
How our training was accepted at BlackHat training EU, ASIA and US and DEF CON
In the past two years our training Hackable.sol: DeFi and Smart contract hacking got accepted at DEF CON Trainings and Black Hat trainings. It allowed me to meet amazing people from all around the world, organizers behind the most popular cybersecurity conferences while having the opportunity to travel and challenge myself to the next level.
Presenting at one of these conferences or hosting a training is one of the best feelings a cybersecurity practitioner can get. Besides being “on stage”, you are continuously creating connections, getting new ideas, helping people that are starting their careers. I definitely recommend it to anyone.
With this blog post I want to share my experience in getting a training accepted, as many people asked me about it and I believe it’s also important to demystify some of the misconceptions.
So how do you get your training to the BlackHat or DEF CON stage?
I started learning about smart contract development during the Covid-19 lockdown. Before that my smart contract knowledge stopped at using them via fancy UIs or buying tokens. So I decided to spend my lockdown nights (as the coolest thing you could do in that period was walking alone) learning Solidity and its ecosystem, learning forge and starting to solve some of the public CTFs like:
- Ethernaut by OpenZeppelin: https://ethernaut.openzeppelin.com/
- Overthewire: https://overthewire.org/wargames/
- DefiHackLabs: https://github.com/SunWeb3Sec/DeFiHackLabs
- QuillAudits CTF: https://www.quillaudits.com/academy
reading bug bounty reports from multiple platforms:
- Hacken.io: https://audits.hacken.io/
- Immunefi Learn: https://immunefi.com/learn/
- HackenProof: https://hackenproof.com
while continuously creating my own labs to replicate PoCs of other researchers and taking extensive notes.
Eventually I ended up with tons of papers, markdown files and more than 50 pseudo labs that could be executed in Remix, without a structure or any logical sense. So I decided to restart from the beginning to try and make sense of all that content, creating macro topics, sub topics, linking them to real life scenarios. It took me 6 months to have something acceptable.
I started creating slides for each macro topic to support the story (a few examples attached). The idea of the slides is to really visualize what in many blog posts or videos is only explained with code. Code is great but for a beginner to the topic, graphics are key to quickly understand the problem.
I found this in my GitHub repo. This is the first image (a photo of a paper) that I added to my content (note the halo on the UserWallet Owner).

That eventually became something like this

After that more pictures followed the same path. The reentrancy attack is the one I like the most as it explains the flow of the transactions and shows the malicious loop.

And yes, I have screenshots of code in the slides, as on a big screen I love to walk through it with the attendees. It also drives engagement.

So it was time to try it with other people. I practiced the story, checked the material and organized a live webinar together with Stefan to promote the course. We managed to get 234 attendees (May 2022).

The webinar was then followed by an online session with 5 people that subscribed to the BETA version of the training. This was a super discounted version of the initial course.
Results? Not too bad counting that 20% of the labs did not work at first, but we managed to fix them right away. Mistakes were spotted, and attendees gave us great insights to further improve the material, the labs and the story.
It was a success.
The webinar is still available on LinkedIn if you are curious. It was the first one, so keep that in mind 😀
https://www.linkedin.com/events/ssch-soliditysmartcontracthacki6898248850516361216/theater/
I still use it in my CFT submissions.
Improvements and priorities
After that the first priority was to improve the material to include the feedback, make the labs reliable and add new content.
This took another 6 months, to get the training to a more solid state, easier to follow, with a better flow and more details. The main goal was to lower the entry barrier and make content easy to follow by anyone with basic programming knowledge, not even Solidity knowledge. I invested most of the time in creating a good structure that made sense, linking most of the topics to real life incidents. For example, when talking about price oracle vulnerabilities, we analyze the Tellor bug.

Once happy, I decided to submit the training to various CFTs (Calls for Trainings), including DEF CON 31.
That’s when I received the email confirmation that the DEF CON training board accepted my training for the first time.

I had the chance to deliver a training session at DEF CON in Las Vegas in August 2023. Out of seven registered students, two never showed up—understandably so, as waking up at 7:00 a.m. in Sin City is no small feat.
Despite having plenty of training experience under my belt, I hardly slept the night before. I had already reviewed every lab (testing them 10–20 times a day) and revised slides (updating, adding, deleting, and polishing them more than 50 times). The nine-hour jet lag certainly didn’t help, but that wasn’t the main reason. The thrill and terror of teaching at DEF CON for the first time kept my heart racing until just a few hours before my alarm rang on training day.
Since then, I’ve delivered the course multiple times, each iteration more refined than the last. Here are a few lessons I’ve learned along the way:
Start documenting your content
Don’t wait for perfection. Put your ideas down in any form—notes, outlines, rough slides—and let them evolve naturally.
Create labs and practical examples
Hands-on exercises not only help your students grasp the material but also force you to confirm that everything works as intended.
Learn from the Community
There’s so much knowledge out there. Watch talks, read articles, join forums, and collaborate with peers. You’ll pick up valuable tips and perspectives.
Find the Gap
Technical depth matters, but a good training session needs more than just facts. Build a clear narrative that allows learners to follow along step by step.
Polish, Test, and Repeat
Continuously refine your materials. Ask friends or community members for feedback. Practice makes it perfect—both for your content and your delivery.
Publish your work
Record a video of yourself presenting and share it. Write blogs or articles.
Submit to Calls for Training
Stay alert for Call for Training (CFT) opportunities. Tailor your content to their requirements and send in your submission. This can also be to local chapters and events.
Embrace the process and let your passion for the subject shine through.
This year we will be present at BlackHat Asia and BlackHat USA in Las Vegas. Hurry up as spots fill up and prices increase.

Big news is that the training will soon be available on demand on the SecDim platform, for everyone. Some of the labs are already open to PRO users, but if you want to give it a try, go ahead and click on the link below.
