How to Get Accepted at Blackhat

One of the most common things I get asked as a member of the Review Board for the Blackhat security conference is, “How do I get my submission accepted?” It’s a fair question and it’s understandable how it would appear to be a total black box. But there is actually a fairly clear set of criteria that the board uses. We aren’t strict about these rules, which can vary from Review Board member to Review Board member. However, this is a pretty good list of things to think about when you’re submitting a talk:

  1. Make sure your content is original. This might seem obvious but it apparently isn’t to the vast majority of people who submit talks to Blackhat. Most of the submissions we receive are actually just re-hashes of other people’s presentations, either blatantly or inadvertently. Quite often people will try to package it as if they were the first ones to find it, even coming up with their own acronyms. This is a pretty sure-fire way to get rejected.
  2. Make sure your content impacts a lot of people. This is also often called the “marketing” requirement. Blackhat needs to get people to care about your presentation. If your wonderfully researched presentation filled with interesting technical detail impacts you and your friend but no-one else in the world, frankly, we applaud you, but we can’t fill a room with a presentation like that. Ideally your research should impact everyone, but think big. If your parents wouldn’t care if they saw the impact of your research on the news, chances are no one else will either.
  3. Make sure you fill out the CFP completely. If you forget to fill fields out, we will reject you. So don’t leave anything blank.
  4. Make sure you fill out the CFP correctly. Your outline matters. The tags you use matter. When we ask you why this would be a good presentation don’t tell us because you like Blackhat. We appreciate that, but it’s important for you to actually answer the question. We read everything.
  5. Make us understand what you actually want to present. This might actually require some work on your part. We might be too dumb to grok your genius without some pretty pictures. But the short of it is if we don’t understand what you’re trying to say, we might assume you don’t either. Outlines are important for us to understand the flow of your presentation and see what kind of guidance we might want to give you. Make sure your outlines are as detailed as you can get. Don’t be afraid of writing a lot, we’ll read it.
  6. Respond to the board when they ask questions. If you don’t reply to us, we may have to assume you’ve gone radio silent and aren’t interested in talking anymore. If we ask you a question and you do respond, please respond with as much detail as possible. We often have to get clarity on the vulns you’re sending us to make sure there isn’t overlap with existing research or other people who are presenting. Don’t worry, we keep our mouths shut – we’re all under confidentiality agreements.
  7. Demos, tools and 0days are much beloved. If you have a demo, that’s great. If you’re going to actually release (not just show) a tool, that’s even better. But the best is when you give us 0day. That always draws a crowd! Unfortunately the harsh reality is that offensive research always draws more asses-into-seats than defensive research. However, we are going to start having a defense-only track just for people who are interested in it. But if you say you’re giving us an 0day and then tell us that you told the company and it’s now been fixed, that’s not exactly an 0day now is it? Call it what it is, a non-issue for anyone who has patched.
  8. Make sure you speak the language, or get a translator. We definitely want people from all over the world to come and present. But please make sure that you are fluent in the language, and feel confident you can deliver your presentation without reaching for the words. Worst case, we’ll get you a translator, but we need you to tell us that you need one.
  9. Make it technical. Technical presentations are the cornerstone of Blackhat. If you aren’t technical, you’ll have to really step up your game to get past that threshold. Keynotes, for instance, don’t have to be technical, and some legal discussions can miss that too. But you really should try to submit a talk that is technical. Don’t underestimate how technical the audience can be. At the same time, you’ll need to explain yourself to those who aren’t as technical. So make sure you understand it well enough to explain it to your audience when they ask questions.
  10. Don’t submit a sales pitch. If you are selling product, great. If you work for a company, great. If you give a presentation about your product features and your client list and pricing, etc… you’ll never speak at Blackhat again. If we get a whiff of you submitting a talk that is a sales pitch, you’ll get rejected. We really really don’t like that. Really.
  11. Don’t spam the review board. Occasionally someone from some big company gets the crazy idea to submit dozens of presentations that are all the same or almost all the same. You spent countless hours doing the research and writing up all of those submissions, and in 10 seconds we rejected all of them without reading any of them. Don’t do it.
  12. Don’t ask for 3 hours when you can do it in 15 minutes. This is a tough one because so many presentations could go on forever with all of the issues related to them, but when in doubt go to the shorter time slot. We have more of the shorter slots so you’re more likely to get approved. If we see something is three hours we will apply about three times the scrutiny we would to a one-hour submission. It’s a big commitment to give someone a room for three hours, so if you’re going to ask for it you had better be able to back that up with three solid hours of good research.
  13. Be entertaining. Some people are just awesome. They’re charismatic, funny, well spoken, or just have amazing slides. Be that person. It helps.
  14. Don’t mess up! Just because you got accepted to Blackhat doesn’t mean you are instantly a hero. It’s actually probably the hard-swallow followed up by a “Dear lord, what have I just signed myself up for” moment. You now need to spend 2-4 months getting your research in order. People who don’t put that much time in almost always come across as under-prepared. People who don’t practice their presentation will naturally score lower. The reason you see researchers coming back to do more than one presentation is that they did good research and presented well. If you mess up you’ll probably never be speaking at Blackhat again, or at least not until you up your game. I am proof that Blackhat forgives — I gave a not-so-hot presentation when I was very young — but my advice would be to not mess up in the first place.

Occasionally when I tell people what they need to do, they say things like, “I don’t really have anything that would get past that gauntlet.” To which I have to tell them the hard truth: we get many hundreds of submissions and reject most of them. Yes, some people are destined to never speak at Blackhat. But there are many other conferences out there for less-technical content.

I’m on several other review boards as well for other conferences, and for the most part these rules all still apply, with the exception of the types of presentations that we’re most interested in. So this is a fairly good rule of thumb for all up-and-coming presenters. We love new presenters. Some of the best presentations I’ve ever seen were by untested new presenters, so don’t think that you have to be a seasoned old-timer to get into Blackhat or really any conference. Just make sure you’re as awesome as you can be! Also, be sure to check out Jer’s thoughts on the same topic for his take on things you should be thinking about.

That said, please submit!