How We Share our Software Security Research: A Guide to the Conference Talk Process


Part of Security Compass’s mission of being leaders in the field of software security is conducting research on new and developing security challenges. We’re actively engaged in sharing our work at conferences in North America, Europe, and other places around the world, and most recently presented on topics like moving Beyond the OWASP Top 10, Building a Blueprint for Financial Industry Security, and the value of Security Training for large organizations.

Our Senior Security Researcher, Aaron Hnatiw, has picked up a lot of tips along the way for researchers—whether in software security, information security in general, or other technical fields—who are interested in presenting at conferences but might not know where to start building their submission and delivering on a strong final talk. Here’s his guide to the conference talk process.


So you’ve just finished work on an interesting research project, and now you’re ready to submit a proposal on the subject to a conference. This guide will walk you through the process of putting it all together to apply to speak at a conference, followed by some key points to keep in mind when putting together your presentation. The goal is to get right to the important points, without any extraneous details (something to also keep in mind when putting together your material). So let’s get right to it.

Important considerations before applying

Conference Dates

This may seem obvious, but is easy to overlook in your excitement to apply to as many conferences as you can (which is also something to be careful about, because if your proposal is as good as you think it is, you may find yourself booked up for an entire quarter just doing conference talks; not great for business, or for your personal life). Make sure you can attend the conference on the dates listed. It may be a good idea to book the time in your calendar once you’ve applied, in order to block off the time if your talk does get accepted.

Cost Coverage

Most conferences will help cover things like travel, accommodations, and conference passes for speakers, however, this is never guaranteed. Be sure to check on the CFP (call for papers) page of the conference you are applying to for what they are able to cover for speakers. If you’re applying to speak at a smaller conference, or one halfway across the world, your costs may not be covered.


Be cognizant of the typical audience for the conference you are applying to. If your work is deeply technical, or in a very niche subject, it will likely be irrelevant to upper management crowds. The way audiences are usually split is either technical/operations or management. Be sure your talk lines up with your target audience if you want it to be accepted, and to reach the ultimate goal of presentations—to provide value to the audience.

As a side note, if your talk is more educational, or if you are providing training, you might want to check out my conference talk on how to do security training effectively, where I go into more depth around this subject.


Common requirements—prepare these first

Crafting a Bio

Most conference CFPs will require a speaker bio. What they are often looking for is whether you’re an expert in the subject matter on which you’re speaking. You’ll want to demonstrate that you are the SME (subject matter expert) by speaking to specific professional and personal experience with the subject of your talk, and listing out other relevant credentials you may have. I usually choose to end with something fun about myself (usually a hobby or pastime), to make myself more personable to both the speaker review committee and the audience. A common requirement is that your bio be no more than 100 words; this varies depending on the conference, but be sure you check for this requirement beforehand and modify your bio accordingly.

You can find a few examples of professional bios on the Black Hat review board webpage.


Every CFP will require an abstract of your talk. This is basically a high-level overview of what you will be speaking about. This usually ends up on the conference website and schedule as the description of the talk. The key to the abstract is to keep it clear and concise, while describing what makes the subject matter interesting, and leaving just enough of a hook to make the audience want to attend your talk. But remember: this is the key component that the speaker review committee will be looking at to determine whether to accept your talk or not. So be sure to include some details on the meat of your research.

The general format I like to go for when writing an abstract is as follows:

1. Describe the problem you’re trying to solve, or the question you’re trying to answer with your research. This is the most critical part of any research, so be sure to make this component clear in your submission.

2. Briefly discuss your solution, or the findings of your work.

3. End with what the audience will take away from the talk. This is critical. The talk has to provide value to someone. The more value, the better.

There is also often a word limit on the abstract, usually somewhere around 250 words.

Side Note: Title

Your title and your abstract are what will draw people to your talk. You want to make it sound interesting and relevant to the target audience. Always keep this in mind. Without an audience, you’re just talking to a wall.

Detailed Outline

Some conferences require this, although most do not; I find that the more highly technical conferences are usually the ones that ask for it. If this is optional, submit it anyways, as it really gives the review committee more information that will help them in selecting your talk. All they want to see is that you’ve actually done the work on the talk, and aren’t just “fishing for conferences.” It is also a way for conferences to prevent “bait and switch” scenarios (please excuse all the angling references), where speakers propose one idea, but end up speaking about something different (usually promoting a product, service, or company, which is a big no-no unless you’ve been invited to do that specifically by the conference organizers). When putting together a detailed outline, I usually write it out with bullet points denoting the main speaking points, and briefly highlighting the subject matter for each of those main points. Be sure to demonstrate that you have some actual material; including some hard numbers and facts from your research will usually help support this. Here is a more detailed description of what a good outline looks like.

Additional Requirements

Some conferences add an extra text box for you to list any additional requirements you may have in order to present your material. Some things to consider:

● A/V (audio/video) needs

● Adaptors (VGA, HDMI, mini-displayport, etc.)

● Do you require an internet connection for your talk (be sure to specify wireless vs. wired, if this is particularly important)

Do you need a visa to speak at the conference? This is an important consideration when you’re looking at speaking in other countries outside of your own.

Sometimes you can ask for something fun, like a single green gummy bear, but gauge your audience for this one.

Not-so-common requirements (good to think about)

Some other requirements that I’ve seen for conference talk submissions are as follows:

Reason this topic should be considered

Do your best to tie the topic of your proposal back to the conference itself, as well as to the audience that will be attending. Show how your audience will gain immediate value from attending your talk—this is why they have put together the conference in the first place! Is the topic “hot” in the news today? Does it affect a large portion of the population or a wide range of industries? If it’s something that people are thinking about, or should be thinking about, really highlight that fact.

Why you would be a good speaker for this conference

Similar to the last point, a conference needs to know why you should be at their conference presenting to their audience. You should tie your personal and professional experience back to the industry or market that the conference caters to. Find a way to “mesh” with the conference’s target audience.

Previous speaking experience

Some conferences may be more selective about the speakers they want to have at their conference. If the previous point about why you would be a good speaker isn’t enough, they may also ask about your previous speaking experience. Keep in mind that this doesn’t have to be just experience speaking at other conferences; although if you have any, be sure to include the names of the conferences, and any recordings you may have available of your talk. Some other ways to show speaking experience can include speaking at local meet-ups, teaching, leading instructor-led training, attending Toastmasters meetings, or recording and sharing YouTube videos and other video content.

Other general tips

Submit early

You have a better chance of getting in early on, as there isn’t as much competition for the topics at hand. It’s especially important to submit in the first round of CFPs if possible.

Grammar and spelling

Make sure to proofread all components of your submission. Get a friend to look at it as well, if possible. You’ll generally lose marks with the review committee if you have grammatical or structural errors in your submission.

Creating a conference talk

First thing’s first, watch this video.


Have you watched the video? All the way through? Have you taken notes? Good. Now on to some of the finer points of creating and presenting a successful conference talk.

Have a start, a middle, and end

A good conference talk tells a story. It has a narrative that takes the audience through a particular subject, always with a main point of focus throughout. When I write my conference talks, they usually follow a similar format:

1. Introduction: Give a high-level overview of the topic you will be discussing. Know your audience (see the point on audience above), and use that as the starting point for assumed knowledge on the subject. It’s likely that very few people in the audience have thought about your topic as deeply as you have, so try to bring everyone to a common level of understanding required for the subject matter. You want them to know enough to understand the point you are trying to make.

2. Content: This section is usually split up into finer points, but this is where you put the meat of your talk. All the numbers, facts, and findings should be included in here. But remember- don’t bore everyone with just facts and figures. Keep things interesting by adding relevant photos to your slides (memes are usually a hit at infosec conferences with a technical audience). This is where you would perform your demo, if you choose to do so (see the point on demos below).

3. Conclusion: Summarize the main points of discussion here, and leave the audience with one final message. Keep this section clear and concise, as this is likely to be the main thing the audience remembers about your presentation. Remember the main point of focus I mentioned? This is where you make that point clear to the audience, and tie everything discussed back into that point.


A common question around conference talks is “how many slides should I have?” This question is difficult to answer, and completely unique to every presentation. If you’re completely unsure, try to go with roughly 1 visual change for every 30 seconds that you will be speaking; this could be introducing a new bullet point, showing a picture, etc. (the content must be relevant though, otherwise it will only distract the audience). Just enough to keep the audience engaged. Of course, some slides may take more time and explanation, but it’s important to keep the presentation moving along, and a change of slides helps with that. Make sure you go over your talk a few times out loud with a stopwatch at hand, so you know exactly how long to spend on each slide, and to make sure you don’t go over time. Adjust your slide count and content accordingly. Another good rule of thumb is to leave around 8 minutes of buffer time, in case of delays due to A/V preparation time, technical difficulties, and Q&A after.


Technical demonstrations are a good way to really drive a point home in your presentation; they can provide proof to support your claims, and leave the audience with something they will remember. They also serve to break up a talk, and keep the audience’s attention. Always have a backup video of the demonstration in case the demo gods are unhappy that day. On that note- don’t forget the sacrificial chicken on the day of your presentation as well; the demo gods are a fickle bunch.


This is probably the most important point. You can’t deliver a valuable presentation if you’re finishing the slides on the flight to the conference (happens way more than it should). If you’ve given yourself enough time to prepare, then just remember- you’re the expert, and you’ll be fine.

Final Notes

That’s all! At this point, you should be sufficiently prepared to submit a quality talk proposal to a conference of your choosing. Always remember the most important point of all- your goal should be to give the audience valuable information that they can use. Teach them, entertain them, and surprise them. But most of importantly, have fun. If you’re enjoying the experience, it’s most likely that they will as well.

Good luck, and I look forward to seeing where your research takes you!

Follow Aaron Hnatiw on Twitter @insp3ctre.

Find Security Compass’s most recent research paper, “Gap Analysis of Code Scanners: A Deeper Dive into the Problem of False Negatives,” here, and our previous report, “Managing Application Security: Insights From Financial Institutions” here.



Previous Article
Moving Beyond The OWASP Top 10, Part 1: Race Conditions
Moving Beyond The OWASP Top 10, Part 1: Race Conditions

Most organizations use the OWASP Top 10 as the standard against which they test for security vulnerabilitie...

Next Article
Petya Has Left the World Afraid of Cyberattacks — And Our Industry is to Blame
Petya Has Left the World Afraid of Cyberattacks — And Our Industry is to Blame

By Nish Bhalla, CEO of Security Compass Image via Bhalla’s BNN interviewThis is not another article about P...