Lead Solutions Architect at XBOW. 20+ years securing software at scale. Author, conference speaker, and occasional code reader — helping security and engineering teams actually work together.
Mastering the Art of Application Security Testing — a practical guide for development managers, DevSecOps leads, and CISOs evaluating SAST, DAST, SCA, and container security tools.
I speak at international conferences on AppSec program design, DevSecOps transformation, and AI in security testing. Next up: WeAreDevelopers World Congress, Berlin, July 2026.
20+ years building and leading solutions architecture teams at Veracode, Deny All, and across DACH, EMEA, and APAC. Available as PDF download.
Anthropic recently launched Claude Code Security — an AI-powered vulnerability scanner that can analyse your codebase, trace data flows across files, find bugs, and even propose patches. A meaningful advance. But does it replace your AppSec programme?
The last few weeks have been loud. Anthropic's research found thousands of unknown vulnerabilities in weeks. The question nobody is asking: should that headline change how you think about your SAST tooling?
I've just started a new chapter as Lead Solutions Architect at XBOW — bringing 20+ years of application security experience to a new challenge.
Before joining XBOW, I spent nearly a decade at Veracode as Senior Principal Solution Architect, leading teams across EMEA and APAC. Most recently, I worked closely with the product management team to help shape the direction of our products — turning field insights and customer realities into roadmap decisions that actually stick.
In 2026 I published Mastering the Art of Application Security Testing — a practical guide for development managers, DevSecOps leads, and CISOs navigating SAST, DAST, SCA, and container security tools. I'm also a regular speaker at international conferences on AppSec, DevSecOps, and the evolving role of AI in security testing.
On the technical side: I would never call myself a developer — but I can read, write, and occasionally survive code, which apparently puts me in a very niche and dangerous category.
New chapter, day one. Bringing 20+ years of AppSec expertise to XBOW — where the work is just getting interesting.
A practical guide for managers and security leaders evaluating SAST, DAST, SCA, and container security tools. Foreword by Chris Wysopal.
Regular speaker at DevOpsCon, Enterprise:CODE, BSides, and OWASP events. Next up: WeAreDevelopers World Congress, Berlin, July 2026.
Led EMEA/APAC solution architecture and worked closely with the PM team to shape product direction. Scaled APAC from 0 to 27 engineers.