Startup StashStartup Stash

Your company runs on apps you never approved. We built Reco for that.

Gal Nakash co-founded Reco after watching security teams lose track of their own environment. Here is how the platform works, and why he thinks "visibility" is the wrong word to lead with.

Gal Nakash

Gal Nakash

Co-founder & CPO, Reco · May 28, 2026 · 9 min read

Gal Nakash
Startup StashStartup Stash

You can't secure an app you don't know exists. Most companies are full of them.

Gal Nakash

Co-founder & CPO, Reco

with Startup Stash

IDENTITY & APP SECURITY

What is Reco, and what problem does it solve?

Reco is a security platform for everything your company connects to. That means your business applications, the identities inside them, the data moving between them, and the AI tools your teams have started wiring in. We connect to your environment, build a live map of it, and then tell you what is risky and what to fix first. We support more than 200 applications today, and when a customer needs one we do not cover yet, we add it in days, not quarters.

Why did you start Reco?

I started Reco because security teams had lost track of their own environment. They spent twenty years getting good at the network and the endpoint. Then the whole company moved into applications that nobody in IT ever provisioned. A marketing person signs up for a tool, connects it to Google Workspace, grants it broad permissions, and security never hears about it.

We kept meeting teams who could not answer basic questions. Which applications are connected to our core systems? Who has admin? Which accounts belong to people who already left? That gap is the entire reason Reco exists.

How does Reco work?

Four moves: connect, map, see, catch. I will draw it for you, because the whiteboard version is the one that makes it click.

That is the loop. The integrations are the easy part. The thing that makes Reco useful is the map in the middle. Once every identity, application, permission, and data path lives in one graph, the questions answer themselves.

How Reco works, on a napkinconnect · map · see · catch1RecoConnect your apps2Reco maps it allthe Knowledge Graph3appsidentitiesdataAI toolsSee everything, daily4!Catch what matterschecks daily · threats in ~15 min

The whiteboard version. Connect what you run, let Reco map it, see the whole picture, and catch the risk that matters first.

What makes Reco different from other security platforms?

What makes Reco different is the map in the middle. Most tools hand you visibility, and visibility without priority is just a longer list. If I give you ten thousand findings, I have not helped you, I have buried you.

Reco's Knowledge Graph connects findings into a single story: this admin account, on this application, with no MFA, holding access to this sensitive data, owned by someone who left in March. That one sentence is worth more than ten dashboards.

We score every posture check by severity, from Critical down to Low, so the first thing you look at is the thing that can actually hurt you. That is the difference between a security platform and a search engine for problems.

Why a map beats a listten thousand findings, one that mattersA longer list10,000 rows, no priorityadminno MFAsensitive dataleft in MarchOne risky chainthis is what to fix first

A graph, not a spreadsheet. Reco connects findings into one story, so the highest-risk path stands out instead of getting lost in the pile.

How does Reco secure AI tools connected to company data?

Reco treats AI tools as part of the same map as everything else, not a bolt-on product. Teams connect them to their core applications and data exactly the way they connect anything else, usually faster and with less review.

Reco's Connected AI Apps view shows which AI tools are connected, what they can reach, and runs posture checks against them. The point is not to have a separate "AI security" thing sitting in the corner. An AI tool with broad access to your data is just another high-risk identity, and it should show up in the same graph as everything else.

How does Reco find apps and accounts no one approved?

Reco runs discovery daily and surfaces every application connected to your core systems, including the ones it marks Unsanctioned because no one approved them. The same map shows the accounts behind them: admins, accounts with no MFA, and accounts that belong to people who already left.

You are not waiting for someone to file a ticket. If it connected, it shows up, and it shows up tomorrow too, because the scan runs again.

What does getting started with Reco look like?

Getting started is fast. You connect a few core systems, let the graph build, and almost everyone finds something in the first week: forgotten admin accounts, applications connected by people who are long gone, AI tools nobody flagged.

The mistake teams make beforehand is waiting for a clean inventory before they start. You never get one, because the environment changes every day. Reco re-discovers applications daily and re-scans posture daily, so the picture stays current without anyone babysitting a spreadsheet. It is not a six-month rollout before you get value. The value is the moment you can finally see the room.

Would you build Reco the same way again?

Yes, but I would draw the picture sooner. We spent our early months explaining the product in long decks, and people nodded politely and forgot it. The thing that actually made it land was a sketch on a whiteboard. Connect, map, see, catch. Four words and four doodles. So now we lead with the napkin, and we save the dashboards for later.

Interview conducted and condensed by the Startup Stash editors. Read more interviews with more startup founders.