Revolutionary Approach to Code Security

Seattle-based security startup ZAST.AI has announced the completion of a $6 million Pre-A funding round led by Hillhouse Capital, bringing total funding to nearly $10 million. The company is addressing one of cybersecurity's most persistent challenges: the overwhelming false positive rate in security tools that leaves teams drowning in unverified alerts.

In 2025, ZAST.AI made headlines by discovering hundreds of zero-day vulnerabilities across popular open-source projects, resulting in 119 CVE assignments. The affected projects include widely-used components from Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, and other critical infrastructure powering global businesses.

From "Potential Risk" to "Confirmed Vulnerability"

Traditional static analysis tools share a basic limitation: they flag code patterns and data flows that may be exploitable, but they cannot demonstrate that any given finding actually is. The result is false positive rates often exceeding 60%, leaving security teams to manually triage every alert, a time-consuming process that breeds alert fatigue.

"Report is cheap, show me the POC!" said Geng Yang, Co-founder of ZAST.AI. "This was our founding principle—we believe only verified vulnerabilities are worth reporting."

Automated PoC Generation + Validation

ZAST.AI's approach has two stages:

  1. Automated PoC generation: AI-driven code analysis produces candidate proof-of-concept exploit code for each suspected flaw
  2. Automated validation: the system executes each PoC against the target to confirm the vulnerability is real and exploitable

Only findings whose PoC actually executed successfully reach the final report, which is what the company calls "zero false positive" detection. The scope of that claim is worth noting: validation removes unconfirmed findings from the report, it does not mean every vulnerability in the codebase has been found, and a finding is confirmed only for the environment the PoC was run in.

Beyond Syntax-Level Flaws

Pattern-based static tools are strongest on syntax-level flaws such as SQL injection and XSS. ZAST.AI also targets semantic vulnerabilities that require understanding application behaviour and authorization state rather than matching code patterns, including:

- Insecure Direct Object Reference (IDOR)
- Privilege escalation flaws
- Payment logic vulnerabilities
- Business logic defects
- SSRF and deserialization issues

These business-critical flaws have historically required manual security review to discover.

Real-World Impact

Major technology companies including Microsoft, Apache, and Alibaba have already patched vulnerabilities discovered and verified by ZAST.AI. Fortune Global 500 companies are now using the platform to shorten vulnerability remediation cycles and reduce security operation costs.

"This isn't an optimization—it's a reconstruction," said a representative from Hillhouse Capital. "ZAST.AI has redefined the standard for vulnerability validation, shifting from 'potential risk' to 'confirmed vulnerability, here is the PoC.' This changes the game."

What's Next

The new funding will accelerate core technology R&D, expand product features, and drive global market development. CEO Geng Yang outlined the vision: "We're building an end-to-end AI-driven security platform, enabling every development team to obtain the highest quality security assurance at the lowest cost."

TL;DR

- ZAST.AI raised $6M Pre-A funding from Hillhouse Capital for AI-powered code security
- The platform discovered 119 CVEs in 2025 across Microsoft, Apache, Alibaba projects
- Reports only findings whose auto-generated exploit PoC was executed and validated, which the company calls "zero false positive" detection
- Detects both syntax-level flaws and complex semantic vulnerabilities such as IDOR and business logic defects
- Already serving Fortune Global 500 clients with verified vulnerability reports
Source: The Hacker News