No More Crying Wolf: ZAST.AI’s $6M Bet to End False Alarms in Code Security
Subtitle: A Seattle startup claims it can finally silence the “false positive” epidemic plaguing security teams worldwide.
For years, security teams have lived in a digital hall of mirrors-endless alarms, most of them false, drowning out the rare real threat. But what if an AI-driven tool could cut the noise, leaving only verified, actionable vulnerabilities? This is the bold promise from ZAST.AI, a Seattle-based startup that just secured $6 million in Pre-A funding to scale its “zero false positive” code security platform. Is this the start of a new era in vulnerability detection-or just more cyber hype?
ZAST.AI’s breakthrough is rooted in a simple but radical idea: only report vulnerabilities that are proven to be exploitable. Traditional static analysis tools flood teams with speculative alerts-often with a false positive rate exceeding 60%. Security engineers spend endless hours investigating phantom threats, eroding trust in their tools and missing real attacks hiding in the noise.
“Report is cheap, show me the PoC!” says Geng Yang, ZAST.AI’s co-founder, referencing the mantra that inspired the company. Instead of relying on static code scanning alone, ZAST.AI’s platform uses advanced AI to deeply analyze code, automatically generate Proof-of-Concept exploits, and validate them by executing the PoC against the live application. If the exploit works, it’s a real vulnerability. If not, it’s never reported-cutting false alarms to zero.
The results have been dramatic. In 2025 alone, ZAST.AI’s system uncovered hundreds of zero-day vulnerabilities in widely used open-source frameworks like Microsoft Azure SDK, Apache Struts XWork, and Alibaba Nacos. The company submitted working PoCs to project maintainers, who swiftly patched the flaws-evidence that this approach isn’t just theoretical.
But ZAST.AI isn’t stopping at common bugs like SQL Injection or Cross-Site Scripting. The platform also hunts for “semantic” vulnerabilities-complex logic flaws such as Insecure Direct Object References (IDOR), privilege escalation, and payment logic weaknesses-areas where traditional tools often fail. By focusing on proven exploits, ZAST.AI aims to make every alert actionable, slashing the time and cost of remediation for its enterprise clients.
Industry observers are taking note. A Hillhouse Capital spokesperson calls this “a reconstruction, not an optimization”-a shift from “potential risk” to “confirmed vulnerability, here is the PoC.” For security teams exhausted by false alarms, the promise is seductive: a tool that never cries wolf.
As ZAST.AI gears up to expand globally, the real test will be whether its technology can scale and adapt to the ever-evolving threat landscape. For now, the company’s vision is clear: eradicate false positives, empower developers, and restore faith in code security tools. If they succeed, the era of endless, empty alerts may finally be over.
WIKICROOK
- False Positive: A false positive happens when a security tool wrongly labels a safe file or action as a threat, causing unnecessary alerts or blocks.
- Proof: A Proof-of-Concept (PoC) is a demonstration showing that a cybersecurity vulnerability can be exploited, helping to validate and assess real risks.
- Static Analysis: Static analysis examines code without running it to detect errors or vulnerabilities early, helping improve software quality and security.
- Zero: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
- IDOR (Insecure Direct Object Reference): IDOR is a vulnerability where attackers access unauthorized data or functions by manipulating object references, due to missing access checks.




