ZAST.AI, an AI-powered code security startup focused on eliminating false positives in vulnerability detection, has completed a $6m Pre-A funding round, positioning itself at the forefront of a shift in cybersecurity standards.
The round was led by Hillhouse Capital and brings the company’s total funding to nearly $10m. The latest investment signals growing confidence from the capital markets in a new approach to code analysis—one that aims to ensure that every alert raised by security tools represents a genuine, verified threat rather than a speculative risk.
High false positive rates have long plagued traditional static analysis tools. Security engineers frequently spend hours validating alerts that ultimately prove to be harmless, creating operational inefficiencies and so-called “alert fatigue”. In such environments, genuine vulnerabilities risk being overlooked. ZAST.AI was founded to tackle that problem head-on, shifting the emphasis from reporting potential issues to verifying real ones.
The company’s proprietary “Automated PoC Generation + Validation” architecture underpins this ambition. Rather than merely flagging suspicious code patterns, its platform uses advanced AI to conduct deep code analysis, automatically generating Proof-of-Concept (PoC) exploits and executing them to confirm whether a vulnerability is real. This approach enables what the company describes as a “zero false positive” standard, marking a departure from conventional code scanning methodologies.
The fresh capital will be used to accelerate core technology research and development, as well as to support global market expansion. ZAST.AI said it is aiming to build an end-to-end AI-driven security platform capable of delivering high-quality security assurance at scale while lowering costs for development teams worldwide.
The company’s technology has already demonstrated traction in live environments. In 2025, ZAST.AI identified hundreds of zero-day vulnerabilities in production-grade code. These discoveries were submitted to recognised vulnerability databases such as VulDB, resulting in 119 CVE assignments. Affected projects included widely used frameworks and components such as Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, node-formidable and WordPress.
Beyond detecting common syntax-level weaknesses such as SQL Injection, the platform is designed to uncover more complex semantic-level flaws, including business logic vulnerabilities like IDOR and privilege escalation—areas that have historically proven difficult for automated tools to address.
ZAST.AI co-founder and CEO Geng Yang said, “In this industry, ‘Report is cheap, show me the POC!’ This was our founding intention. We believe only verified vulnerabilities are worth reporting.”
The company added that it already serves multiple enterprise clients, including Fortune Global 500 companies, underscoring growing demand for more precise, AI-driven security solutions.
Copyright © 2026 FinTech Global









