Now that we are in the heart of security conference call for presentations (CFP) season, the time to act is now – actually, maybe yesterday – if you’re considering submitting to any of the big-name conferences. DEF CON’s CFP closes on May 1st, Black Hat USA’s shuts on April 4th, and there is a whole miscellany of lesser-known conferences accepting submissions, too.
To beat out the competition for presentation spots and get your shot at glory, your CFP submission needs to stand out among the countless other entries you are up against. Competition, after all, will be fierce for those coveted slots.
So how do you guarantee that your submission will get the eyeballs it needs to be accepted? Given that we’ve presented regularly at DEF CON, Black Hat USA, and other leading security conferences for over a decade, we can share some tips that will help increase your likelihood of submission success.
By somewhat “baked,” we mean that your idea meets the following criteria:
If you plan to have a proof of concept included in your talk, you need that proof of concept to work
If you’re focusing on a vulnerability, confirm that the vulnerability really exists
If you’re showing off an exploit, you don’t need the full exploit ready to go; however, you do need to know the core concept is ready
If you’re building a tool, the tool needs to exist in literal form and not merely hypotheticals; you should be able to demo it. (This is one of the biggest SNAFUs that occurs during conferences – a presenter promises to demo a tool, and the tool malfunctions at the last minute. Try to circumvent that nightmare-fuel scenario as much as possible.)
If you’re introducing the world to a new technique, the technique needs to actually work
The thread between all these situations is that it’s not enough to refer to things in the hypothetical (“this could exist”); whatever is at the core of your research needs to demonstrably exist. Otherwise, as we mentioned earlier, you might run into technical issues (e.g., your vulnerability doesn’t exist, or your POC fails to work the way you intended). This might seem like an obvious recommendation, but it happens so often in security conference submissions that it bears repeating.
A straight-to-the-point litmus test is: If your idea seems like it might not tangibly pan out, your idea is not fully baked and thus not ready to submit.
A CFP submission is made up of a content “pyramid” so to speak: There’s the title, the abstract, and the body of meatier information (aka the outline and any requested additional details). The title is the super critical top of the pyramid: It’s your most important part. It needs to grab people’s attention. After all, this might be the only part of your talk people pay attention to; make it count! You also typically have just a handful of words to work with, so keep things pithy and to the point. A long meandering title will lose readers with each word; this is not the time or place to pull a Fiona Apple.
Choosing an irrelevant title will also alienate and confuse people (e.g., if your title is completely unrelated to what you’re planning to talk about). It’s important to say exactly what you mean; don’t lean on fluff or general nonsense. At its most basic, your title should reflect your understanding of your topic and make sense.
And taking a page from SEO, it’s helpful to insert logical keywords into your title. If your talk is about an iOS exploit, put iOS and/or Apple in the title. This is an important touch because if your talk ends up being accepted, people will often use Ctrl+F on the conference’s agenda to search for topics that interest them. So if your title is irrelevant or missing keywords, you could be limiting your potential audience.
Although having some humor in titles is certainly encouraged, don’t lean so hard on being witty or cutesy that you don’t convey enough of your talk’s gist. Then your title ends up being all style, but no substance. And finally, if your talk’s title is misleading in any way or just entirely untrue, you have turned your talk into clickbait – and you risk building some not-so-good will by doing that.
To illustrate the above points, here are some example titles we’d want to avoid if we were submitting to a security conference:
Vulnerabilities in iOS – This isn’t really that bad of a title, but it could stand to be slightly more specific. What kind of vulnerabilities? And what version of iOS? It builds intrigue, but it’s just too vague. Now, if you have a title like “0day RCE Vulnerabilities for iOS 12,” make sure the vulnerabilities you’ll be discussing during your presentation actually are 0days, or you could come off as misleading.
Hacking Cool Stuff – This one is pretty obvious. Yeah, it has a fun goofy humor to it, but it’s an unhelpful title. See also: the “general nonsense” category. In reality though, no titles are quite this bad (we hope).
A common formula that works well is “funny name: literal description of the talk’s contents.” Some real-world Bishop Fox examples of this formula in action include “Hacking Smart Safes: On the "Brink" of a Robbery” as it shares the talk’s subject and incorporates a play on Brinks (the safe manufacturer). Another example is “Game Over, Man! Reversing Video Games to Create an Unbeatable AI Player” as it again highlights the talk’s focus and pairs it with a famous movie quote.
Ultimately, for your talk’s title, you want something that is possibly fun and intriguing, but mostly relevant and to the point. A Bishop Fox example of this is Andrew Wilson’s talk from CactusCon 2021, which was simply “Reverse Engineering Websites.” This title is a great example because it’s concise and accurate. It doesn’t risk misleading the audience and although it might not be the most stylistic choice, it works excellently.
The title might be your enticing hook, but the abstract – the second part of the successful CFP content pyramid – sells the reader on attending the talk. You want to get the reviewers’ attention; you’re convincing them that they want to see this talk and aren’t just being led on by the promises of the title. Write your abstract with the goal in mind that you want people to watch you present, be they virtual or otherwise.
This being said, it’s imperative that you keep your abstract short; it is an abstract, not a full-length book that you are writing. Plus, the more information you cram in your abstract, the more likely people are to gloss over it. Remember that essay structure from elementary school? That very same structure – introduction, body, conclusion – applies here. The three-paragraph CFP structure goes as follows:
First paragraph: This is the introduction to the story you are telling. Here, you are describing the why, the problem that is the impetus for you wanting to present, and the high-level overview of your talk.
Second paragraph: The second paragraph is your body, where you can get more in the weeds. Here, you can add more depth, and explore the concept at a greater length. You can give the reader a realistic preview into what your talk will be like in this second paragraph.
Third paragraph: Finally, the third paragraph is your conclusion and your CTA, aka your “call to action.” Here, you need to leave people hanging and wanting to know more. This should be what persuades the reader into attending your talk. Bishop Fox co-founder Fran Brown really mastered the art of doing this; read one of his abstracts for an example of a good conclusion paragraph.
A common abstract mistake to steer clear of – aside from including way too much information – is simply providing bullets and no further information. This is lazy, and it really doesn’t provide the reader with much to go off of when making a decision about your talk. Additionally, an abstract is not a condensed version of your talk. If you give all your secrets away in your abstract, what motivation will anyone have to attend your presentation?
Another way to picture your abstract is similar to a movie trailer. If you were making a movie, you’d want to market it with a trailer that doesn’t give away all the good, juicy parts. What you’d want is a movie trailer that pushes people in the right direction and captivates people so they are moved to see it upon release. The same can be said of your abstract.
Consider the example of the original 1980s “Empire Strikes Back” trailer versus the fan-made modern “Empire Strikes Back” trailer. The original trailer simultaneously manages to be a mess while giving away too much information; the modern trailer is far more alluring and leaves you wanting to learn more (even if you already know that Darth Vader is Luke and Leia’s father). When writing your abstract, go the path of the modern “ESB” trailer, not the original.
The last part of the successful CFP content pyramid is the more detailed content: the outline and additional materials. In most CFP submission forms, there’s usually a freeform area, which is where reviewers really want you to talk to them about your topic. This is the area that allows you to decide: Is my humble idea actually worthy of a conference talk? Is the research that impactful? Will others be able to use it in the future as a foundation for further research? If you are accepted, you must fill the allotted time slot (or at least come close to it), so there must be enough content for an actual talk – you can’t just hope that the audience asks you a lot of questions.
Another function of the outline and additional materials is that it pushes you to consider how you are presenting your information. Do you have a way of talking about this topic that’s interesting? Some presenters tend to overly focus on their slides. While slides certainly are an important asset, they don’t tend to matter as much as the story you are telling during your talk.
The outline and additional materials also can help prod you to consider if your talk is interesting and relevant to people. Nowadays, there are so many different vehicles for content. You can publish a blog post, create a social media thread, make a video, launch a GitHub page – why should your idea be presented in a conference talk above all other platforms?
Finally, this part of the CFP submission gives you a chance to win over the reviewer by providing insight into why you have a compelling talk on your hands. Show that you are doing the necessary work to make your talk a success. Include the source code for your exploit if you have one; call out the impact of your findings and any greater takeaways. Convince the reviewer that your idea not only exists but is worth sharing with the world.
Submit as early as you can in your desired conference’s submission window. Procrastination is tempting and we all fall prey to it at times, but in this case, you need to resist it. The earlier your submission gets in, the greater your likelihood of acceptance. Lots of people like to wait until the last minute, so if you’re doing that, your acceptance odds are lowered. You are all fighting for a tiny sliver of spots – and as time goes on this sliver becomes smaller and smaller. Submit ASAP to avoid the crowds and catch your reviewers while they aren’t quite as swamped.
Be sure to thoroughly proofread your CFP submission before sending it off – enlist a friend, family member, or colleague to give it another read, too. Proofreading software and reading your submission out loud can help, but sometimes it’s just useful to have another set of (human) eyes.
Hopefully, now you are a bit more prepared to submit your idea to the security conference(s) of your choice. Good luck, and happy hacking!
DEF CON Speaker’s Corner – This official resource from DEF CON has some great pointers for submitting to DEF CON as well as other conferences. And who better to listen to other than the DEF CON Goons?
Submitting a Talk for a Call for Presentations – Here’s another resource from the experts themselves – this time, the good folks at SANS. (It also has some helpful hints for creating a bio, which many people find painful.)
Create Good CFP Responses – This is the CFP guide linked to on Black Hat’s official website. It might be about a decade old, but it still contains some valuable advice.