For a long time, I kept seeing the same pattern in AppSec.

Security leaders and CISOs were being asked to make high-stakes decisions based on partial signals. Scans, models, and dashboards that described how software should behave, or how it was expected to behave, but rarely how it actually behaved once it was live.

The industry normalized this gap. We accepted inference, sampling, and assumptions as the best we could do. Over time, those approximations hardened into workflows, best practices, and entire product categories. Yet the risk never really moved. The noise increased. Confidence rose. Outcomes did not.

That disconnect was hard to ignore as an investor.

When I first encountered Rein, what stood out immediately was what it was not trying to do. Rein was not promising better prioritization on top of existing signals. It was not claiming broader coverage, faster scans, or smarter scoring. Instead, it was anchored on one simple and rare idea in AppSec: security decisions should be grounded in the reality of production behavior.

That framing mattered. It shifted the conversation away from estimating risk and toward observing truth. It also reframed what security tooling could be responsible for. Not prediction, not proxy, but direct understanding of how applications actually operate in the environments that matter.

This difference becomes even more important when you look at why consolidation in AppSec has been so difficult. The market has fragmented because most tools are additive by design. Each new product solves a narrow problem, produces its own data, and requires its own workflows. As a result, stacks grow larger, not simpler.

True consolidation rarely comes from bundling features. It comes from platform shifts or genuine technological breakthroughs. We have seen this in adjacent markets like endpoint detection and response or cloud security, where a new source of truth made entire categories redundant rather than complementary.

AppSec has largely lacked that kind of breakthrough.

Rein changes that equation.

By anchoring security in application reality, it has the potential to replace entire categories of tools instead of sitting alongside them. It does not need to aggregate more signals because it starts from a more fundamental place. What is the application actually doing, and what does that mean for risk?

That is why I view Rein not as an iteration on existing AppSec techniques, but as an entirely new way of approaching a foundational problem. Modern software is dynamic, distributed, and constantly changing in production. Trying to reason about its security posture without observing that reality is increasingly untenable. Rein addresses this gap at the root, not at the edges.

The technology alone would have been compelling, but what ultimately sealed my conviction was the team. Matan and Netanel were unusually clear about what they would not build. No more layers of prioritization. No more redundant data. No more noise disguised as insight. Their discipline around first principles was evident in every conversation.

That clarity extended beyond the product. In discussions with CISOs, it was obvious that the problem Rein was addressing resonated deeply. Many had felt the same frustration but lacked a viable alternative. What stood out was that the founders shared that same clarity about both the problem and the path to solving it. There was no over-selling, no trend-chasing, and no attempt to retrofit old ideas into a new narrative.

Glilot Capital led the Rein round because we believe the company brings AppSec closer to truth, both technically and culturally. Security improves when teams are grounded in reality, not assumptions. Markets consolidate when new technologies change what is possible, not when they add more complexity.

Rein represents that kind of breakthrough. Those are the moments that create lasting companies and meaningful category shifts.