
Seattle, USA, January 5, 2026 — ZAST.AI announces the completion of a $6 million Pre-A funding round. The investment comes from well-known investment firm Hillhouse Capital and brings ZAST.AI’s total funding to nearly $10 million. This marks recognition from major capital markets for a new solution that ends the era of high false positive rates in security tools and makes every alert truly actionable.
In 2025, ZAST.AI discovered hundreds of zero-day vulnerabilities across dozens of popular open source projects. These findings were submitted through trusted vulnerability platforms such as VulDB and resulted in 119 successful CVE assignments. The affected projects are production-grade code that supports global business, not lab targets. Notable projects affected include widely used components and frameworks such as Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, and node-formidable.
It is precisely within these widely adopted open source projects that ZAST.AI has discovered hundreds of real-world exploitable vulnerabilities with viable proof-of-concept (PoC) evidence. Maintainers of these projects at top technology companies such as Microsoft, Apache, and Alibaba have already patched their code based on the PoCs submitted by ZAST.AI.
“In the traditional field of code security analysis, high false positive rates have long been a core problem plaguing enterprise security teams. Security engineers spend a lot of time manually validating alerts generated by tools, resulting in very low efficiency,” said Geng Yang, co-founder of ZAST.AI. “‘Reports are cheap, show us your POC!’ This was the original intention behind the founding of ZAST.AI – we believe that only verified vulnerabilities are worth reporting.”
ZAST.AI’s core innovation lies in its “Auto POC Generation + Auto Verification” technology architecture. Unlike traditional static analysis tools, ZAST.AI leverages advanced AI technology to perform deep code analysis of applications. In addition to automatically generating proof-of-concept (PoC) code that exploits a vulnerability, it automatically runs the PoC and verifies whether it successfully triggers the vulnerability. The final report presents only real vulnerabilities that have been tested in the wild, achieving a revolutionary “zero false positive” effect.
“This is not an optimization, it’s a restructuring,” said a Hillhouse Capital representative. “ZAST.AI has redefined the standard for vulnerability validation, moving from ‘potential risk’ to ‘a confirmed vulnerability, this is a PoC.’ This changes the game.”
In terms of vulnerability coverage, ZAST.AI supports the detection of “syntax-level” vulnerabilities such as SQL injection, XSS, unsafe deserialization, and SSRF, and can also identify semantic-level vulnerabilities. These include complex business logic flaws such as IDOR, privilege escalation, and payment logic vulnerabilities, areas that have long been considered difficult for automated tools to reach.
Imagine a security tool crying “wolf” every day with a false positive rate of over 60%. By the time the real “wolf” shows up, the team may already be desensitized. This is not a human problem. It is a flaw in the tools, which can only guess, not prove.
Currently, ZAST.AI already serves several corporate clients, including Fortune Global 500 companies. By automatically discovering unknown vulnerabilities and directly providing actionable PoC vulnerability reports, ZAST.AI helps significantly shorten vulnerability remediation cycles and significantly reduce security operational costs, earning high praise from customers. This round of funding will primarily be used for core technology research and development, product feature expansion, and global market development. CEO Geng Yang said, “Our vision is to build an end-to-end AI-driven security platform that enables any development team to obtain the highest quality security assurance at the lowest cost. ZAST.AI will continue to deepen our AI + security innovations to provide customers around the world with smarter, more accurate, and more efficient code security solutions.”
