Discovery is becoming abundant. Actionability is still scarce.
I recently joined Cyber Defense TV to talk about one of the biggest problems in application security today: the industry is getting better and faster at generating findings, but proving which ones are real is still the harder part.
That changes how security teams work. When a finding cannot be verified, teams end up debating reachability, severity, and priority. A working PoC usually settles that discussion much faster than a long argument ever will.
At ZAST.AI, our approach is built around that reality:
Analyze — combine static analysis, code property graph analysis, and LLM reasoning to understand flows, assets, trust boundaries, and business logic
Generate — produce PoC candidates from the relevant execution context
Verify — run those PoCs against test targets to determine whether the path is actually exploitable
So far, that workflow has helped us turn candidate findings into verified results, contribute 150+ CVEs across projects including Microsoft Azure SDK, Apache Struts, and WordPress, and uncover hundreds of “forever days” in legacy IoT firmware.
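To make the Verify step concrete, here is a small added example (written for this page, not ZAST.AI's pipeline or code) of what "run the PoC against a test target and let the result decide" looks like in practice. The target, the candidate payloads and the oracle are all constructed for illustration: a file-serving helper with a single-pass "../" filter, three candidate findings, and a check on whether the resolved path actually leaves the base directory. Two of the three candidates look like the same path-traversal finding on paper; only running them shows which one survives the filter.

```python
import os
import tempfile
from dataclasses import dataclass


# Constructed target (example code, not a real project): serves a file
# under base_dir after a naive traversal filter. The filter strips "../"
# in a single pass, so nested sequences like "....//" collapse back into
# "../" and survive it.
def serve_file(base_dir: str, user_path: str) -> str:
    cleaned = user_path.replace("../", "")  # weak: one pass only
    return os.path.join(base_dir, cleaned)


@dataclass
class PoC:
    finding_id: str  # hypothetical identifier for the candidate finding
    payload: str     # the input the PoC sends to the target


def escapes_base(base_dir: str, resolved: str) -> bool:
    """Oracle: does the path the target would open lie outside base_dir?"""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(resolved)
    return os.path.commonpath([base, target]) != base


def verify(base_dir: str, candidates: list[PoC]) -> dict[str, bool]:
    """Run every candidate through the target and keep the oracle's verdict.
    True means the path is reachable and exploitable; False means the
    candidate did not get past the filter (or was never a traversal)."""
    return {
        c.finding_id: escapes_base(base_dir, serve_file(base_dir, c.payload))
        for c in candidates
    }


# Constructed candidates: what a Generate step might hand to Verify.
CANDIDATES = [
    PoC("traversal-plain", "../../etc/passwd"),          # stripped by filter
    PoC("traversal-nested", "....//....//etc/passwd"),   # collapses to ../../
    PoC("benign", "reports/q1.txt"),                     # control input
]


def run_demo() -> dict[str, bool]:
    """Verify the candidates against a throwaway base directory."""
    with tempfile.TemporaryDirectory() as base:
        return verify(base, CANDIDATES)


if __name__ == "__main__":
    for finding_id, exploitable in run_demo().items():
        print(f"{finding_id}: {'CONFIRMED' if exploitable else 'not exploitable'}")
```

The point of the harness is the oracle, not the payloads: the verdict comes from observing what the target actually does (where the resolved path lands), so a candidate that a static rule flags but the filter happens to block is reported as not exploitable rather than argued about.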
One of the main points from the interview was simple: as AI-generated reports continue to multiply, verification becomes more important for everyone in the process — researchers, vendors, CNAs, and defenders trying to prioritize what actually matters.
If you want the full conversation, the episode is here:
🎥 Full episode: https://lnkd.in/gDHy4wTN