Thomas H. Ptacek

Black Hat Submission Advice

There’s a model submission example on the CFP submission page but my general advice starts with: Don’t overthink it. The median accepted submission is probably about 1000 words.

DO. NOT. WRITE. YOUR. SUBMISSION. IN. THE. CFP. SUBMISSIONS. APP. Write it out fully somewhere else, then paste it in. Don’t draw ASCII art. The CFP app will ruin it.

Be careful what track you submit to. There is no reliable process inside BH for moving talks submitted from the wrong track to the right one. It might happen, it might not. Assume you’ll get 50% more attention from reviewers on your primary track than on your secondary one. (i.e., reviewers covering the Mobile Security track are interested in mobile; that’s why they’re there.) Make your primary track the one where you have the best pitch.

Each submission gets 10 different reviewers, each working through ~200+ submissions. They’ll give your submission a default ~5 minutes, so state clearly and repeatedly in every section what makes your work (1) novel and (2) impactful. Novelty and impact, stated clearly, in the abstract and outline. You’re already ahead of 80% of all submissions.

There is virtually no FOMO motivation in reviews. If you write a submission that is halfhearted about why it’s important, reviewers will assume it isn’t.

There are so many submissions that a lot of reviewers are going to take any opportunity they’re given to quickly bucket your submission. So:

Warning: If you work for a company that does anything related to what your Black Hat submission talks about, find ways to make it clear that you won’t be talking about your employer. Reviewers are allergic to pitches and will assume that’s what you’re trying to do.

Warning: Getting into Arsenal can be hard. Unless you’re submitting to Arsenal, or the thing you built is literally one of the most important new things built this year, don’t make the core of your pitch be a tool you built. Everybody does that! Makes it too easy for reviewers to write a “would be good for Arsenal” review.

Warning: If you’re writing a “case study” talk, know that case studies are the easiest kind of talk to write, so you’re competing with dozens of other case studies. I like case studies and think we need more (I’m just one reviewer). But really play up what makes your case important.

Warning: Be careful about stale topics. I’m not going to say what they are; go look at the last 4 years of BH. I’m not saying don’t submit a “machine learning cloud security” talk. I’m just saying probably don’t call it that.

Black Hat reviewers are overwhelmingly technical and most have spoken at BH previously. Don’t overwrite; assume we know what to look for in your technical details.

But: if you’re writing a talk like “I have a pattern of bugs that breaks every Relay and GraphQL application”, don’t assume reviewers are super familiar with GQL. We’ll understand the talk but not necessarily why GQL matters. One of the best 2017 talks barely squeaked in because of this.

Seriously though: at ~1000 words, a decent CFP submission is less work than a medium-sized Reddit comment. It costs you very little time to submit. Whatever else you do, err on the side of submitting!