January 5, 2026, Seattle, USA — ZAST.AI announced the completion of a $6 million Pre-A funding round. This investment came from the well-known investment firm Hillhouse Capital, bringing ZAST.AI’s total funding close to $10 million. This marks a recognition from leading capital markets of a new solution: ending the era of high false positive rates in security tools and making every alert genuinely actionable.
In 2025, ZAST.AI discovered hundreds of zero-day vulnerabilities across dozens of popular open-source projects. These findings were submitted through authoritative vulnerability platforms like VulDB, successfully resulting in 119 CVE assignments. These are not laboratory targets, but production-grade code supporting global businesses. Affected well-known projects include widely used components and frameworks such as Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, node-formidable, and others.
It was precisely within these widely adopted open-source projects that ZAST.AI discovered hundreds of real, exploitable vulnerabilities accompanied by executable Proof-of-Concept (PoC) evidence. Maintainers of these projects from top technology companies like Microsoft, Apache, and Alibaba have already patched their code based on the PoCs submitted by ZAST.AI.
“In the traditional field of code security analysis, high false positive rates have long been a core pain point plaguing enterprise security teams. Security engineers often spend significant time manually verifying alerts generated by tools, resulting in extremely low efficiency,” said Geng Yang, Co-founder of ZAST.AI. “‘Report is cheap, show me the POC!’ This was the original intention behind founding ZAST.AI — we believe only verified vulnerabilities are worth reporting.”
ZAST.AI’s core innovation lies in its “Automated POC Generation + Automated Validation” technical architecture. Unlike traditional static analysis tools, ZAST.AI leverages advanced AI technology to perform deep code analysis on applications. It can not only automatically generate Proof-of-Concept (PoC) code for exploiting vulnerabilities but also automatically execute and verify whether the PoC successfully triggers the vulnerability. The final report only presents real vulnerabilities that have been practically verified, achieving a breakthrough “zero false positive” effect.
“This isn’t an optimization—it’s a reconstruction,” said a representative from Hillhouse Capital. “ZAST.AI has redefined the standard for vulnerability validation, shifting from ‘potential risk’ to ‘confirmed vulnerability, here is the PoC.’ This changes the game.”
Regarding vulnerability coverage, ZAST.AI not only supports the detection of “syntax-level” vulnerabilities such as SQL Injection, XSS, Insecure Deserialization, and SSRF but also possesses the capability to identify semantic-level vulnerabilities. This includes complex business logic flaws like IDOR, privilege escalation, and payment logic vulnerabilities—areas long considered difficult for automated tools to reach. Imagine your security tool crying “wolf” every day, with a false positive rate above 60%. By the time the real “wolf” appears, the team might already be desensitized. This isn’t a people problem; it’s a tool defect—they can only speculate, not prove.
Currently, ZAST.AI already serves multiple enterprise clients, including Fortune Global 500 companies. By automatically discovering unknown vulnerabilities and directly providing runnable PoC vulnerability reports, ZAST.AI helps clients significantly shorten vulnerability remediation cycles, markedly reduce security operation costs, and has gained high recognition from customers. This round of funding will primarily be used for core technology R&D, product feature expansion, and global market development. CEO, Geng Yang stated: “Our vision is to build an end-to-end AI-driven security platform, enabling every development team to obtain the highest quality security assurance at the lowest cost. In the future, ZAST.AI will continue to deepen technological innovation in AI + Security, providing global customers with smarter, more precise, and more efficient code security solutions.”
