Your course is confirmed and you’re ready to go? Fantastic! That’s a major milestone worth celebrating. 🎉 Now that you’re past the proposal phase, it’s time to think about the practical preparations that will ensure your course is not just delivered, but delivered smoothly and memorably.

In this post, I’ll walk you through essential pre-course considerations, from visa planning to organizing handouts, so that nothing catches you off guard when it’s go time.

Visa Considerations: More Than Just a Stamp

While not strictly a financial issue, visa planning is a must-do if you’re delivering a course abroad. Skipping this step could derail your training before it begins.

Getting a Visa to Enter the Country

Ask yourself: How easy is it for me to enter the country where I’ll be training?

If you don’t have the privilege of a streamlined entry process (like the US ESTA or the upcoming EU ETIAS), start early. Some visa applications take weeks or even months. Even the time between your course being accepted and the conference date might not be enough, especially if there is a backlog.

Getting a Visa That Lets You Get Paid

Here’s where things get tricky. I’m not a lawyer (technically, I’m an accountant but I’ve never practiced), so this isn’t legal advice. However, be aware: Getting paid to train abroad might require a different visa than just attending a conference.

Check whether you’ll legally be allowed to work (i.e. deliver training) and get paid while in that country. Conferences often won’t have definitive guidance on this either so it’s your responsibility to do the homework.

Note that the US in particular has gotten stricter about this and in some cases people were detained at immigration for attempting to come in to work on the wrong visa.

Supplementary Materials: Going the Extra Mile

Beyond your core curriculum, it’s a great idea to prepare supplementary materials that enhance the learning experience. These can include physical goodies, printed handouts, or digital resources. Let’s break them down.

Goodies and Extras

If you’ve promised participants anything extra (such as stickers, USB drives, branded gear) now’s the time to deliver. But beware: You might not know your final headcount until right before the event.

At Black Hat 2023, my attendee numbers jumped by 50% in just two weeks.

So, plan generously. It’s better to have a few extras than run out and disappoint attendees. For expensive items, consider a cutoff: for example, “Free hardware kit for sign-ups received 3+ weeks in advance.”

Course Materials

For in-person training, I’m a big fan of printed materials. When exercises require referring to multiple documents, printed copies save participants from constantly alt-tabbing between different screens.

I always print and bring these materials myself to ensure quality and timing. The exception? At Black Hat, they print a course workbook for you which is a nice touch!

Pro Tip: Never pack your printed materials in checked luggage. Ask me why one day :)

On one occasion where I wanted to go a little above and beyond, I ordered plastic document folders via Amazon to the venue. Each participant got one to organize their handouts, plus some extras like sticky dividers and branded stickers.

Printed materials are great during the course, but soft copies are critical for long-term reference. I provide PDFs unless I want students to edit the files themselves.

I “drip feed” exercise materials throughout the course, which adds a bit of complexity but keeps students from jumping ahead. For slides, I always ensure the numbering on the handouts matches the numbering on screen. This keeps everyone on track.

Don’t Overthink It: Focus on Delivery

While all this prep helps, don’t lose sight of what truly matters, the content and the experience. Your delivery, your energy, and the interactions you create with participants are what make your course memorable.

Handouts and goodies? They’re just the icing on the cake.

Looking for more?

That’s a wrap for now but I have more ideas in the pipeline. Did you find this helpful? Let me know what you’d like to hear more about or which questions you want answered next.

Let’s make your next training the best one yet. 🚀

So your course got accepted? Congratulations! 🎉 That’s a huge win and shows your proposal resonated with the review board. But now comes the real challenge: getting people to actually attend.

However, on this specific topic, I cannot pretend to be an expert or to have seen major success when doing this. I will try and provide my perspective and ideas but your mileage will certainly vary. There are plenty of other things you might want to try and maybe even consult with other people with more expertise.

Size of the Field, Size of the Audience

Before diving into promotion tactics, it’s worth understanding the competitive landscape.

Three big factors influence how easy or hard it will be to sell your course:

1. How many people usually attend training at the conference?
2. How many other courses are being offered?
3. Can you attract people to attend the conference specifically for your course?

For example:

• OWASP Global AppSec events often run up to 10 courses in parallel, with around 100-200 total attendees at the training and around 800 attendees at the conference.
• Black Hat USA, on the other hand, may feature ~140 courses. I remember seeing a lunch room packed with 1,000+ people during training days.

Whilst the numbers at Black Hat may sound particularly promising, note that distribution isn’t equal. Some courses are held in huge rooms with dozens of students, while others are tucked away with small groups.

This makes it crucial to stand out. I’ve already discussed finding your niche at length in previous posts. In addition to this, I have also tried ensuring the course appears relatively high up in the course list through an “optimised” title and also adding an explanatory video to the course description wherever possible (but more on videos further down).

I can’t say it dramatically boosted my numbers, but who knows what would’ve happened if I had named the course “Zebra Security Essentials”? 🤷‍♂️

Either way, don’t rely solely on being listed on the website. You probably want to do more than that.

What You Actually Get from the Conference

Many conferences do minimal marketing for individual courses.

Most conferences might tweet or post once or twice on LinkedIn or other social media networks. I haven’t trained at TyphoonCon, but it’s one of the only instances I’ve seen a conference do promoted tweets for individual courses.

You can sometimes ask organizers to amplify your own posts — but their support is limited and often hinges on you already having a strong social media presence.

Building Your Social Media Presence

If you have a strong social media presence then you are clearly already good at self-promotion so that will help a lot in this context. You can probably skip this section (although I’d love to hear your tips 😀).

I made an effort to increase my social media activity a little (specifically on Twitter and LinkedIn) in the run up to these courses. I grew my follower count slightly and made an effort to post more frequently and try and engage with other posts. I would usually focus on subject matter related to my course including sometimes mentioning work I was doing on developing the course.

I also made an effort to prepare some short videos as this seemed to be a good way of communicating information in an effective way and be in line with how many people seem to consume information right now. I was also able to outsource the video editing which saved time. I varied between videos specifically about the course and also short videos on related topics.

Some interesting discussions developed from both text and video posts and in general I think that having an active social media presence has professional benefits anyway. It does however require a lot of effort to have an impact.

Other Ways to Build Awareness

If social media isn’t your thing (or isn’t enough), here are some alternative channels I explored:

🎤 Conference Talks

Speaking at conferences, specifically on your training topic or even on other related topics, is a great way to build credibility, expand your presence in the industry, and push your course at the same time.

I couldn’t fund travel to overseas events, but I looked for conferences that cover speaker expenses. My largest target was Black Hat USA 2023 so I pushed particularly hard in late 2022/early 2023.

This resulted in:

• October 2022 - OWASP Global AppSec San Francisco (Training + Talk)
• January 2023 - NDC Security in Oslo + OWASP Oslo Meetup
• February 2023 - OWASP Global AppSec Dublin (Training)
• April 2023 - QCon London (Speaking)
• June 2023 - DevTalks Bucharest (Speaking)

I’d often mention my course at the end of talks or during conversations at these events.

🎙️ Podcasts

Podcasts are another great channel. Less travel but plenty of reach.

I got some great benefits from being a podcast guest including:

• Exposure to new audiences
• Valuable feedback on course content
• Deeper conversations that helped refine the material

Many podcasts welcome guest suggestions — especially if you have an interesting perspective or topic to pitch.

💸 Paid Marketing (Spoiler: Meh)

We tried a small LinkedIn ad campaign. Honestly? No real impact.

Paid ads likely require consistent investment and long-term strategy to pay off. Not ideal for one-off training sessions or a short-term effort.

The Hard Part: Self-Promotion is Draining

In truth, I found this part exhausting.

• I’m not a fan of social media pressure.
• I don’t want to be constantly travelling.
• Conference prep takes a toll on time, not just money.

All this meant I wasn’t as consistent or aggressive in promoting as I could have been.

For me, the bottom line was that every time I asked course attendees how they found out about the course, they almost exclusively said it was from browsing the conference website and not from social media posts or any other channel.

So lately, I’ve toned it down. Just a few social posts and that’s it.

The Stress of GO/NO-GO

As I mentioned in a previous post, there’s often a GO/NO-GO decision looming.

• Will enough seats sell to justify running the course?
• Will it hit both your and the conference’s break-even point?

That decision can be stressful. And a little embarrassing if the course gets pulled after a few people have already signed up.

In 2023 I made this more difficult for myself as I planned a family vacation around Black Hat USA. If the training had been cancelled, I’d have had to pay all my own expenses to get to the conference or skip the conference but still travel to the US for holiday.

Luckily, it worked out. But I stressed about it for months. The feeling of relief and excitement I felt when Black Hat confirmed my course was running was unreal.

A Specialist Discipline

Let’s be realistic, sales and marketing is a specialist skillset. You’ll find countless experts who can speak to it better than I can. Hopefully this section provided some useful context although I accept that it is not super actionable.

My most active period was late 2022 through early 2023. While I can’t say how much the self-promotion effort changed the outcome, the opportunity to train at Black Hat and attend DEFCON made it absolutely worthwhile.

Only you can decide how much time, energy, and budget to invest in promoting your course. What’s right for you might not be right for someone else.

Next Post: Make Your Preparations

If your course is confirmed, amazing! In the next post, I’ll walk through the preparations you’ll want to make to help ensure it’s a success.

You’ve figured out your finances, carved out your niche, and built exercises that pack a punch. Now comes a critical step: getting your course accepted by a conference.

In this post, we’ll dive into how to write a compelling Call for Training (CfT) submission that catches the eye of both review boards and potential attendees.

Plan Ahead: Timing is Everything

CfTs (Calls for Training) often open earlier than the main Call for Papers (CfP). For example, Black Hat and OWASP usually open their CfTs more than six months before the event, and they might only stay open for a month.

Failing to plan here could mean missing your window altogether. This means you are going to want to put CfT dates in your calendar and prepare your materials well in advance.

Know Your Audiences

Crafting a strong CfT submission requires you to speak to two distinct audiences:

1. The Conference Review Board

This group is experienced, discerning, and reviewing dozens (if not hundreds) of submissions. You generally have lots of space to provide them with information about the course and you want to try and differentiate it from the many other submissions they are reviewing.

The key things they care about will be:

• How your course stands out from the rest.
• Its technical depth and relevance.
• Your credibility as a trainer.
• How interactive your course is.

💡 Pro Tip: Include testimonials, past success stories, and why you’re uniquely positioned to teach this subject.

2. Your Potential Attendees

Potential attendees will often only see a small portion of your submission — usually the abstract or summary. You need to ensure that you include the right information to help them make a decision. You may also have character/word limits to comply with here. (However, I invite you to compare the Black Hat abstract word limit to the length of the abstracts on the training pages 🙃)

Potential attendees are going to want to know:

• “Is this course useful to me?”
• “Will it help me solve real problems?”
• “Will I walk away with tangible skills?”

Arguably the third audience is your potential attendee’s manager who they are going to have to justify the course to but I think the considerations are similar to those of the potential attendee. To be absolutely clear, you are writing a sales pitch and you need to be thinking and writing accordingly.

Writing for Both: Key Tips

Here’s my approach to balancing both needs:

• Keep it short, punchy, and scannable.
• Address a relatable pain point. You want to make your reader think, “That’s me! I need help solving that problem!”
• Be clear on what participants will do during the course.
• Make it sound like fun to take part in the course!
• Highlight clear, actionable takeaways.

Align with Conference Guidance

Each conference will have its own specific perspective and content that it is looking for. If you are clearly not aligned with that, your submission may be doomed from the start.

Read the CfT guidelines carefully and align your submission accordingly. If the guidance includes sample abstracts or criteria, read through them and ask yourself how well your submission compares to them.

For First-Time Trainers

New to delivering public training courses? You’ll likely need to prove you can teach effectively. For example, Black Hat requests new trainers to provide ~60 slides of training material plus other information as well so make sure you have that ready in time for the CfT as well.

Any prior experience or videos or whatever else you can provide at this stage will help if you are not a well known trainer. I have also provided ratings and testimonials I have received when training and speaking at other venues.

Mission Essential Task List (METL)

Full credit for this point has to go to Daniel Cuthbert from the Black Hat Training Review board who has made it clear on a number of occasions that this is something he expects to see from submissions. Also to AviD, my boss at Bounce Security who has made this standard procedure within Bounce for training course preparation.

A METL is a detailed course breakdown, how long you’ll spend on each topic and what will be covered.

This shows you’ve done more than brainstormed ideas, you’ve planned and structured the course in a logical way. It should include:

• Topic breakdowns with time estimates
• Timings for hands-on to show the lecture-to-exercise ratio
• How learning outcomes map to course segments

As a some-time CfT reviewer, I can tell you: if your submission lacks this level of clarity, it’s unlikely to make the cut.

Get Feedback Before You Submit

Even seasoned trainers benefit from a second pair of eyes.

Tips:

• Ask a former CfT reviewer if possible.
• At the very least, someone familiar with the material.
• If English isn’t your first language, get a native speaker to review.

At Bounce Security, our internal review process made a huge difference — right down to workshop titles and tagline polish.

It is highly unlikely you will get feedback from the conference or the review board during the CfT process, regardless of how early you submit. It is possible you might be able to get some feedback if the submission gets rejected but that is already a little too late…

Add Goodies (If You Can)

Extras can make your course more appealing:

• Hardware courses might include take-home tool-kits.
• Some courses provide pre-configured VMs or helpful documents.
• One course at Black Hat even included a laptop for every attendee (ambitious, but memorable!).

I don’t think these bonuses necessarily replace a compelling course proposition but they might sweeten the deal..

I include special working documents in my course. We’ve also considered offering follow-up consulting hours though we haven’t gone forward with that for now. I did notice however that this year Sensepost is offering an extended Q&A session after their courses.

The Waiting Game

Once you’ve submitted… now you wait.

Don’t be discouraged by rejections, they happen to all of us.

I have been rejected multiple times, even after I have been accepted at previous events from the same organisation. E.g. I have never been accepted by Black Hat Asia and was accepted by Black Hat EU for a couple of years but then rejected the following year.

Always ask for feedback (if available) and iterate on your submission.

Coming Up: Selling Your Course

If you got accepted, congrats! That’s a huge achievement. 🎉 🎉

But now comes the next big challenge: getting people to sign up.

In the next post, I’ll talk about marketing your course in an attempt to turn your hard work into a full classroom.

Let’s be honest: nobody’s signing up for a training course just to sit and listen to someone talk for 7–8 hours a day.

People come to do the things, to get their hands dirty, apply what they’ve learned, and leave with new skills they can actually use. And that’s your edge.

In this post, I talk about how to make the hands-on elements of your course not just functional, but an integral part of the course.

Splitting the Day: Labs vs. Lectures

The Black Hat Call for Training (CFT) recommends at least 40% of your course be practical. That’s great news as it means you only need to talk for 4–5 hours a day.

But here’s the catch: you now need to figure out how to entertain your attendees the remaining time.

I can tell you that the practical segments are the part attendees remember most and will define their takeaway experience. You therefore need to make these segments sound compelling enough for the review board and the potential attendees.

Traditional, Practical Labs

If you’re teaching a very hands-on skill such as offensive security, reverse engineering, cloud config hardening, practical labs are likely your core.

But just saying “we have labs” isn’t enough, how are these labs going to work.

Initial Considerations

Here’s what you need to think through — trust me, these details matter:

• How do you make tasks challenging yet solvable?
• Are the exercises accessible and achievable by people at a variety of skill levels?
• Will you want to centrally track attendee process and if so, how?
• Is it a competition or self-paced?
• Can you stretch your most advanced students?
• How can you test that your labs still work before each run? Is that manual or automated?
• How will you keep lab content up to date if your subject moves fast?
• How many students can you realistically support and troubleshoot for at once?
• Do you have an automated way to reset your labs to a known good state?

Providing Lab Access

One of the biggest questions: how will students access the labs?

• Do they need to install software?
• Is specific hardware/software required?
• Do they need a virtualization tool?
• Will they need admin access?

If the answer to any of these is yes, expect friction and maybe a few frustrated emails.

Hosted Labs: The Modern Standard

In the old days, trainers would lug laptops and servers into conference venues. Now? Cloud-hosted labs are the norm.

Sensepost set the gold standard for this almost 10 years ago as they discuss in their blogpost here. Nowadays, this should probably just be the standard.

But don’t let the cloud fool you into thinking it’s simpler. It comes with its own set of questions:

• Can your labs scale to support dozens (or hundreds) of users?
• How will you automate provisioning for each user?
• Do students authenticate individually? How will you set this up
• Have you secured your environment from… creative attendees?
  • Yes, someone once deployed ransomware in someone’s training lab environment. Be ready!
• Will students have post-course access? (Bonus points if yes.)

When “Hacking” Isn’t the Goal: Creative Practical Exercises

What if your course isn’t about hacking or coding? Then you’ll need to get creative.

In my case, I built two distinct types of exercises from scratch and they actually became the highlight of the course.

(I go into quite a lot of detail here but I hope it helps other people with their thought process. Feel free to skip if you don’t want the details)

Vulnerability Triage

The first was a vulnerability triage challenge.

Students worked in groups, reviewing fictional findings from tools like SAST, DAST, and SCA. They had a simulated codebase or running app as a reference, but running tools wasn’t the goal or even part of the exercise.

Instead, they had to prioritize the vulnerabilities and more importantly, explain their reasoning.

Why? Because the course and therefore the exercises focused on process and decision-making, not tool mastery.

This exercise built on the lectures and gave students a chance to the new ideas in a low-stakes setting.

Organisational Process

The second type of exercise asked: How do you roll out a security tool across an organisation?

Students had to plan an implementation using a working document based on the content in the lectures. Sounds fun, right? Well I had to work a little on the fun part.

Since attendees came from diverse backgrounds I created a fictional company case study for everyone to work from. I also prepared a tech stack, fake team leads, and a slightly sinister app to keep things fun. All teams worked from the same case study as I felt it would make it easier for teams to compare notes afterwards.

But how would they provide their feedback?

Enter: The Simulated Stakeholder

Rather than each team presenting their plan to the entire class (which might be a little repetitive), I introduced the simulated stakeholder, in most cases the CTO of the simulated company.

(I think this was probably inspired by exercises we did back when I worked at Deloitte as part of training for more senior roles.)

Each team nominated one person to role-play the CTO. All the “CTOs” joined me in a breakout session, where I worked through the working document with them and guided them on the kinds of questions and expectations a real executive might have and how best to interact with the teams.

Then, each CTO joined a different team, and that team had to justify their plan to a skeptical senior stakeholder.

Aside from the simulated stakeholders getting much amusement from their sudden promotion to CTO (although I think on one occasion a stakeholder was actually a CTO in their day job), this was a great way to give the teams something to work towards and also stimulate discussion.

It was also an important illustration of one of the key lessons from the course which is the importance of getting senior level buy-in.

Other Ideas

I’ll save the story about the time I built a multi-player game based on the ASVS entirely in Google Sheets for another post, or over a beer. 🍻

Just know that even if it sounds weird, it might actually work.

The Real Point

Yes, I wanted to show off some my cool ideas but the real message is this: You can go beyond traditional “labs” and build creative, impactful exercises that magnify the impact of your course.

Don’t limit yourself to hacking and code. Remember that the rarest and most valuable skill in security is the ability to communicate and persuade. Think about courses which build that muscle as well.

Next Post: Putting pen to paper

So now, having figured out your financials, your niche, and your exercises, you now need to actually get accepted by a conference.

In the next post, I’ll walk through how to write a compelling Call for Training (CFT) submission.

If you’re thinking about creating a training course, one of the biggest questions you’ll face early on is: Will anyone actually want this? In this post, we’ll explore how you can evaluate whether your course idea stands a chance in an already packed marketplace for professional training.

Market Research

In a previous post, I mentioned that I already had a good grasp of the application security training landscape, which gave me an edge in knowing which topics were oversaturated. If you’re not yet as familiar with your own niche, I would suggest you do some market research. Here are some areas you might want to consider.

History of training courses at your target conferences

Conferences will often maintain historical websites where you can see the courses they have previously offered.

Black Hat maintains an archive of past training courses with predictable URL patterns, making it easy to explore previous years’ offerings. Keep in mind that not all Black Hat events are created equal, Black Hat USA is significantly larger than its counterparts in Asia and Europe.

As for satellite events like Black Hat Spring Trainings, I have never seen a formal Call for Training. It’s possible these are invite-only affairs, favoring trainers with a strong sales history, but that’s just a theory.

If you’re targeting an OWASP event, they also have a historical record of courses available though it might require a bit of sleuthing. (Hint: all recent OWASP websites have been based in GitHub).

For smaller or more specialized conferences, you’ll need to do your own detective work to uncover historical data.

Check out Offensive Security

Offensive Security offers a well-known set of training programs. You can probably guess where their focus lies. If your topic overlaps with theirs, take a hard look at how your course differentiates itself. Their content is well-established and widely respected so if you’re in their arena, you need a unique angle.

Review the SANS catalogue

SANS offers a massive range of courses often at premium prices but keep in mind that many of them run for six full days. That means a shorter, more affordable course on a similar subject might still appeal to time and budget conscious learners.

Explore other sources

Don’t stop there. Depending on your topic, there may be other educational offerings in your space: self-paced labs, YouTube tutorials, Massive Open Online Courses (MOOCs), and more.

Ask yourself: What will learners gain from your course that they can’t easily get from free or low-cost resources? Your value proposition needs to go beyond content, it should include engagement, interaction, depth, or application.

Finding the niche

The sweet spot for your course lies at the intersection of three things:

1. A subject you’re passionate and knowledgeable about
2. A real gap in the current training market
3. A compelling reason for someone to pay for it

If you’re struggling to identify that gap, don’t be discouraged. It is a tricky balancing act. The ideal topic needs to be fresh and interesting to the conference review board and relevant enough that your potential attendees can justify the time and money it takes to attend.

On the other hand, the cybersecurity field in particular is constantly evolving. New technologies and threats emerge regularly each one a chance for you to carve out your own area of expertise. There are plenty of unsolved problems and overlooked areas that need attention.

Remember, your audience will often have to convince their manager that your course is worth the investment. Help them make the case by choosing a topic that solves real problems, enhances valuable skills, or supports strategic goals.

Next Post: Practical Exercises

In the next post, we’ll focus on the major differentiator that can elevate your course above the rest: hands-on activities. Because let’s face it no one wants to sit through two days of lectures. What participants get to do during your course is just as important as what they learn.

Introduction

In my previous post, I briefly touched on the financial realities of delivering training courses. In this post, I’ll explore this topic in greater depth.

Making your millions??

If your goal is a big financial success, training courses will probably not be your golden ticket. That is why I want to tackle this topic up front. You will need to think about this but you also need to be realistic.

Developing a course requires significant upfront investment, and even after launch, it demands ongoing “care and feeding”. Keeping content fresh and relevant is crucial, and that means regularly:

• Updating material to reflect industry changes
• Incorporating new insights and experiences
• Ensuring training exercises still function as intended
• Revising and updating technical components of exercises
• Adapting exercises to maintain relevance
• Applying feedback from previous course sessions

If you can identify a subject that is broad enough to appeal to a large audience, different enough from existing options to generate demand, and also low-maintenance in terms of updates, then you might have a high-profit opportunity.

But let me know if you do manage that as it is pretty tough…

In my case, the course I built falls into a slightly specialized category. While maintenance isn’t overwhelming, I have only delivered it 5–8 times so far.

Non-financial benefits

On the other hand, there are other benefits that may be attractive to you.

The experience of preparing and delivering a course at this level may itself be valuable to your professional development. It may also bring a boost to your public profile and your resume.

Depending on your planned career trajectory, these aspects may be more valuable than money. However, your current employer may not see things this way. 🙃

Recouping your investment

Before you make a profit you are going to need to cover your initial investment.

The most basic investment is any actual money you spend to deliver the course in person. There are a bunch of considerations for this so I will cover it in more detail a little further down.

The real cost however is (or at least should be) the time you spend building the course. You certainly don’t want to spend a lot of time building a course which no one wants to attend.

To try and mitigate this risk for my course, I took a phased approach. I started by delivering a one-hour overview at the Open Security Summit, followed by a one-day version at OWASP Global AppSec.

These smaller commitments helped me gauge audience reception and refine my content. The one-day course also allowed me to test my experimental exercises (more on that later). While this phase didn’t compensate for all the time investment, it provided some validation that the course was worthwhile and effective and therefore I should continue investing in it.

Striking the right balance is key: invest enough to prove the concept and demonstrate viability, but avoid committing excessive resources to an untested idea that might not work out.

Breaking even on an single course session

If you are able to afford to pay expenses to deliver training “for the exposure”, then you don’t need to worry about this. In most cases however, you will need to have a plan.

Virtual training is simpler financially: as long as you cover your time cost, you’re in the clear. In-person training, however, introduces a host of additional expenses and complications and I will try and cover some of these here.

For in-person training, you need to figure out what your break even point is. Specifically, how many people need to register to get the revenue required to break even. Obviously the first thing you need to know is what share of the course income you will receive from the venue which is hosting the training. This might be fixed or flexible depending on the conference.

You can then start building a break even and profit calculator based on your expected expenses. I usually prepare an Excel spreadsheet or Google Doc to work this out and recalculate dynamically.

Key Expenses to Consider

Different conferences handle costs in different ways. Expenses that conferences might cover for you (wholly or partly) include:

• Flight costs
• Hotel costs
• Venue costs including food and beverage.

Examples that I have seen:

• Black Hat publishes information on the public CFT page.
• OWASP covers all venue costs but not hotel and flight.
• Other conferences equally split costs and then equally split the profit as well.

All conferences I have seen also give trainers a free conference ticket which could also be worth a lot.

Beyond travel and accommodation, factor in additional costs such as:

• Airport transfers
• Meals and per diems
• Printed materials or giveaways for participants, (I have a bunch of print-outs I prepare and hand-out over the duration of the course and I often buy and bring snacks as well)

The Hidden Cost: Your Time

If you’re self-employed or consulting, or you are doing this separate to your employer, your time has an opportunity cost. Time spent training is time you could have spent on client work or other revenue-generating activities. Don’t forget to include travel days as well.

Revenue Per Course Day

Different conferences handle pricing and revenue shares in various ways:

• OWASP charges attendees a flat daily rate for training, meaning a three-day course costs three times as much as a one-day course, with no discounts. Trainers receive 40% of net revenue up to $10,000 USD, and 50% of net revenues above $10,000 USD (this is public information).
• As can be seen on the public training page, Black Hat training ticket costs vary between courses and there are also various early-bird stages. Interestingly, a four-day Black Hat course doesn’t necessarily cost attendees twice as much as a two-day course.
• Some conferences pay a fixed rate per course, contingent on meeting a minimum number of registrants.

Note that at Black Hat USA, trainers can deliver the same two-day course twice (Sat-Sun and Mon-Tues).

Set Your minimum up-front

Most conferences will ask what your financial minimum is upfront and you should be able to use the information above, plus the conference’s specific terms, to figure that out. You’ll need to maintain close communication with them to determine when to make a GO/NO-GO decision.

The conference’s minimum

Conferences themselves will generally have financial break-even points, and they won’t run training that doesn’t meet minimum registration numbers. Be clear on these thresholds and when there conference team will make their final decision.

Also, keep in mind that waiting on a conference decision could mean higher flight costs if you delay booking.

Next Post: Figuring out your selling point

The financial aspects are only a small part of the equation. To truly succeed, you need a compelling reason for people to choose your course over others in a crowded market. In the next post, I’ll discuss how to carve out your unique value proposition and attract the right audience.

Introduction

In this post, I’ll share some personal background about how I started delivering public training courses and why I pursued this path. My aim is to provide context for the later chapters and help you reflect on the motivation required for such an undertaking.

Admittedly, this chapter focuses more on my experiences than actionable advice, so if you’re confident in your motivation, feel free to jump to the bottom line: what to expect from this journey.

Some Background

At my previous employer, I had always looked admiringly at the posters on the wall of the office from when my previous boss (AppSec legend, Erez Metula) had delivered some of the early mobile security training courses at Black Hat USA. (I have my own poster up on the wall as an homage to that, as you can see in some of my videos).

While the company had moved away from training by the time I joined, the prestige of Black Hat training always stood out to me as a mark of excellence.

Separately, I had the opportunity to review training course submissions for Global AppSec Tel Aviv 2019, as well as for local conferences.

These experiences, combined with my background in developing and delivering training, gave me a solid understanding of the application security training landscape.

Starting at Bounce Security

However, I’m not sure that my new boss (AppSec legend, AviD) had any of that in mind when he asked me, shortly after I had started working with him, if I was interested in developing any training courses. Avi is well known for his threat modeling training which he has been delivering for many years now and working with him, it was a natural thing for him to ask.

Little did we know the journey this simple question would take us on…

Scratching an Itch

As I considered Avi’s question, I reflected on a common challenge I had observed at several client organizations. Many had adopted tools like SAST, DAST, and SCA, only to become overwhelmed by excessive findings, technical hurdles, and conflicts over who was responsible for addressing issues. Instead of improving security, these tools often created frustration, reduced morale, and, paradoxically, worsened overall security outcomes.

The more I thought about it, the more it seemed like a gap in a crowded market for AppSec training courses. Most courses focused on the technical aspects of tools—installation, configuration, and automation. Having seen these tools in real-life, it seemed like no one wanted to talk about the people and process aspects of using these tools. (Hindsight has shown how much of a problem this is in AppSec in general, not just related to tools which provided the inspiration for the next evolution of this course.)

My Motivation

With Avi’s encouragement, I began drafting an outline for a 2-day course to address this gap. I poured my experiences and observations into a detailed structure, focusing on practical, actionable content.

And this is a critical point. I don’t love designing training courses, I don’t love writing slides. Maybe some people do, I don’t know…

However, I felt strongly enough about this and was passionate enough to push through and pull all of this together. And then stick with it when things got harder later on. I was determined that this was valuable content and that I wanted to do the work to get this released.

Your Motivation

The key takeaway here is that creating, marketing, and delivering a training course is a demanding and time-intensive journey. If you’re new to teaching or presenting, it may push you out of your comfort zone, requiring you to build skills like public speaking and effective communication.

Before starting, ensure you are genuinely passionate about the subject. Passion will sustain you through the challenges and keep you motivated to deliver valuable content.

Next Post: The Financial Aspect

For me, the motivation to create this course wasn’t financial. Much of the work occurred during downtime between projects, and while course revenue has offset some of the investment, it hasn’t fully covered the effort. However, the experiences and opportunities it created have been invaluable.

In the next post, I’ll discuss the financial realities of creating and delivering training courses in detail.

Introduction

Welcome to a new blog series exploring the process of preparing, submitting, and delivering training courses at conferences such as Black Hat, OWASP Global AppSec conferences, and NDC Security. In this introductory post, I will provide an overview of what this series entails and share the inspiration behind it.

Background

The idea for this series has been on my mind for some time, but it was only during a recent flight that I felt ready to begin writing. Over the past few years, I have embarked on an unexpected journey that has been both rewarding and challenging. This experience has equipped me with valuable insights and lessons that I am eager to share.

This series aims to inspire and guide individuals considering a similar endeavor, offering practical advice and serving as a planning resource. Whether you are contemplating delivering a course or simply curious about the process, I hope these posts provide clarity and motivation.

Chapters in the Series

The blog series is structured into chapters that follow the chronological steps of my journey. While the posts are designed to be read sequentially, I recommend reading the entire series to gain a comprehensive understanding before deciding if this path aligns with your goals.

The planned chapters include:

• Introduction (this post)
• What Was My Motivation? What Motivation Do You Need?
• How Do the Financials Work for a Training Course?
• What Is the Niche/Selling Point for Your Course?
• Planning the Practical Side: How Will You Make It Engaging?
• How Should You Write Your Submission to Maximize Acceptance Chances?
• How Can You Effectively Market Your Course?
• What Preparations Should You Make Before Traveling?
  

A complete list of published posts can be found at the top of this page.

I welcome your feedback, questions, and suggestions for additional topics to cover. Feel free to reach out to me on Twitter or LinkedIn. As this series evolves, following me will ensure you are notified when new posts are published.

Next Post: My Motivation

In the next post, I will go into my personal motivations for delivering public training courses and share the factors that guided me along this path. I hope it provides insight and encouragement as you consider your own journey.

AppSec architects (sometimes known as AppSec engineers) have a tough job. As a small team within a larger development organization, they are tasked with figuring out how to ensure that software is being built securely and being available to provide support in doing this.

Amongst other things, this involves being aware of what development activity is actually going on.

And as GI Joe famously taught us:

For some of our clients we operate as part-time AppSec architects either joining their existing team or becoming their team. As we are acting as virtual employees, we generally request some access to internal systems to get some situational awareness into development activity (or activity in general) within the organization. Otherwise we are operating completely at “arms length” without insight into what they are working on and how they work.

Additionally, most organizations nowadays are distributed in some way. That might be by having multiple international offices or a remote/hybrid working environment. This makes access to their internal communication systems even more important in order to be able to effectively interact with the team.

Since it came up recently, I thought it would be valuable to go into a little more detail about the sorts of systems we request access to and how this can help us.

Some of our uses here are a little more unorthodox and many will be useful ideas for regular, full time employed, AppSec architects as well.

So take a look and also let me know if you think there is anything I have missed 😀

For each system, I will give:

• Explanation - A brief overview of each system type and what it does
• System examples - Some examples that you might see “in the wild”
• Information provided - What useful information can we gather from the system to increase our situational awareness?
  • In some cases we might be able to use some slightly more sneaky tricks to discover useful information.
• Usage cases for AppSec - How we can use the system for our own purposes

Security systems and platforms

I am not going to mention these in detail as it almost goes without saying that these would be useful for AppSec work. My intention in this post is to focus on the more mainstream organizational systems.

Developer Ticketing system

Back to top ↑

Explanation

This will be the system that the development organization uses to guide developers on what they will be working on at any point in time. It might be used just for regular work tracking, (e.g. you are working on this piece of functionality today,) or it might also be used for bug tracking as well, (i.e. QA will open tracking tickets when they find quality bugs.)

Either way, it tends to be a key system that developers (and maybe other development staff) use to organize their day.

System examples

Examples of systems like this include:

Information provided

We can use this system to discover information including:

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Company email

Back to top ↑

Explanation

A personal mailbox in the company’s internal email system. I think we know what email is by now but the scope here is to have an account where when we send an email, it doesn’t have a scary “this is an external email” message at the top.

System examples

Examples of systems like this include:

Information provided

We can use this system to discover information including:

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Company calendar

Back to top ↑

Explanation

The place where employees plan their meetings and potentially structure their day in other ways.

System examples

Mostly the same systems as for internal email.

Information provided

We can use this system to discover information including:

Slightly sneakier information we can gather from it

If we are struggling to get traction or cooperation within development teams, calendars can sometimes also reveal some other interesting information.

This could include:

• Looking at the meetings which people have on their calendars in order to understand who is meeting with whom and about what. This might reveal information on new developments or new development plans.
• Planning documents or other notes documents might also be attached to meeting invites and therefore reveal information about what they are working on.

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Internal chat system

Back to top ↑

Explanation

Most organizations will have a more informal system for internal ad hoc conversations without the overhead and formality of email. It will usually include both person to person conversations and also groups.

System examples

Examples of systems like this include:

Information provided

We can use this system to discover information including:

Slightly sneakier information we can gather from it

If we are struggling to get traction or cooperation within development teams, chat systems can sometimes also reveal some other interesting information. This could include:

• Search for secret information or secrets being shared. Maybe you need test credentials but can’t anyone who will provide them…
• Lurking in groups to discover potential issues. I was once lurking in a group where someone asked for the easiest way to forge a production token so as to do some testing.

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Internal conference platform

Back to top ↑

Explanation

The audio/video conferencing platform which the company uses for its internal meetings.

System examples

Examples of systems like this include:

Usage cases for AppSec

There probably isn’t much data we can gather from this but this system can be useful for our own work in lots of ways, allowing us to:

Internal documentation / file storage platform

Back to top ↑

Explanation

The place where employees document long form information about the company, the application, etc. This could include both simple documents but also larger files such as meeting recordings.

System examples

Examples of systems like this include:

Information provided

We can use this system to discover information including:

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Source control system and Continuous Integration

Back to top ↑

Explanation

The system the company uses to store their source code and also to perform compilation/build processes.

System examples

Examples of source control systems include:

Examples of CI systems include:

Information provided

We can use this system to discover information including:

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Cloud Management Platforms

Back to top ↑

Explanation

Most organizations are using cloud hosted infrastructure to host their applications. Some may be entirely cloud based or cloud native. There will generally be a management platform where all of this infrastructure is managed. Visibility of this platform will be even more important if the company is not using “Infrastructure as Code” to configure it.

For our purposes, access to the API might be even better than the graphical console.

System examples

Examples of systems like this include:

Information provided

We can use this system to discover information including:

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

Observability

Back to top ↑

Explanation

This is the posh new word for logging :) The overall goal is to give developers and operations team more insight into what is going on in the running application, especially in production.

System examples

Examples of systems like this include:

Information provided

We can use this system to discover information including:

Usage cases for AppSec

This system can be useful for our own work, allowing us to:

In conclusion

This post got a little long but hopefully provides you with a useful overview of how you can use organizational systems to operate more effectively as an AppSec architect.

What did I miss out? Let me know on Twitter, Blue Sky or LinkedIn!

My previous post was about better understanding the situation when you make software security recommendations and how that can often be quite tricky. I illustrated this with the way that the Prisma ORM handles SQL injection.

As it turns out, I proved myself correct almost immediately by discovering that I had overestimated the strict accuracy of the documentation and underestimated the ability of developers to get the job done in whatever way possible.

In this post, I’ll explain what happened and the revised guidance around Prisma ORM.

Suggesting the “safe” method

Original documentation

So my previous post was very much in line with how I understood Prisma’s documentation of the $queryRaw function, (or at least how their documentation used to look). You can see an extract here:

(See original documentation at this archive link.)

My feeling from the documentation was that the $queryRaw and $executeRaw functions were safe but if you wanted to generate a query dynamically into a variable somewhere other than directly in these functions, it would not be possible.

I was currently looking at a use case which required this type of dynamic query generation so I was expecting that developers would therefore not be able to use $queryRaw and that instead they would need to use $queryRawUnsafe.

Inconceivable…or is it?

But, as I said above, I had underestimated developers…

(Developers clearly make the best hackers!)

They came up with something like this stunning piece of code which got me scratching my head as to why on earth it worked.

import { PrismaClient } from '@prisma/client'

const prisma = new PrismaClient()

const untrustedInput = 'lomo@prisma.io\' OR \'1\'=\'1'
const sql = `
  SELECT * FROM "User" WHERE email = '${untrustedInput}';
`

const templateString: any = [sql];
templateString.raw = sql;

const users = await prisma.$queryRaw(templateString)
console.log(users)

Head-scratcher or not, this works and in the example above leads to an SQL injection vulnerability, despite using the “safe” method.

Note: You can try the examples in this section in the Prisma Playground although be aware that:

• Prisma Playground sometimes errors out so you might need a few attempts before it works…
  • Alternatively, you can try this offline version I created.
• Prisma Playground runs JavaScript so you may need to take that into account. For example, in the version above you will need to remove the : any from const templateString: any = [sql]; in order for the code to run.

So, why does this work?

The short reason is that we are talking about JavaScript where pretty much anything goes 😂. (Well actually, this was Typescript, but it turns out you can persuade it to act like JavaScript without too much trouble 🤦‍♂️.)

The long reason for why this works is that the $queryRaw function accepts two possible object types, the TemplateStringsArray type (which Typescript uses as the object type for Tagged Templates that I described in the previous post) or an Sql object which itself is based on Tagged Templates.

A Tagged Template has a property called raw and through the use of the any keyword, the developer has created an object that looked similar enough to a Tagged Template object to be accepted by the $queryRaw function in both JavaScript and Typescript.

A simpler bypass

In fact, it turns out that you don’t even need to go to this much effort. Prisma supplies a helper method called raw which pretty much does this for you but for the Sql type so now making this function unsafe is as simple as the following code.

import { Prisma, PrismaClient } from '@prisma/client'

const prisma = new PrismaClient();

const untrustedInput = 'lomo@prisma.io\' OR \'1\'=\'1'

const users = await prisma.$queryRaw`
 SELECT * FROM "User" WHERE email = '${Prisma.raw(untrustedInput)}';
`
console.log(users)

I did another LinkedIn poll to see if people would pick up on this but there were still people who thought that this was not vulnerable.

LinkedIn Post link

If you dig deep enough, you can see warnings about this particular function and it is also a lot easier to discover if it is being used than the previous method. But more on that later.

So now what?

The best option for being safe

Having seen all this, I decided that I need to find a way of making the unsafe usage of the safe function safe again.

The best way of doing this would be to build a safe Sql object which includes parameter markers and parameters and then pass that to the $queryRaw function.

Unfortunately, this is still not a usable solution if you want to dynamically build the query bit by bit as you need to have all the text strings surrounding the parameters in separate variables which is pretty fiddly.

// Example is safe if the text query below is completely trusted content
const query1 = `SELECT id, name FROM "User" WHERE name = ` // The first parameter would be inserted after this string
const query2 = ` OR name = ` // The second parameter would be inserted after this string

const inputString1 = "Fred"
const inputString2 = `'Sarah' UNION SELECT id, title FROM "Post"`

const query = Prisma.sql([query1, query2, ""], inputString1, inputString2)
const result = await prisma.$queryRaw(query);
console.log(result);

Playing the Uno reverse code

In the end, I was inspired by the original bypass code to generate my own Sql object but this time create it safely with parameters. You technically shouldn’t be able to generate the Sql object in this way because the values property is readonly and it won’t support multiple databases but since this is Javascript we can get away with it 🙃.

This code allows the dynamic generation of a query, using parameterization, which could then be used with $queryRaw or $executeRaw.

// Version for Typescript
const query: any

// Version for Javascript
const query

// Safe if the text query below is completely trusted content
query = Prisma.sql`SELECT id, name FROM "User" WHERE name = $1`

// inputString can be untrusted input
const inputString = `'Sarah' UNION SELECT id, title FROM "Post"`
query.values = [inputString]

const result = await prisma.$queryRaw(query)
console.log(result)

But is it safe?

So where does this leave us? This updated code is safe at the moment but it could still be made unsafe.

This type of dynamic query building will always need to be done with caution, with careful attention being paid to how the queries are being built. If the dynamic queries are being built programmatically, hopefully you can be more confident that this treatment is being correctly applied. If developers are still manually building these dynamic queries one by one, you may have more reason for concern

In the meantime, I submitted some quite extensive updates to the Prisma documentation to hopefully make these considerations clearer. You can see the updated documentation at this link.

(Thanks to the team at Prisma for being open to my suggestions 😀)

In conclusion

Well at a meta-level, this is another great illustration of the day to day challenges in software security. Sometimes you can’t even rely on the documentation…

I think the key conclusions here are:

• Raw queries will always be dangerous and require extra attention because they are so easy to get wrong.
• This is one of the reasons why SQL injection is still so prevalent and we certainly haven’t eradicated it yet.
• Being able to detect these sort of edge cases or changes in the way things are done is super important. In a future post, we’ll try and demonstrate how…