So You Want to Give A Talk: How to Write a CFP

Good morning everybody. Welcome to Bides Las Vegas 2025. How's everybody feeling? There we go. I like those woos. Makes me feel good. First, a couple quick announcements. Silence your cell phones. Be courteous to those around you. Uh there's no uh photography without explicit uh permission from anybody who's in the frame. Just a reminder though, this is being live streamed and uh recorded. It's going to be put on YouTube. So, uh you can gather it there. Now, first thing we like to thank our sponsors. Uh we're going to go with uh uh the diamond sponsors Adobe and Aikido. Uh and our gold sponsors uh is going to be Drop Zone AI and Profit. Their support along with the donors and

volunteers make this event possible. Uh see, thank you. Thank you. He was moving it because it was making the screen. >> Oh, okay. Yeah, >> we're getting some last minute tech stuff handled. >> Go for it. Yeah, you can keep you can keep going. >> What's that? >> You can keep going here. >> Now, guys, kicking off this session is uh somebody who knows exactly what it takes to grab a mic and crush your very first talk. Phil Young, better known as the soldier of Fort Ran. He's been with Bides Las Vegas since 2012 where he gave his first talk. Uh since then he's mentored countless speakers, coach voices at Bsides and Black Hat and built

mainframe penetration testings uh programs for Fortune 500 companies uh with expertise in everything from RACF to IMF. His he is a force in the world of mainframe security and today he's here to help you bring your ideas to life on stage. Please join me. Give me a huge bsides welcome to Phil Young, the soldier of fortrin. Um morning still. Uh, I know I'm the last I'm I'm keeping you. I think there's a talk after this one, right? I think so. Anyways, um so this talk came about uh I live in San Diego and the local group there uh has talks once a month and so I gave a talk. I do a lot of CFP reviews

and I remember the first time I gave a like the first time I submitted a talk was bad like bad just rejections across the board. It took me a while. The only place I would take it was besides in their like you need help program that I now run, right? And so after that I was at Black Hatch Mukon and like and writing a safe is kind of an art, but it's also very scary if you've never done it before. There's there's lots of guidance, but there's also too much guidance and everyone has their own take on it. So this is my take as a CFP review person at Bsides. The last time we had a talk like this was 2016 and it

was a panel about CFP like just just a panel. So I wanted something a little more structured that sort of walks you through what to expect, what a CFP is, all those things. So like I said, I'm the chair for proving ground. If you've never ever given a talk before, submit to that track. The talks are 20 minutes. You are assigned a mentor, right? We're a little more lenient on the CFPs because most people's first time, right? So long as you follow the rules on the website, uh lots of people don't follow the rules and then we would just reject their talks, right? So just follow the rules, you'll be fine, right? But anyway, so great program for first- time

speakers. Um I also am a reviewer for Besides Singapore. I'm a black hat speaking coach. Uh, I speak I'm actually speaking at Black Hat on T on Wednesday and then again at Defcon on Sunday. If you're looking at it, yes, it is at Sunday 10:00 a.m. So, there will be probably less people there than there are here in this room right now. All right, that's fine because it'll be on video and it'll get like a thousand something views. Alrighty, so you want to give a talk, right? Why? Why would you want to do that? That's a terrifying proposition for some people, right? Why would you do that? There's like a bunch of reasons why you want to

do that. You've got a cool new tool that you developed. You spent six months developing solving a problem and developing a tool and you want people to know about it. You learned so much figuring out how to do that that you want to teach other people so they can stand on your shoulders. Great. Uh, you like giving talks, right? I was a theater major in high school. I did improv. I like being up on stage, right? I'm not a good actor. So, this is what I do. Okay. You like giving talks. Um, there's something that people should know. Like they said, I do mainframe talks, right? Mainframes are like systemic platforms that drive the economy, drive airlines, logistics,

trains, governments. Nobody was talking about them and they weren't as secure as people thought. So, I had to start talking about it because no one would, right? So, there's a thing you're worried about. I call those awareness talks. The thing you're worried about, it's time to get the awareness about it. uh you want to share your novel research. You're thinking like again like the main frame. Why is no one talking about this? This is terrible that guess what? You're the one that's going to talk about it, right? That's just how it works. Let's see. Uh you want to improve your personal brand. Gross. Okay. Uh don't don't give a talk just to improve your personal brand. It's a side

effect, but don't do it just to improve your personal brand. Uh I love this one. You're the one, you're the person who says, "Actually, it's more of a comment than a question." If you, if you're that guy or gal, just come up here and give a talk, okay? If you have more opinions than questions about a topic, should be up here being the person that has to listen to someone say, "Um, actually, I have a comment, not a question. Um, oh, this one's good. You think I suck and you could do better." You probably could, right? That's probably, right? But you won't know until you're up here doing the talk. So whatever the reasons are,

right? These are just like some dumb examples. There's a million reasons why you want to be up here, right? But doesn't what the So all kinds of reasons, but it's scary, right? It's super scary. The worst thing. So like let's talk about the CFP process. The CFP process is pretty much the same across the around the world. Um, most CFPs are volunteer run. Right now, I'm talking about the I'm not talking about like an Ale E symposium. I don't know. Those people might be paid to do reviews, right? But for the most part, all of the reviewers here at Bides, Defcon, Black Hat, it's a volunteer thing because we love doing it, right? It's um RSA and Black Hat do have some

vendor tracks. So those are tracks where you just pay to play. There's no there might be some mild CFP reviewing, but like if anyone ever remembers the talk from like five, six years ago about time AI at uh about crypto like AI was inventing new crypto and something it was all garbage. It was a vendor talk at Black Hat, right? So um it's it's it's really a a passion for lots of us. I know there's another C a few CFP reviewers here in the room and so it really is just a passion project for us. the when when they want to pick a talk, right? When you want to pick a talk to give, we

call that a CFP process. It's called for papers. I have never seen someone submit a white paper to call for papers. It's just a holdover from like academia where that's what it's called because you literally submit your paper. But in in like places like Bides, you don't please don't submit a paper. We're not going to read like 70 page dissertation for a 45 minute talk. All right, don't do that. Okay, lots of places have different processes for CFPs. Some of them use Google Sheets, right? Uh actually BSI used to use Google Sheets. Okay. Uh some of them use a platform like pre-talk or sessionize. Sessionize is great. Like besides uses pre-talks, pre-talk is also good. But

sessionize is cool where you submit your talk to a con, you get rejected or you know it was a small room, it wasn't recorded, you can literally resubmit it to any con you want to submit it to, right? Um and then black black hat and those things they have their own thing. And then defcon uses shareepoint now like forms. So 20,000 person conference using forms. Okay. They all have the same requirements that we're going to talk through. You got your talk title, your abstract, your outline, your bio, and then some of them have bonus things that you got to do. Typically, it takes three to four like typically they open three to four months before the con. You

will submit, you have a large window to submit it. Um, notifications go out about one to two months before the con. One conference that's in the mainframe space, you get five days. They open the CFP and then they close the CFP. So, you got to be on it, right? Nothing precludes you from pre-writing it beforehand and then submitting it when the window opens. Um, rejections usually follow notifications. Some conferences have backup speakers, all kinds of stuff. Uh, the review board is made up of of people like me. Um, five to 10 experts. Sometimes they're not experts in your specific field, but we kind of know what makes a good talk, right? Um, they all read the

submissions and all that stuff. And then what happens after after all those reviews come in, the track chairs will aggregate all the scores and tell you, hey, this is no good or no, I don't want to pick this talk. And then they they pick all the talks based on the scores and we just sort it by highest ranking to lowest and then we go through and then we we just do it once over make sure it makes sense. So is it scary submitting a CFP? Yeah, it is super scary the first time you do it. Okay, the first time you do it, it is super scary. After that, it's not such a big deal. Why? So, what is

this? I I have a I have a prize that I brought from Comic-Con. It was free, so don't but like it's a fan. But so I'll ask what is So you submit your CFP. What is the worst thing that can happen after you submit your CFP? >> Hi. They laugh at you. >> They don't give you any feedback. >> They don't give you any feedback. They say no. You're all very close. >> Your talk could be accepted. That is the most terrifying part because now you actually got to do it. Okay, like you got to make slides and content and all that stuff. Okay, let's talk about the sections. This is the most if you get anything out of this talk, this

is the most important part of the talk. This talk may go a little long, but it's important you understand the sections of a CFP. They're not explained very well. You get to one and they're like, I need an abstract. And you're like, what's that? Right? I need a I need an outline. What does that look like? So, I'm going to walk you through those and uh hopefully we'll start you'll start thinking like, "Oh, okay. I know what to do now." The title, the title should be, let's see, what did I put there? Should be less than 75 characters. Can be longer, right? So long as it's real good, right? But it doesn't need to be super long. This sort

of serves um as your like like like your your first your first impressions on someone, right? This is the first thing they're going to see when they open up your CFP, right? And so if your title is super boring or super dry, that can sometimes go like, I don't know, what am I getting into? Right? But also, if it's too me'd up, I'm also like, I don't know, what am I in for? Right? So, it's a little balancing act. Uh, let's see. So, here's some examples of bad a bad one. This is a bad one. Buffer overflows in gaming. It's fine, right? But what could this talk be about? Anybody want want to guess, right? Like, could be about anything.

Now, I got to go read the abstract. Hang on. I don't got time for that. Well, in the conference, right? You answered the yes, right? Yeah. Okay. Um, so that's a bad title. A better title is this, right? Koopas and fireballs Nintendo Switch buffer overflows using Yoshi and Raw, right? Much more descriptive. It's f it's a little funny, right? You now now people are like like if the previous talk you have if you didn't know it was about Nintendo Switch, probably wouldn't go. But now you're like, "Oh, dang. It's about the Switch. I got one of those. I'm going to go watch this talk." Right? Um here's one. This is an example from Black Hat,

right? It's catchy. It's kind of funny. It's a little long, right? This is a very long title. I'm not going to read it. I don't have time. But like, but this is the kind of examples of of good titles. Okay. Now, the most important part. Now, we're going to talk about the abstract. This is your marketing, your talk. Okay? You shouldn't give away all your content. Why would I go to a talk when I've already read the entire abstract, right? Uh, also a lot of cons put word limits in here. So, even if you wanted to go nine pages of of abstract, you can't because they limit you to like 500 words or something like that, right? But this is the

marketing for your talk. At a conference like this, there are four tracks, five tracks, six county sky talks. you are competing against all those other talks. Okay. So, how do you get people to come to your room? It is through your abstract. This abstract will be published on the conference website. Uh it is like a book like that's the back of a a book blurb about your talk, right? Or like a movie the quick movie review on like IMDb that doesn't give tells you what's happening but doesn't give away the plot, right? you kind of want to live a little bit of mystery, but people should know what they're going to be in for when they see

your talk, right? Um, and then the same things, right? If you if you go away and come back to your abstract, would you want to watch that talk? Right? All right. Uh, at a minimum you need to cover what the talk is about, why people should attend your talk, what's novel about it, the call to action, what cool they're going to see, right? Demos. Are you going to have demos or not? People want to know that. Are you releasing a new tool? But be careful about this because we get a lot of tool talks and sometimes we're like, this tool talk could be a lightning talk that's 15 minutes long, right? So, like you really need to make sure it's not

it's not I'm going to talk about this tool I made. I'm going to talk about this research I did into this protocol that resulted in this tool. Okay? And then you need at least three takeaways, right? Uh after this talk, attendees will be able to get the fastest speedrun time in Super Mario World for the SNES. Cool. I know now when I sit in this talk, I know what I'm going to get out of it, right? That's the whole point. So this is this is an example from Blackhat. My a friend of mine Lydia who's on the Black Hat review board, she gave a very similar talk at Blackhat and she gave me her slides. So I so I stole

this from her slides, right? With consent. She said I could do that. So here's your hook, right? This is how you get like, oh damn, this is an interesting talk. Then you get your selling points and then like it's an elevator pitch, right? You have your hook, your selling points, and then whoops, that did not need to show up. So then you get your lessons. That's the attendees will learn X, Y, and Z, right? Uh, this was supposed to spin in, but I guess my animation didn't turn on. Uh, please, please, please do not use Gen AI for any of your CFP up front. You can use it to review your CFP. That's totally fine. We can tell. In fact, one

of my buddies who's on the CFP review board re for for proving ground review and was like, "How many of the like I've already commented like five times that this was written by AI. We can tell, right? You you all can tell, right? There's just little things here and there and you're like and you don't want to be like the question like because then we question whether or not you should be up here if you're not the expert in that field, right? Your bio, this one lots of people struggle with. You got to write in third person. Why should you be the one? Especially for the CFP review board, why should you be the one up here talking about that talk?

If we get four talks about AI and LLMs, we only we're only going to pick like two, especially if they're all on the same topic, why should you be the one we pick over someone else, right? And if your bio doesn't say, look, I've been I've been working with AI. I'm a prompt engineer, yada yada yada, and the other person does, we're going to pick the other person, right? also for your audience. The audience should know why should I listen to this person, right? Like coming up here gives you a little bit of authority, but really you need to know especially for CFP reviewers, why are you the one giving this talk and not someone else?

Um, so also your bio does end up on the website and all that stuff. Okay, outline. This is by far the most important part. I know I got a minute left, but I'm going to go long. I got approved to go at least five minutes longer. So your your outline, the most important part for a CFP. No one else will see your outline except for the review board. This is where you sort of give up everything about your talk. Okay, this is an example from a talk that I submitted to Black Hat. Okay, that got accepted. It's very clear what I'm going to talk about for the whole 45 minutes. If you're up on stage

for 45 minutes, the CFP board wants to know what are you actually going like your abstract should will not tell us exactly what you're talking about. Oftent times people will just take their abstract and put it in the outline. I'm like, yeah, the abstract outlined my talk. Like, no, your outline is a minute-by-minute breakdown of exactly what you're going to talk about. The best part about writing your outline, which I love, these all become the titles for my slides. So now I'm not stressing out about what am I going to do for my slides? I don't know what you've already solved your slides. Now you just got to fill it with contents. But you already know what

you're going to put, right? That's the beauty of your outline. There's so many You have no idea. So many times I'll submit a talk, five months go by and I'm like, "Shit, what? I don't remember what I was going to talk about and I pull up my outline, I'm like, "Oh yeah, I now I remember. Oh yeah, I want to talk about that. I want to talk about this." It's a It's a great tool. So many people don't do it. Also, please don't use AI to write your outline. We can tell because AI throws in a ton of emojis. And even if you delete all the emojis, it's awkwardly enthusiastic, right? and like it's just weird. Okay,

so please outlines super important. If we don't if we don't have an outline and you we have a similar talk that does even if you're the expert in that field, we won't take the talk. We just don't know what you're going to talk about, right? Why? Like I wouldn't tell a mechanic, hey, come over and just do to my car, right? I would tell him like, what are you going to do? Okay, that's fine. Go ahead. Right? Like like not just like, "Hey, come over and it up." Right? Um again, without your outline, your CFP is just going on vibes. Okay? We're we're just kind of like, "Oh, I hope could be good. I don't

know." Um again, like I said, cons that get more than one submission. It's down to like the outlines and then we're comparing like, "Oh, this person said they're going to talk about this, which is fundamental. this person did not, right? It gets down to that that level of detail sometimes. Okay. So, what's in it for you? You get accolades, right? People will come up to you after your talk and it's like, "Hey, that's a great talk." People will you get adoration and fame and fortune. You know how much I'm You know how much money I got paid to give this talk? You get recognition for being great. you get a bunch of followers on Mastedon and stuff like that,

right? Uh, okay. So, what's in it for real, right? Those things are all lies. Okay, you'll get none of those. You might get some adoration from like your best friend, right? Who's right here in the audience? So, what's in it for you for real? You establish yourself as a thought leader in that space. Okay? Yes, that's a very barfy thing to say, but you are the one because obviously you're up here because you're passionate about a topic. Other people will come and reach out to you. It helps you find your tribe. You're not the only one doing that research. It lets you, like I said, it lets you find like-minded research and peers in the industry. You give a

talk up here, it goes on YouTube. Months from now, someone might reach out to you and then they become like your bestie. Okay? It's that's happened to me, right? So, it's it helps you find other people who are into the same research. Um, best one, you get a free conference pass. You guys know how expensive Black Hat is? It's free. And some conferences like Black Hat will pay for your flight, hotel. Uh, there's like a conference in Sweden that flew me out because I got a talk accepted all the way to Sweden to get a talk, right? Flight, hotel, conference pass, bunch of free drinks. Too many free drinks. Um, so and sometimes you get an

honorarium, right? Like I think black hat for first- time speakers, it's $1,000 is what you get for speaking. Uh, uh, besides Las Vegas, you owe them. That's not true. That's not true. That's not true. Don't Don't put that on YouTube. But like, you're up here because you're passionate about it. It's not about the money. Keynote speakers make $60,000 a talk, right? But that's only like the upper echelon of of speakers, right? not people like me. All right. Um, here's some best practices. Have fun with your talk. We can tell, right? If if you're not having fun writing your CFP, if you're not having fun and are like, "Wow, I'm so I'm super excited about this topic,

it'll come across in your CFP." Don't let imposttor syndrome get you down. You might be the only person who submits a talk on that topic. You might be one of six people who submit it and yours is the best, right? But when you're alone in your in your like office and you're putting together a CFP by yourself, it can feel very lonely and you're like you start questioning, should I be the one doing this? Um, also can consider the conference you're submitting to. I submitted a talk to it took me four years to get a talk except at RSA. Uh and my talk was the title was um uh synergy leveraging synergies between legacy system and enterprise infrastructure.

Okay, I don't know what that means. It was a talk about mainframes, right? But like consider the like but I had to write it up all businessy for RSA, right? If you're submitting to Defcon, it's a hacker con. It's got to be all hackery, right? Consider the conference you're submitting to. Some a little bit more best practices. I don't know why that font is super tiny. So, good luck reading that in the back. It says keep a copy of your submission. Most places will not keep a copy. Especially like a SharePoint form or a Google form, it's gone. You won't see it again. So, you can't resubmit it, which sucks. But also, months later, you won't

remember what you said you're going to do. And that, right? So, keep it. And it's also a good reminder of all the talks you've given. It's a good reminder of like and you can watch your growth or like I use just Google I use Google Docs. Each TFP is in a Google doc first. Also Google Doc will help you spellch check and all that stuff before you submit it. Please spell check. Um collaborate with others. You don't have to go it alone. Giving a code talk is uh paradoxically harder. It's like three times the work than a normal talk, but it can help you. Like, especially if you're using first- time CFP, send it to other people to

review it. People other people will be happy to take a look. Here's some worst practices. Don't use LLMs to write your Please, your slides, your CFP. Um, don't submit your slide deck. Okay? We're not going to look at it. and the slide deck typically doesn't give enough context for what you're going to talk about and how you're going to talk, right? Um, don't submit the exact talk to everywhere. See, a lot of CFP reviewers are at multiple cons and if they see the same talk like didn't they submit there? They didn't make any changes and they submitted it over here too, right? Don't do that. Make minor changes. What's the difference? Right? Say no to co talks if

it's your first time speaking. Okay? Code talks again are paradoxically way more work than a single talk. Um, all right, you're down. Let's do this. Reach out to me. I'm Mastedon. I'm very happy to help if you need help. Uh, you'll see that in a second. Um, others here will be happy to help you, right? Um, it says yes, it's open. Uh, it's not, but it will be open. It typically opens around May 1st for Defcon. Typically beginning of April for the other two. If you're interested, follow the conferences you want to watch on like go speak at on X. Click that little bell and you'll be notified when they say our CFP is open.

Okay, that's because a lot of times it's hard to find that information. All right, last thing. Don't I'm not going to go through these. Oh yeah, don't sell stuff up here. Okay, just don't do that. That sucks. All right, so I know I went way over. So, thank you everybody for hanging out with me for a little bit extra. I apologize to the next speaker, but if you have any questions, reach out to me on Mastadon. Yeah, if you want to take pictures. Oh, not Oh, the slide. Oh, >> what's that? >> Yeah. Yeah, but they have a good example you can find on the archive. >> What's that? >> Uh there's g they're gonna start a new

one up. Nice. Nice. >> Uh any any questions? You can come like uh there's is there a talk after this one? >> No. >> Who said no? >> What's that? >> It's lunch. Anybody? Okay, good. Anybody have any questions? I feel bad if I'm like great. You got questions? Too bad. >> Anybody Any questions? Any Yes. question?

Yeah. I mean, you might want to review it. Oh, yeah. That's a good question. So, the question was, if you get if you get rejected, but no feedback, can you just like shotgun it somewhere else? Right. There might be a reason why it was rejected, right, that you're not aware of. So, maybe go back and look at it. But sometimes talks are rejected just because they got a lot of submissions and yours was just edged out, right? There's there's some people who give lots of talks that are famous and their talks will get picked over yours because they know them. they're a reliable speaker and and people will come and watch those talks, right? So,

sometimes it's not your fault your talk gets rejected. Sometimes it just happens to be that you just got too many submissions, right? And yours just got edged out by the voting, right? It comes down to like 01 of the scoring. Uh any other questions? All right. Well, thank you for having me. This has been awesome. I really appreciate everyone being here and uh participating.