If you are here to view my presentation / research, that can be found here (currently working on this, please enjoy my latest presentation that was recorded at Recon Village).
I wanted to write a quick blog on what my experience has been like submitting and presenting a talk for conferences. I think that being able to present the same-ish topic multiple times allowed me to learn what works.
I plan on solely focusing on everything related to making and submitting a presentation. I won’t be talking about my presentation at length, at most only using examples to showcase my point in a couple of sections.
Keep in mind, this is my experience and opinion on how presenting / CFP submissions should be. Take it with a grain of salt.
The following is in order of what should be done first. It is possible to do these steps out of order and still be successful in being accepted to and speaking at a conference. However, the order below will help alleviate any unforeseen stress and help with being prepared rather than unprepared.
Intro
First, if you want to present something, then you have to understand why. The aim of a presentation is to share knowledge, but a key question here is why.
To have a good presentation, it has to be something that you personally believe you want to share, and it has to involve an idea (or ideas) that is new. This could be something that no one knows about, or maybe an idea that has already been discussed but on which you are able to provide a different perspective and way of thinking.
Once there is an idea that you want to present, then comes the hard part.
Making the slides
Most people think that presenting in front of people is hard. It has its challenges, but it wasn’t the hardest part of the whole process. From my experience, the hardest part was taking your idea / research and developing the slides for it. This will take time, but once the slides are finally done you hopefully don’t have to remake them all over again.
Some things I would like to point out here are the presentation styles that I have seen, which are mainly:
- Picture slides
- Bullet-point slides
- Wall of text
Out of the 3 here, AVOID option 3. As for the others, an example of picture slides can be found from a talk that John Hammond gave here. The main style of this presentation is having only pictures for the slides and the presenter speaking from memory. This type of style requires a bit more practice than the other styles.
As for bullet-point slides, this is the most common type that you will see. Though there is some nuance that comes with designing the slides. Some of the tips that I have heard and have implemented myself are the following:
- Have less than 5-6 bullet points a slide.
- Only have the text be in one sentence. A shorter sentence is a lot better.
- Try to include images in most of the slides. 80% - 90% of the slides should have images. GIFs also work very well if you have internet.
- Make the bullet points easy to read. Large text with contrasting color to the background that is easy on the eyes.
One other tip that I would give is to keep each slide on one “idea”. What I mean is that there should not be more than 1 thing that the audience has to follow. Do not try to cram a ton of information on a slide even if it’s all “connected”; separate it out so it’s more digestible to think about and, most importantly, read.
Also, build the slides so that if there is a specific thing that you want to cover, there is a slide for that. In the past, I had a couple of times where I would cover the slide presented, then go into the next bit of information, only for that information to be on the next slide. Since I had already talked about it on the previous slide, the new slide kind of became a moot point.
One benefit of this presentation style is that it helps guide you on what you are speaking about. The way I approached the slides was that the bullet points should act as reminders of what you are speaking about on the slide. This allows for more context and elaboration, and you won’t make the bullet points hold more information than they need to.
CFP Process
Once you finally have your presentation ready, this is where you can finally submit it to conferences you want to present at.
Surprisingly, there is strategy involved with this process. Below is what I was able to gain from experience.
Where to submit
This is one of the most important aspects of the whole process. Where you submit to will dictate if your talk will be accepted and what the audience is like.
Some “reconnaissance” will be required in order to see if the talk submission will be successful or not.
For example, some considerations are:
- What is the general theme of the conference? Is it intended for general security or a specific field of security (offensive, defensive, CTI, etc.)?
- Where is the conference located? Is the conference located at a college or a large venue?
- Are the talks that have been accepted in the past more geared towards beginners in a given industry, more experienced professionals, or all across the board?
- Are there any other conferences in the same area (city / state / province / country) and which one attracts more attendees? What is the level of complexity and depth of talks compared between both conferences?
- Does the conference only accept experienced speakers with advanced topics or accept new speakers with not as advanced topics? Or do they do both?
All these considerations were things that I picked up with my experience. Ultimately, how you feel about it, who you think would benefit, and what information you are sharing in your presentation will answer some of these questions. Though, it doesn’t hurt to submit your talk to conferences where you might think it won’t get accepted. More information on how to make your presentation more successful in being accepted in the future can be gained (more on that later).
Finally submitting (and what to submit)
Once you have found a conference you want to submit to, there are always a few items that will be the same across the board. There are some conferences that might require more information depending on what they prefer and how big the conference is in popularity / recognition. All of them require basic first name / last name and contact info. The rest below are what to expect and some tips I would give:
Title
IMO, the titles here should not be serious. What I mean is that the title should be corny, funny, satirical, on the nose, and other adjectives. If you look at the talks for a given conference, chances are that the titles that are on the not-so-serious side grab your attention more. The ones that are more serious already tell attendees what the presentation is about, but they do not give the conference goer any intrigue into reading what the talk is since it’s already stated in the title. The formula that I prefer talks to have is “General topic: funny descriptor” (Ex. Discord OSINT: Using the power of empathy banana).
There are other titles that don’t follow this format specifically that also do well. This all comes down to reviewing talk titles for various conferences, noting down what titles are most interesting to you (besides the topic itself), and taking notes. Ultimately, the title for your talk should make people interested in wanting to know more.
Abstract / Description
This is THE MOST IMPORTANT PART of the CFP submission. Most of your focus should be on creating the abstract for your talk, since this is what attendees of a conference will read once your title has convinced them that this is something of interest. From my experience, it is best to do a full summary of what the talk is, but don’t make it too long. What I mean is that if you are giving a talk on one subject that is fairly straightforward (ex. Pentesting SQLi), then the talk abstract should be about 1 paragraph, 5-6 sentences. If the talk is more specific, more generalized, or more detailed, then the abstract should be shorter or longer.
If you are giving a talk on research, then it is best not to try to hide what you will be presenting about. For example:
With Discord becoming very popular, it can be used as an avenue for information gathering like any other social media platform. Discord would seem unsuspecting for any type of OSINT with the way people participate and join servers. However, all of this could be used against them. I will be going over how OSINT techniques and methods are applied in Discord and how it can provide a wealth of information on a person of interest. I will also be covering Discord-specific techniques that have not been publicly disclosed before. I provide insights into what requirements should be needed, evasion and social engineering considerations, as well as protections against this at the user and server level.
Now, compare this to another abstract:
Open-source intelligence in Discord may seem surface level. Some techniques include searching through chat history using search operators similar to Google dorking and reviewing a user’s profile to look for any linked accounts tied to their Discord account. Going beyond this and analyze the servers that a user is a part of, more assumptions and inferences can be made based on those servers. I applied what I saw and experienced with Student Hubs and applied it to cybersecurity within Discord. The information from knowing what cybersecurity servers a person is in informed me of what their experience level was, the type of field they were interested / worked in, and potentially even where they lived.
However, you can only reach a certain point by joining servers within Discord. This type of approach can only be done at scale and this presents its own set of problems. Scaling this seemed unlikely to happen until a service known as Spy.pet was publicly disclosed in April 2024. Spy.pet was marketed as a data broker that was inadvertently a very capable OSINT tool that could be used for Discord. Knowing that it would be available for a short time before it got shut down, I was able to access Spy.pet to use and document what capabilities it had. Since then, there have been more data scrapers that have appeared with their own reasons. These include third-parties (malicious or not), academic researchers, and cybercrime groups. I will cover the capabilities and OPSEC failures from some of the data scrapers in the past year. Most importantly, I will go over protections at the user and server level.
The new abstract is able to talk about what is being presented while the old abstract still leaves some questions on what exactly is going to be talked about.
Note: The abstracts are about 1 year apart and the new abstract has new information in the presentation, both were going to present on Spy.pet.
However, if it is “new” research, you don’t have to exactly spell out the latest whatever that you found so other people can figure out what it is before you even speak on it. Even then, you will still have the opportunity to present on the subject if you get accepted.
Detailed Description
This portion has always been a struggle for me to find the right balance for. Usually, I either make a more detailed abstract / description or just write an entire essay.
Thankfully, after asking for feedback on my CFP once I was no longer accepted for speaking, I learned that the key is to emphasize what you intend the audience to take away from your talk. This does involve making the abstract / description more detailed, but also having more key takeaways and more specifics on what you will actually be talking about.
As for expectations on length, I would say 3 - 5 paragraphs on your talk would be sufficient. This is assuming that your talk is more than 30 minutes and the abstract / description that you did submit is around 1 - 3 paragraphs. TLDR, one page essay.
If you keep submitting
Some more strategy will be needed here if you plan on submitting your talk multiple times.
The main thing is figuring out what conferences you are planning to submit to and timing CFP application form submissions. You also need to have some considerations in mind like the ones mentioned above.
You will have success in being accepted if your topic is new. And if you have already given the presentation, then note down whether there is any new information on the topic. This is usually within the CFP submission itself, either as general notes to add or a specific section on whether you have presented it in the past.
Once you have been accepted / rejected a couple of times, you should have a reference for what you put in your CFP submission and see what was accepted and what wasn’t. Most conferences will use Sessionize or Google Forms (another one that I saw was pretalx). Sessionize will already have CFP history there for you to go back and review if you need to. However, if the CFP submission is a Google form, I highly recommend that you enable the option to send a copy of your response to your email so that you can go back and review it. If the option is not there, this is where noting down what you submitted will help. The goal is that you will have a reference of what works and what doesn’t.
If you don’t get accepted
The best piece of advice that I would give is to reach out to the CFP reviewer for the conference and ask for feedback on your submission. This will give you INVALUABLE information on what made them not want to accept your talk. This can then help you in the future when submitting your talk to other conferences. This is where keeping a track record of what you submitted will help.
There are specific things that conferences and reviewers look for but the feedback should help increase your chances of getting accepted across most conferences.
Actually speaking
Now that you have finally made your travel plans, did the verification with speaker ops, and showed up and got your free badge and merch for being a speaker, it is now time to present.
This ties back to what I already stated in the presentation section, but my strategy has always been having the slides help guide me on what I am speaking about. Not only should the slides be easy for the audience to follow, but you should also make the slides work as notes for yourself so they can help guide you on what to talk about.
Tips, tricks, and advice
Below are some other things that I picked up from speaking as well:
- Remember to turn off your blue light filter before presenting.
- Order an adapter for your laptop ahead of time if you think it will give you issues (the volunteers should have you covered if not).
- Remember to take the HDMI to Type-C adapter that you needed for your laptop and don’t leave it at a casino.
- Bring a bottle of water for when you are on stage if your talk is long.
- Have transitions in your slides that are for the audience to read so that you have that break to take a sip of water (take sips so you don’t choke on stage).
- Morning talks are the BEST slot for speaking at a conference (anytime before lunch preferably).
- If you care about anonymity, use your username / online handle for your first / last name when submitting.
- Ensure when you are taking screenshots, you capture the raw image first instead of adding blurs so that you don’t have to go back and redo the blurs.
Conclusion
With that, that is what I had on presenting from my experience.
I do need to add some links that probably do a better job at explaining the CFP process:
- https://defcon.org/html/links/dc-speakerscorner.html#nikita-cfp
- https://defcon.org/html/links/dc-speakerscorner.html#leah-cfp-process
- https://jericho.blog/2013/06/07/so-you-want-to-present/
- https://www.shmoocon.org/cfp-checklist/
I should add that I do not agree with one of the points made above. I feel that presenting the same talk could be done more than 2 times. Though I would say 5 is the limit. The ultimate goal is to present at a large enough conference where your talk is recorded so it can be publicized and shared more easily. Once that is done, the hat can be hung up.
Lastly, lack of “experience” should not stop you from sharing a unique perspective.