Code security firm ZAST.AI raises $6m funding

ZAST.AI, a firm focused on eliminating false positives in code security analysis, has raised fresh capital as it looks to expand its technology and global reach.

The firm positions itself at the forefront of a new era in code security, aiming to ensure that every vulnerability alert is actionable rather than speculative.

The company announced it has secured $6m in a Pre-A funding round led by Hillhouse Capital. The latest investment brings ZAST.AI’s total funding to nearly $10m to date, marking what the company describes as strong validation from capital markets of its “zero false positive” approach to AI-powered code security.

At the heart of ZAST.AI’s offering is a proprietary “Automated PoC Generation + Validation” architecture. Traditional static code analysis tools often flag potential issues without verifying whether they can be exploited, leading to high false positive rates and alert fatigue among security engineers.

ZAST.AI instead uses advanced AI to conduct deep code analysis, automatically generating and executing Proof-of-Concept (PoC) exploits to confirm whether a vulnerability is real. The company claims this process enables it to achieve a breakthrough “zero false positive” standard, fundamentally changing how security teams prioritise and respond to threats.

The new funding will be used to accelerate core technology research and development as well as to support global market expansion. ZAST.AI says it is already working with multiple enterprise customers, including Fortune Global 500 companies, and plans to further scale its platform to meet rising demand from development teams seeking higher-quality security assurance at lower operational cost.

The firm points to real-world results to demonstrate its capabilities. In 2025, ZAST.AI discovered hundreds of zero-day vulnerabilities in production-grade code. These were submitted through established vulnerability platforms such as VulDB, leading to 119 CVE assignments. The affected projects included widely used frameworks and components such as Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, node-formidable and WordPress.

Beyond common syntax-level issues like SQL Injection, the company says its technology can detect complex semantic-level vulnerabilities, including business logic flaws such as IDOR and privilege escalation—areas that have historically proved challenging for automated tools.

ZAST.AI co-founder and CEO Geng Yang said, “In this industry, ‘Report is cheap, show me the POC!’ This was our founding intention. We believe only verified vulnerabilities are worth reporting.”

CEO Yang added, “Our vision is to build an end-to-end AI-driven security platform, enabling every development team to obtain the highest quality security assurance at the lowest cost.”

Copyright © 2026 RegTech Analyst
