I'm Bernhard Wannasek, an application security lead from Austria. This site is where I write about AI, software security, and digital autonomy — and about what happens where the three meet.
What you'll find here
- Application security — threat modeling as it actually happens, supply-chain defenses that survive contact with a real pipeline, and the distance between frameworks and practice.
- AI security — what agents and language models do once you wire them into real systems, tested locally before anyone gets advice.
- Digital autonomy — running your own models and owning your own publishing. This site practices what it argues: hand-built theme, self-hosted fonts, owned end to end.
Background
I work as a Senior Manager for application and AI security at KPMG Austria in Vienna: security assessments, AI security strategy, and the engineering questions in between. I came to consulting from the building side — research software at the University of Vienna, then an Austrian internet service provider — which is why my assessments tend to start from the code. I studied at TU Wien, where I also taught distributed systems for a while.
- Since 2025Senior Manager, Application & AI SecurityKPMG Cyber Security Advisory · ViennaBuilt and lead the Application & AI Security service line: AI security assessments, threat modeling, software supply-chain security, and secure-development compliance under NIS2 and ISO 27001.
- 2020–2025Assistant Manager, then ManagerKPMG Lighthouse · ViennaCoordinated developer teams and owned the technical architecture of the solutions the division built and licensed to clients, including a cloud-native ESG platform adopted by several large banking and financial-services groups across Europe.
- 2018–2020Software Engineer, then Development Team LeadAustrian internet service provider · ViennaSoftware development on the provider's web systems, then led the development team.
- 2013–2018Software DeveloperUniversity of Vienna · Pharmaceutical ChemistryResearch software for pharmaceutical science in Prof. Gerhard Ecker's group, including data-management coordination for the EU project K4DD and talks at project meetings.
- 2015–2017Teaching Assistant & Research InternTU Wien · Distributed SystemsTaught Bachelor students the fundamentals of distributed systems — sockets, RMI, concurrency, basic security. As research intern, built a stream-processing engine whose topology could change at runtime without significant downtime.
Certifications
- Google Professional Security Operations Engineer, 2026
- OffSec Web Expert (OSWE), 2025
- Google Cloud Professional Cloud Architect, since 2023
- Offensive Security Certified Professional (OSCP), 2022
- Microsoft Certified: DevOps Engineer Expert, 2021
Elsewhere
I speak at security conferences now and then — see Speaking. The tools I actually run are on Uses. New essays land in the RSS feed.