Part 7, how to get people to sign up for the course?
Article Series: So you want to train at Black Hat (or other conferences)?
This is a series of articles about our experiences submitting, preparing and delivering training at Black Hat (and other conferences as well).
It has been quite the journey and it feels like we learnt a lot of things which were not obvious to us at the beginning or were just not documented.
In this series, we will try to set this information out in an organized way to hopefully help people in the future who are interested in going through a similar journey.
This series is ongoing with new posts released every few weeks. If you want to keep up with new posts, follow us on Twitter or LinkedIn.
Posts in this series:
Selling and Marketing your course
Published on 24 June 2025 by Josh Grossman
So you got your course accepted? Congratulations! That is a big achievement and demonstrates that your course sounds good to the review board. However, the next stage will be to get people to attend. In this post I will talk a little about the challenges of doing this. Up until this point, I think my advice has been pretty solid and demonstrated to be effective.
However, on this topic I cannot pretend to be an expert or to have seen unbridled success so I will try and provide my perspective and ideas but your mileage will certainly vary.
Three big factors in how easy it will be to sell your course will be:
For OWASP Global conferences, there are usually up to 10 courses being run at the same time with maybe 100 or so people typically attending the training.
For Black Hat USA, there will typically be ~140 courses. When I was there in person, there must have been at least a thousand people in the lunch room, if not more, on training days.
Whilst the ratio seems more favourable for Black Hat, it seems like the distribution is not necessarily even. When I walked around I could see that some courses were in giant rooms with many 10s of attendees and others were in smaller conference rooms.
You may therefore wish to think about ways to make your course stand out more. Things I tried including ensuring the course appeared relatively high up in the course list through an “optimised” title and also adding a video to the course description wherever possible (but more on videos further down).
I can’t say this brought me big numbers but I also don’t know what the numbers would have looked like if my course title started with a Z so 🤷♂️.
Either way, you probably want to see what sort of marketing you can do other than just appearing on the conference website.
Most conferences don’t do a lot of marketing of your course. OWASP and Black Hat will put out a couple of Tweets. OWASP might also do some LinkedIn posts. I’ve never trained for TyphoonCon but I think that is the only conference I have seen do something more (promoted tweets advertising individual courses).
You may be able to ask the conference organizers to amplify your own social media posts but they will only do that a few times. Realistically that also depends on you having a strong social media presence.
If you have a strong social media presence then you are clearly already good at self-promotion so that will help a lot in this context. You can probably skip this section (although I’d love to hear your tips 😀).
I made an effort to increase my social media activity a little (specifically on Twitter and LinkedIn) in the run up to these courses. I grew my follower count slightly and made an effort to post more frequently and try and engage with other posts. I would usually focus on subject matter related to my course including sometimes mentioning work I was doing on developing the course. Some interesting discussions developed from this and in general I think that having an active social media presence has professional benefits anyway.
Aside from social media, I also tried another couple of methods to try and build presence and awareness.
Another idea I had was to try and speak at international conferences, either on a topic related to my course or on whatever topics I could get accepted. I didn’t have the funding to fly to overseas although there are conferences which pay expenses for speakers if you look carefully enough.
Whilst I delivered my course at a few OWASP conferences, my largest target was Black Hat USA 2023 so I pushed particularly hard in late 2022/early 2023. This resulted in:
The idea was to try and increase my profile and increase social media presence. I would usually mention my training at the end of the talks and in discussions I had with people at the conferences.
For less travel, I found podcasts to be another way to try and build presence. Aside from the exposure to listeners of the podcast, I also found this a great way to get feedback and have discussions about topics related to the course and thereby refine the course material.
I found that several podcasts were open to me suggesting appearing as a guest as long as I had a potentially interesting topic or perspective to cover.
We did a very small amount of this on LinkedIn but we didn’t see any evidence of impact. It is something else that would probably have required more consistency and long term effort to get real value from it.
Ultimately, I found that the self-promotion took a lot of time and was not something I enjoyed. I personally find Social Media a little stressful and don’t like to travel too much either. Conferences also have a time impact and not just an expenses impact. This all meant that maybe I didn’t push hard enough or stay consistent enough to have a real impact.
For me, the bottom line was that every time I asked course attendees how they found out about the course, they almost exclusively said it was from browsing the conference website and not from social media posts or any other channel.
For recent courses, I have stuck to a few social media posts without too much pushing.
I mentioned in a previous post that at some point there will be a GO/NO-GO decision based on whether the course sells enough seats to meet your own financial breakeven and the conference’s financial breakeven.
This is always a little stressful and also potentially embarassing if the course gets cancelled when there are already attendees signed up.
At Black Hat USA 2023 I made this more stressful for myself by planning a family holiday around the conference. We would still have gone ahead with the holiday even if the training got cancelled but my flight would no longer have been covered and I would have had to decide if I still wanted to fund my way to the conference or not. I was stressing about it for many months but luckily it all worked out in the end and the relief and excitement I felt when Black Hat confirmed the course was going ahead was quite something.
Clearly sales and marketing is its own specialist subject. You will find many, many people more qualified to talk about it than me. Hopefully this section provided some useful context although I accept that it is not super actionable.
As I mentioned above, my main period of activity was late 2022 and early 2023 and whilst I don’t know what would have happened if I had been less active, the opportunity to train on-site and attend Black Hat/DEFCON definitely made it worth it.
You will need to decide what level of effort makes sense for your own personal goals.
Your course is confirmed and you are going ahead? Fantastic, that is a big achievement! In the next section I will talk about some of the preparations you may want to make before your course.
This post is part of a series: So you want to train at Black Hat (or other conferences)?
Other posts in this series: