ZAST.AI Secures $6M Pre-A to Scale Zero-False-Positive AI Code Security



Seattle, USA — ZAST.AI, an AI-driven code security startup, has closed a $6 million Pre-A funding round led by Hillhouse Capital, bringing its total financing to nearly $10 million. This fresh capital will help the company expand its core technology and take its no-false-positive vulnerability scanning platform to global markets.

ZAST.AI claims its platform can automatically generate and validate proof-of-concept (PoC) exploits for software vulnerabilities, ensuring that every reported weakness is real and actionable. The approach aims to eliminate the noise and inefficiency caused by false alerts in traditional code security tools.

“In this industry, ‘Report is cheap, show me the POC!’ This was our founding intention,” said Geng Yang, Co-founder and CEO of ZAST.AI. “We believe only verified vulnerabilities are worth reporting.”

ZAST.AI’s automated architecture combines AI-assisted deep code analysis with PoC generation and execution. If the PoC successfully triggers a vulnerability during automated validation, the report includes confirmed exploit code. This “zero false positive” claim is central to the company’s value proposition for enterprise DevSecOps teams.

“ZAST.AI has redefined the standard for vulnerability validation, shifting from ‘potential risk’ to ‘confirmed vulnerability,’” said a representative from Hillhouse Capital. “This changes the game.”

Impact in 2025: Verified Vulnerabilities Across Major Projects

In 2025, ZAST.AI says its platform discovered hundreds of zero-day vulnerabilities in widely used open-source projects. The company submitted these findings to authoritative databases such as VulDB, resulting in 119 CVE assignments.

Among the affected components and frameworks were Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, and node-formidable. These are production-grade modules powering applications used by businesses around the world.

ZAST.AI’s approach goes beyond typical syntax-level issues such as SQL injection and cross-site scripting. It aims to detect semantic vulnerabilities and complex business logic flaws such as insecure direct object references (IDOR), privilege escalation conditions, and payment workflow issues.

How ZAST.AI’s Technology Works

Component | Function
Automated PoC Generation | Uses advanced AI to craft exploit code for vulnerabilities uncovered during analysis.
PoC Validation | Automatically runs generated code to confirm that the vulnerability can be triggered.
Zero False Positive Reporting | Only confirmed vulnerabilities with actionable proof are reported to clients.
Deep Semantic Analysis | Extends beyond syntax issues to detect logic flaws that traditional scanners often miss.

The platform is designed to integrate with DevSecOps pipelines, helping security teams detect and address real weaknesses early in the software development lifecycle.

Real-World Use and Enterprise Adoption

ZAST.AI reports that it already serves multiple enterprise clients, including Fortune Global 500 companies. By automatically discovering unknown vulnerabilities and providing runnable PoC reports, clients can reduce the time and cost associated with manual verification and remediation.

The new funding will support core technology research and development as well as global market expansion, particularly in regions where demand for autonomous code security is growing rapidly.

Geng Yang emphasized the company’s long-term vision: to build an end-to-end AI-driven security platform that gives every development team “the highest quality security assurance at the lowest cost.”

FAQ: ZAST.AI Funding and Technology

What is ZAST.AI’s funding round size and lead investor?
ZAST.AI raised $6 million in a Pre-A round led by Hillhouse Capital, taking total funding close to $10 million.

What sets ZAST.AI apart from other code security tools?
Its platform automatically generates and validates PoC exploits for vulnerabilities. Only confirmed issues with PoC code are reported, significantly reducing false positives.

How many vulnerabilities has ZAST.AI helped assign CVEs to?
In 2025, findings submitted by ZAST.AI led to 119 CVE assignments across widely used open-source projects.

Which types of vulnerabilities does ZAST.AI detect?
It supports detection of traditional syntax-level bugs like SQL injection and XSS, as well as semantic-level logic flaws such as IDOR and privilege escalation.

How will the new funding be used?
The company plans to accelerate core technology R&D, enhance product capabilities, and expand operations globally.
