Last updated at Wed, 30 Aug 2017 00:49:48 GMT

If you are just joining us, this is the second post in the series starting here.

Content is king. Research is what binds us, and you should not be surprised that some of the best in the game focus their annual research calendar on the Black Hat USA CFP. Offensive security research is the tail that wags the dog—many vendors and architects spend the year trying to get back in front of some of the bombs dropped at Black Hat each year.

There's a reason for the madness: Black Hat USA's CFP is arguably the most competitive and grueling in the game. (I might be a bit biased on that one.) In the Black Hat USA CFP, there is a bias toward offensive, bleeding edge, innovative research, with a soft spot for 0day, code, and tool releases. And there's going to be a lot of it.

Frankly, you will not catch it all.

You won't even catch a fraction of it.

Here's the kicker: Not all of it will be what you expected. When you're out there on the edge of the envelope, some of the content will be years ahead of its time, and may not make sense. Some content may only be accessible to the most technical attendees, while other sessions are aimed at executive management—there is something for everyone.

Pick SOME sessions.

Be deliberate in your selection process. Some folks are driven (obligated?) to sit in a talk every hour … and that's okay too.

Am I advocating you NOT doing that?

Yes—that is EXACTLY what I am advocating.

Someone has paid dearly for you to attend, and you should not be afraid to be fiercely protective of your time. (But please don't walk out in the middle of a session... if you can help it.)

The boss might ask, so here is my reasoning:

  • Humans are rarely great presenters. These topics are extremely technical, and speakers may not share your native language. (To be clear, very few speakers are not fluent in English). Taking the rich combination of highly technical information, fired at you faster than you can type by a nervous presenter, with the occasional what the heck did they just say moment— you'll need time after the talk to figure out what just happened. It may be weeks months or years before you completely unravel it. (It also may be that the speaker is half genius and half insane, which is also okay!)
  • Your tribe is as much around you as it is up at the podium (if not more so). Listen closely to the attendee murmur and questions - don't just seek out the speaker with your questions, target attendees you found fascinating or informed. THOSE PEOPLE are your tribe. They know about things you care about, they chose a session you chose, and were discussing/asking questions you share. (That said, don't spook them- more on this in an upcoming post…)
  • You need the time and mental space to capture what you're hearing. That means you need to be able to jot down notes, clarify follow-up items, shoot an email, and participate in social media conversations. If you don't fully grasp what you saw- you won't be ready for an after-event speaking slot sharing what you experienced. (Sound scary? That's a thing. Be ready. Expect it.)
  • You might hear about a phenomenon referred to as “Hallway Con” — i.e. meeting and mingling with peers in the hallways of the event — and it is a thing you should invest in. At no other time (ALL YEAR) will this many InfoSec brainiacs converge to share. Take or join them in sessions, or checking out other parts of the show.
  • THE TALKS ARE RECORDED. To be clear, that is NOT a reason not to go, you miss out on the people (seeing a pattern here yet?). Catch the talks you find most important or controversial— these stimulate conversation, and set the tone for the week, and many months to come. THIS is where you meet people. The stuff you found interesting you can watch back home with friends. Bet on yourself- buy the videos (or expense them, if you can)… or wait (what, 90 days?) until the videos get posted online.

So don't feel bad about inevitably missing talks. It's going to happen, either by accident or by design.

Sold? I hope so. Still debating? Fine. You're an adult, you'll do the right thing and play some hooky anyway (and we won't tell anyone—it is Vegas after all!)

How to pick the right sessions.

Several schools of thought, and I'll try to be brief explaining two of them.

  • The first and most obvious is capturing what is important to your day job and personal development (to prepare for your trip report,) justifying your trip this year, and hopefully in the future. We'll call this “Pragmatic Selection”
  • The second is a bit more opportunistic, based on what's available, looks interesting AND is feasible in your schedule. I'll give an inside look into how I tried to organize the schedule… just in case some inside baseball helps. We'll call this “Reverse Engineering the Schedule.”

Pragmatic Selection

When in doubt, this tends to be the session-picking criteria that a lot of people fall back on, and that's fine. To do this, there are a few key questions you'll need to answer here:

  • Which sessions at Black Hat will affect my employer and day job most?
  • The week after, when I get back to the office, which sessions will give me new perspective, making me more effective?
  • If my boss is a fan of specific work, what can I see that will give them FOMO for next year? (FOMO == Fear Of Missing Out, which might help guarantee your return trip, allocating budget for your boss and other teammates… you'll be a hero. Trust me.)
  • Are there talks your team is already interested in?
  • What (talks|speakers|sessions) will inspire me or challenge my way of thinking, leading to personal growth?
  • Go to a talk you are CERTAIN you won't understand. Osmosis learning is a good thing.

Answering these questions will narrow your selection quickly.

No doubt about it, this is a herculean task, so be absolutely ruthless in picking your 4 favorite talks.

Ruthlessness is important in the face of a dizzying array of options: The keynote, 13 hours of briefings content over two days, 9 tracks wide (not counting sponsored content, the Arsenal, and workshops!)

Point of performance: When you commit to a session, carefully choose a backup for that hour. PUT IT ON YOUR CALENDAR, including the backup and room info, with the abstract, and speaker bio in the notes.

Why all this talk about a backup? You'll be prepared for the curveball others weren't expecting—when two of your “must-see” talks land in the same hour, or when you show up for a talk to find it full. (Bet on it happening, more often than you'd think.)

Reverse Engineering the Schedule

By answering the question “What's hot this year?” you can choose sessions using predictive migratory patterns.

TL;DR for this section: Figure out which rooms are the biggest. The talks you find interesting in the big rooms will probably be the hottest talks.

Look at the scheduling grid, the ‘x' axis tracks rooms in any given hour, the rooms start small and get larger as ‘x' increases. The bigger rooms are the talks the conference organizers are betting have the strongest draw, most interest— due to the size of the associated research tribe, star power, or the controversial nature of the content.

The ‘y' axis represents the hour. Where possible, your content type (let's say Exploit Development) should have only one session per hour. This is almost impossible to achieve with content types that have overlap, like Mobile and WebApp Sec.

On Content Tracks

Think of content types as “conference tracks” — they just move from room to room. (In smaller events, you'd have a dedicated room for conference tracks, but not at Black Hat).

I keep talking about finding your tribe. If there is a very specific piece of research, that matters to your work or interests you in a unique way, there will be others drawn for that exact reason. GO TO THAT TALK.

Conference organizers take the track selections (let's say 10-15 selected talks) and stack rank them for popularity, then move to the schedule grid.

Any given venue will rooms ranging in size based on the needs of the event. Caesar's Palace, the previous venue, had 3 super large room options. Mandalay Bay, the 'new' venue, affords considerably more flexibility. At Caesar's, we placed the hottest talks in the large rooms, then populated the rest of the ‘tracks' through the hours, based on their relative stack rank.

What about the “Power Hour”?

On occasion, you'll have unavoidable conflicts where several hot talks, with strong presenters offering similar content types, hitting during the same hour. Colloquially this phenomenon is called a “Power Hour”- speakers love and hate them, and feel like they are competing with  friends, and missing talks THEY wanted to see.

Some say this is done on purpose, I leave that to your deliberation. As much as possible, organizers work with the Review Board to estimate the relative draw.

When one of the talks you want to see will hit during a “Power Hour” —get there early.


Fire code is the limiting factor, and safety is serious business.

Asking Questions

Questions asked should support the speaker, improve clarity, reduce ambiguity, and improve the audience relationship with the speaker. If you are new to this whole conference thing—and you're not already there with 500 of your closest friends— I urge you strongly to think twice before speaking up.

  • If you aren't 100% confident in the question you want to ask, you may be wise taking note of the presenter's Twitter handle & email address.
  • Maybe ask the question of the speaker privately afterwards the session ends.
  • Consider using your question to start conversations with other attendees.

In parting, I leave you the idiot's guide to asking questions during a presentation (author unknown), see image at right:

If I've missed something, you have sage wisdom to add, or want to join the conversation—or even ask a question!—please comment or hit me up on Twitter.


Continue on to Part 3 of this series: Networking at Black Hat Like A Boss

...Or go back and read Part 1: How to Survive Black Hat

Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.