CDRA) and was issued in Q2 2020. CDRA focuses heavily on the release/deployment automation portion of the software delivery lifecycle, assuming that vendors already support a solid CI implementation to automate builds and tests as table stakes.

GitLab commented on this report in a blog post in July 2020. Forrester’s scope expanded to include their functions in the Release step, as well as the base in Verify. In their product roadmap, GitLab lists the Release step as part of their Current Expansion.

Forrester Wave Continuous Delivery and Release Automation, Q2 2020

In the 2020 report, GitLab moved back to Strong Performers. Microsoft and CloudBees made significant moves up and to the right. This report may not be as relevant given that it is two years old. I included it to be complete, as it was referenced on GitLab’s Analyst page. In GitLab’s commentary, they acknowledged their commitment to rapidly improve their automation capabilities in deployment and release.

Competitive Take-aways

GitLab’s variability in progress on analyst reports is a little concerning. I generally like to see software providers steadily moving up and to the right on these analyst diagrams. Both the Magic Quadrant and the Wave are oriented towards this motion. An ideal situation is when a vendor enters the report in a lower position one year and then makes measured progress each subsequent year, eventually landing in the Leaders section.

As an example, Datadog accomplished that between 2020 and 2022 for the APM and Observability Gartner Magic Quadrant. They rapidly closed the feature gap with competitor Dynatrace. In 2020, they landed in the Visionaries quadrant for APM. They then entered the Leaders quadrant in 2021 and captured the top position in 2022. This demonstrated a gradual, but consistent, expansion of their feature completeness and market penetration relative to other providers.

For GitLab, three different analyst reports showed either marginal or backwards progress. While the category criteria can be a moving target and GitLab may be focusing on a different audience or approach to each, I find it a little surprising that they aren’t ascending rapidly in the categories examined (or at least one of them). Those are core components of their platform strategy and represent recent investment areas. Given leadership’s commentary about a rapid product development process and the benefits of the open core model, it’s likely they will continue to improve their feature coverage.

In reviewing their reports and commenting on the findings, the GitLab leadership team demonstrates a strong feedback and learning process. They acknowledge room for improvement and try to incorporate it into the next set of releases. This customer-focused, iterative development process should allow them to meet market expectations, whether those are aligned with industry analysts or not.

If we assume that they will apply this feedback loop and keep expanding their feature coverage in key categories, then customers should begin to value the breadth of their offering as an integrated platform over being considered the best-of-breed offering in each segment. This should allow them to continue their rapid pace of platform lands with enterprises, and then expand as they flesh out each step in the SDLC leveraging their captive audience.

Like some other software infrastructure providers, GitLab leadership contends that their primary competitor is open source or DIY efforts within enterprises. As highlighted by the metric mentioned earlier, Gartner estimates that 80% of enterprises are using DIY or open source solutions currently. The platform share is expected to triple from 20% to 60% by 2024. According to GitLab leadership, they only compete with other platform providers about 20% of the time. When they do, they typically run into Microsoft, Atlassian and Jenkins.

Their customer traction indicates that the platform approach is valued highly and that the criteria of industry analysts may not be as critical to purchasing decisions. In Q1, their base customers (defined as those spending over $5k in ARR) grew by 64% to 5,100. Similarly, customers spending over $100k in ARR increased by 68% year/year to 545 total.

GitLab Investor Presentation, Q1 FY2023

This reflects a very strong motion in new customer lands and the ability to drive healthy expansion. Their dollar-based net retention rate remained strong in Q1 and exceeded their reporting threshold level of 130%. This metric was reported at an exceptionally high 152% in Q4. Their Q1 Investor Presentation shows a broad array of enterprise customers across many segments of the economy, likely cushioning them from acute IT budget cuts in a particular industry.

At the same time, if GitLab doesn’t improve their feature completeness in some of the newer categories (and particularly the competitive ones like security and observability), then they risk capping their expansion opportunities outside of the core SDLC steps in SCM and CI/CD. As they move upmarket and into production environments, they will encounter more entrenched competition. This also assumes they can maintain competitive parity with Atlassian and market behemoth Microsoft.

Hyperscalers

It’s worth discussing GitLab’s relationship with the hyperscalers. GitLab has strong relationships with AWS and GCP. Due to the competitive relationship with Microsoft, it’s understandable that Azure would keep GitLab at arm’s length. Of course, GitLab’s services work on Azure, so they aren’t cut out of customer deployments on that public cloud.

Having a competitive relationship with one of the hyperscalers can actually be favorable, as I discussed in a prior post. As other examples, Snowflake and GCP have an antagonistic relationship. Crowdstrike and Microsoft compete in security. While that might seem problematic on the surface, the reality is that the other two hyperscalers will often form tighter relationships with the software provider, in order to create a competitive bundle of offerings for a large enterprise customer. AWS actively co-sells with Snowflake, for example, in order to provide a best-of-breed analytics and ML combination for an enterprise’s big data needs.

The same benefit accrues to GitLab, as they work with AWS and GCP. In June, Google announced that GitLab had won the 2021 Google Cloud Technology Partner of the Year award for application development. GitLab also enjoys a strong relationship and deep integrations with AWS.

“This award recognizes GitLab’s commitment to customer success, and its delivery of innovative and impactful solutions on Google Cloud in application development,” said Bronwyn Hastings, VP of Global ISV Partnerships and Channels, Google Cloud. “We’re proud to recognize GitLab as our Technology Partner of the Year for Application Development, and we look forward to continuing our work together building and creating business value for customers with cloud technologies.”

GitLab Press Release, June 2022

Investment Plan

GitLab is officially on my watch list and I might consider opening a tracking position. I think their vision is compelling, particularly where they consolidate tooling in the earlier stages of the SDLC. I agree with their supposition that tying together functions in planning, coding, build, packaging and release in one platform represents a compelling value proposition for a modern DevOps team. Weaving security through those steps in the same platform provides further benefit. As GitLab’s leadership asserts, it is much easier to address software packaging issues and potential vulnerabilities while the developer is actively writing code instead of during final integration testing.

This value proposition appears to be reflected in their customer growth and financial metrics. With paying customers increasing by over 60% a year, GitLab is clearly attracting new users to the platform. Additionally, their expansion into enterprises through the Ultimate tier is driving larger customer spend. Growth in $100k ARR customers (up 68% y/y) and DBNRR (over 130%) reflect this enterprise adoption and expansion.

RPO is growing faster than revenue, at 92% and 75% y/y for Q1 respectively. This shows that their backlog of customer commitments will provide a baseline of revenue for future quarters. Total RPO of $336M in Q1 is almost 4x revenue for the quarter. Further lands and expands should then compound this.

The product roadmap is ambitious to say the least. If GitLab can pull this off, they stand to become one of the larger software infrastructure providers. At the same time, they are facing significant competition in several of their aspirational SDLC categories like security, observability and infrastructure configuration. Industry analyst reports show GitLab making marginal progress or even losing ground to competitors in some categories. Their product roadmap is squarely targeting these opportunities though, so it’s likely they will make up ground going forward.

Additionally, the value proposition for a fully integrated platform, delivered from a single pane of glass is compelling. GitLab also doesn’t need to win every category if they can form partnerships with leading providers in some categories and provide clear lines of delineation through deep integrations. This may become a viable strategy for observability, incident response and security functions. Several of the leading providers in those IT categories were also sponsors of GitLab’s user conference in 2021.

Since GitLab has been a public company for only three quarters, I would like to track their performance for a bit longer before deciding on a meaningful portfolio allocation. I will watch customer expansion metrics and pay close attention to progress on the product roadmap. I also want to see how they navigate partnerships with leading providers in some categories. Based on financial metrics from the last two quarters, GitLab is demonstrating strong growth momentum currently.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

Additional Reading

  • As mentioned above, Cestrian Capital Research provides a great overview of GitLab’s financial metrics and some technical charts. This complements my product-focused analysis for a fuller picture.
  • Muji at Hhhypergrowth has some insightful pieces on trends in DevOps and Observability. These provide more background on the market and competitive dynamics.

10 Comments

  1. MBH

    Thank you very much for everything you do. I did find this writeup very useful since I do have an initial position. Do you have any comment on their minority interest in JiHu, their joint venture in China?

    Much appreciated, Peter!

    • poffringa

      Thanks for the feedback. My understanding is that JiHu is simply GitLab’s mechanism to gain access to the Chinese market. For technology companies, this can be a challenge, so GitLab created a separate entity in China to handle the distribution of their self-managed version and host the SaaS version. I think this partnership makes sense and was likely necessary to address the Chinese user audience.

      • Michael Orwin

        It might be rare but there can be problems, google “Arm China finally boots rogue CEO”.

  2. Alex

    Your analyses are absolutely fantastic, thanks for sharing them!

    To me it seems that the DevSecOps platform that JFrog offers is similar to GitLab’s. It would be great if you have interest and time to share thoughts on how they compare and, more generally, on JFrog.

    Thanks!

    • poffringa

      I haven’t covered JFrog at this point, but am familiar with their toolset. Their Artifactory offering has a lot of overlap with GitLab in the Secure and Package steps. On the earnings call, the GitLab CEO spoke about dislodging JFrog installations. I think there is a real risk to JFrog growth from GitLab, assuming GitLab can continue to make progress in software packaging and verification of software supply chain.

  3. Ruben

    What are your thoughts on the switching costs for a platform like GitLab? Once implemented, is it easy to switch to GitHub or Atlassian or are there significant switching costs to take into account? How commoditized is this space?

    • poffringa

      That’s a good question. It depends how many steps of the SDLC are being used, but even migrating off of the source control management (SCM) and CI/CD platform would require work. It’s more on the level of changing a database solution. To move off of GitLab and onto GitHub would require a migration of the code and getting everyone to switch over at once. For the CI/CD and release pipelines, the same would apply. Those systems would have to switch to a new source code repo and then replace their deployment targets.

      So, I would say that switching costs would be high for a platform like GitLab, once it is entrenched in all the DevOps workflows.

  4. Scott

    Really like this one for understanding the software development landscape. Had heard of all these companies but didn’t know how they competed with each other.

  5. Anand Narayan

    Peter, thoughts on developers moving towards GitHub Copilot and GitHub Codespaces? These two tools offer devs an enormous productivity boost. I am not sure if GitLab will have answers for these. Especially Copilot, as it leverages a lot of OpenAI (a MSFT investment).

    • poffringa

      Hi Anand – I agree with your view that these GitHub capabilities provide them with a real competitive advantage. Co-pilot can create a productivity boost and would take time for GitLab to replicate (unless they acquire the capability). Codespaces extends the IDE and provides a dev environment. This might be easier for GitLab to duplicate, but I don’t see it on their roadmap.

      This highlights one of my concerns for GitLab long term. While their product roadmap is ambitious and covers a lot of segments (large TAM), they risk getting out-maneuvered in each step of the SDLC by competitive offerings that go much deeper in functionality. The same applies to monitoring, security, configuration, etc. The big question will be whether the value of platform integration outweighs the incremental benefit of full-featured point solutions (like GitHub). Or, GitLab can strike thoughtful partnerships with the best-of-breed offerings in each segment, like Datadog for APM or PagerDuty for on-call scheduling and incident response.