Selling and Marketing your course

Part 7, how to get people to sign up for the course?

Article Series: So you want to train at Black Hat (or other conferences)?

This is a series of articles about our experiences submitting, preparing and delivering training at Black Hat (and other conferences as well).

It has been quite the journey and it feels like we learnt a lot of things which were not obvious to us at the beginning or were just not documented.

In this series, we will try to set this information out in an organized way to hopefully help people in the future who are interested in going through a similar journey.

This series is ongoing with new posts released every few weeks. If you want to keep up with new posts, follow us on Twitter or LinkedIn.

Posts in this series:

Selling and Marketing your course

Published on 24 June 2025 by  Josh Grossman

Introduction

So your course got accepted? Congratulations! šŸŽ‰ Thatā€™s a huge win and shows your proposal resonated with the review board. But now comes the real challenge: getting people to actually attend.

However, on this specific topic, I cannot pretend to be an expert or to have seen major success when doing this. I will try and provide my perspective and ideas but your mileage will certainly vary. There are plenty of other things you might want to try and maybe even consult with other people with more expertise.

Size of the Field, Size of the Audience

Before diving into promotion tactics, itā€™s worth understanding the competitive landscape.

Three big factors influence how easy or hard it will be to sell your course:

  1. How many people usually attend training at the conference?
  2. How many other courses are being offered?
  3. Can you attract people to attend the conference specifically for your course?

Cybersecurity

For example:

  • OWASP Global AppSec events often run up to 10 courses in parallel, with around 100-200 total attendees at the training and around 800 attendees at the conference.
  • Black Hat USA, on the other hand, may feature ~140 courses. I remember seeing a lunch room packed with 1,000+ people during training days.

Whilst the numbers at Black Hat may sound particularly promising, note that distribution isnā€™t equal. Some courses are held in huge rooms with dozens of students, while others are tucked away with small groups.

This makes it crucial to stand out. Iā€™ve already discussed finding your niche at length in previous posts. In addition to this, I have also tried ensuring the course appears relatively high up in the course list through an ā€œoptimisedā€ title and also adding an explanatory video to the course description wherever possible (but more on videos further down).

I canā€™t say it dramatically boosted my numbers, but who knows what wouldā€™ve happened if I had named the course ā€œZebra Security Essentialsā€? šŸ¤·ā€ā™‚ļø

Either way, donā€™t rely solely on being listed on the website. You probably want to do more than that.

What You Actually Get from the Conference

Many conferences do minimal marketing for individual courses.

Most conferences might tweet or post once or twice on LinkedIn or other social media networks. I havenā€™t trained at TyphoonCon, but itā€™s one of the only instances Iā€™ve seen a conference do promoted tweets for individual courses.

You can sometimes ask organizers to amplify your own posts ā€” but their support is limited and often hinges on you already having a strong social media presence.

Cybersecurity

Building Your Social Media Presence

If you have a strong social media presence then you are clearly already good at self-promotion so that will help a lot in this context. You can probably skip this section (although Iā€™d love to hear your tips šŸ˜€).

I made an effort to increase my social media activity a little (specifically on Twitter and LinkedIn) in the run up to these courses. I grew my follower count slightly and made an effort to post more frequently and try and engage with other posts. I would usually focus on subject matter related to my course including sometimes mentioning work I was doing on developing the course.

I also made an effort to prepare some short videos as this seemed to be a good way of communicating information in an effective way and be in line with how many people seem to consume information right now. I was also able to outsource the video editing which saved time. I varied between videos specifically about the course and also short videos on related topics.

Some interesting discussions developed from both text and video posts and in general I think that having an active social media presence has professional benefits anyway. It does however require a lot of effort to have an impact.

Cybersecurity

Other Ways to Build Awareness

If social media isnā€™t your thing (or isnā€™t enough), here are some alternative channels I explored:

šŸŽ¤ Conference Talks

Speaking at conferences, specifically on your training topic or even on other related topics, is a great way to build credibility, expand your presence in the industry, and push your course at the same time.

I couldnā€™t fund travel to overseas events, but I looked for conferences that cover speaker expenses. My largest target was Black Hat USA 2023 so I pushed particularly hard in late 2022/early 2023.

This resulted in:

  • October 2022 - OWASP Global AppSec San Francisco (Training + Talk)
  • January 2023 - NDC Security in Oslo + OWASP Oslo Meetup
  • February 2023 - OWASP Global AppSec Dublin (Training)
  • April 2023 - QCon London (Speaking)
  • June 2023 - DevTalks Bucharest (Speaking)

Iā€™d often mention my course at the end of talks or during conversations at these events.

Cybersecurity

šŸŽ™ļø Podcasts

Podcasts are another great channel. Less travel but plenty of reach.

I got some great benefits from being a podcast guest including:

  • Exposure to new audiences
  • Valuable feedback on course content
  • Deeper conversations that helped refine the material

Many podcasts welcome guest suggestions ā€” especially if you have an interesting perspective or topic to pitch.

šŸ’ø Paid Marketing (Spoiler: Meh)

We tried a small LinkedIn ad campaign. Honestly? No real impact.

Paid ads likely require consistent investment and long-term strategy to pay off. Not ideal for one-off training sessions or a short-term effort.

The Hard Part: Self-Promotion is Draining

In truth, I found this part exhausting.

  • Iā€™m not a fan of social media pressure.
  • I donā€™t want to be constantly travelling.
  • Conference prep takes a toll on time, not just money.

All this meant I wasnā€™t as consistent or aggressive in promoting as I could have been.

For me, the bottom line was that every time I asked course attendees how they found out about the course, they almost exclusively said it was from browsing the conference website and not from social media posts or any other channel.

So lately, Iā€™ve toned it down. Just a few social posts and thatā€™s it.

The Stress of GO/NO-GO

As I mentioned in a previous post, thereā€™s often a GO/NO-GO decision looming.

  • Will enough seats sell to justify running the course?
  • Will it hit both your and the conferenceā€™s break-even point?

That decision can be stressful. And a little embarrassing if the course gets pulled after a few people have already signed up.

In 2023 I made this more difficult for myself as I planned a family vacation around Black Hat USA. If the training had been cancelled, Iā€™d have had to pay all my own expenses to get to the conference or skip the conference but still travel to the US for holiday.

Luckily, it worked out. But I stressed about it for months. The feeling of relief and excitement I felt when Black Hat confirmed my course was running was unreal.

Cybersecurity

A Specialist Discipline

Letā€™s be realistic, sales and marketing is a specialist skillset. Youā€™ll find countless experts who can speak to it better than I can. Hopefully this section provided some useful context although I accept that it is not super actionable.

My most active period was late 2022 through early 2023. While I canā€™t say how much the self-promotion effort changed the outcome, the opportunity to train at Black Hat and attend DEFCON made it absolutely worthwhile.

Only you can decide how much time, energy, and budget to invest in promoting your course. Whatā€™s right for you might not be right for someone else.

Next Post: Make Your Preparations

If your course is confirmed, amazing! In the next post, Iā€™ll walk through the preparations youā€™ll want to make to help ensure itā€™s a success.

This post is part of a series: So you want to train at Black Hat (or other conferences)?

Other posts in this series: