The Zero-False-Positive Era: ZAST.AI Secures $6M Pre-A Led by Hillhouse Capital

ZAST.AI

In a move that promises to dismantle the most persistent barrier in cybersecurity, the plague of alert fatigue, ZAST.AI has closed a $6 million Pre-A funding round. The investment, led by the premier global investment firm Hillhouse Capital, brings the startup’s total capital to nearly $10 million, signaling a robust market appetite for verified vulnerability intelligence.

The round validates ZAST.AI’s mission to transition code security from speculative risk reporting to absolute confirmation. By eliminating the manual verification bottleneck, the platform enables enterprise security teams to focus exclusively on remediating proven threats rather than chasing ghosts in the code.

A New Mandate for Verified Security

The funding coincides with the formalized leadership of Geng Yang, Co-founder and CEO, who has steered the company toward a “POC-first” philosophy. Under Yang’s guidance, ZAST.AI has developed a proprietary architecture that bridges the gap between static analysis and real-world exploitability.

ZAST.AI uses an automated Proof-of-Concept (PoC) generation and validation engine. Unlike legacy tools that flag potential syntax errors, ZAST.AI’s AI agents analyze code in depth, generate a functional exploit, and execute it in a sandboxed environment to prove the vulnerability exists. This “zero false positive” standard has already been stress-tested in the wild: in 2025 alone, the firm discovered hundreds of zero-day vulnerabilities, resulting in 119 CVE assignments across critical infrastructure including the Microsoft Azure SDK and Apache Struts.

From the CEO’s Desk

Reflecting on the industry’s shift toward radical transparency, Geng Yang, CEO of ZAST.AI, noted:

“In this industry, ‘Report is cheap, show me the POC!’ This was our founding intention. We believe only verified vulnerabilities are worth reporting. Our vision is to build an end-to-end AI-driven security platform, enabling every development team to obtain the highest quality security assurance at the lowest cost.”


Editor’s View

The significance of ZAST.AI’s latest capital injection lies in its direct assault on the economics of “alert fatigue.” For decades, the cybersecurity industry has operated on a high-volume, low-fidelity model that effectively offloads the risk of verification onto the customer. By appointing Geng Yang to lead this commercial expansion, ZAST.AI is betting that the market will consolidate around “confirmed truth” rather than “potential risk.” The involvement of Hillhouse Capital—a firm known for backing infrastructure that redefines entire sectors—is a powerful signal that the traditional static analysis market is ripe for a structural reconstruction.

[Image comparing legacy static analysis vs. AI-powered PoC validation]

Strategically, ZAST.AI is moving into territory previously occupied only by elite human red teams: semantic-level business logic flaws. By automating the discovery of complex issues like IDOR and privilege escalation, the company is effectively commoditizing high-end security research. For the Fortune Global 500 companies already in ZAST.AI’s portfolio, this represents a massive reduction in the total cost of ownership for secure code. As the “software-defined everything” era accelerates, the leadership’s ability to provide a “triple zero” guarantee (Zero-Day discovery, Zero False Positives, Zero Manual Confirmation) positions the firm as the indispensable gatekeeper of the modern DevSecOps pipeline.
