A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Hacker/Infosec Con Types & Getting More Out Of Hacker/Infosec Conferences

Hacker/Infosec Con Types & Getting More Out Of Hacker/Infosec Conferences

        I was inspired to work on this post again by InfoJanitor on Twitter. When I asked for blog post ideas, he suggested "Through the Lens: Five Cons in Five Months", and I was like “five in five months? Wish I had such a lax schedule”. In 2018 I attended 22 cons and recorded 19 of them. Arguably, I’ve been to more infosec/hacker conferences than most people, some as a speaker, way more as a videographer. The only people I know who have more con badges than I might be Jack Daniel or Jayson Street. I use this to imply that I have some authority as to my expertise when it comes to infosec/hacker cons. In my view, there are maybe five types of hacker/infosec conference:

Enthusiast Party Hacker Cons

Enthusiast/Professional Infosec/Hacker Cons

Commercial Infosec/Hacker Cons

Vendor Cons

Awareness/We Care Conferences

        Now, to explain my views on this, let’s look at my early “con history”. One of my first cons was an “Awareness/We Care Conference” in the form of the conference at a university I was once affiliated with. I spoke at the conference circa 2005 about password cracking and such. My first real hacker con was PhreakNIC in 2005, where I got a taste for con life. Many of us attending were younger, did not have a ton of money, and slept five to a room to save on costs. Hell, it was not like you spent a lot of time in the room anyway, unless you were working on some crypto or hardware challenge. The next year, I gave a talk at Notacon in Cleveland where the research almost got me fired, and then PhreakNIC on “Creating a Windows Live CD for System Recovery and Pen-Testing”. For a couple of years, IU's CACR, PhreakNIC & Notacon were about the only cons I went to, that was till I got involved with my local ISSA. They had been running the Louisville Infosec for a few years, and in, I believe, 2008 I asked if I could record the main track. I got contacts & content for my site, they got promotion. Later I started giving Skydog crap about how long it was taking to get the videos from Phreaknic up, so they gave me the DVDs so I could rip them and post them myself. I had a university job at the time, which meant I had less money but more time and bandwidth than most people. This led to me coming to Outerz0ne and ripping DVDs as they were recorded. For a later Outerz0ne I figured out how to do picture in picture with AVISynth, and people began asking me to help record their conferences. After the success of the Louisville ISSA Metasploit class, Martin, Dave, Erin, Alex plus a few others and I put together Derbycon, where of course I was tasked with recording. Since I was the person most likely to use it, I was left with the video gear to record other multi track cons. After that, I’ve done a bunch of cons. I’m recording more than 20 per year at this point. Let me define my subtypes listed above. Bare in mind, few conferences fall solely into just one of these categories, and the ones I really like have a lot of crossover.

Enthusiast Party Hacker Cons

        I get the impression this is what DEFCON used to be, and still is to some degree, but my first DEFCON was 2009 so my perspective is limited. This is definitely what I would call PhreakNIC, and Skydogcon, maybe NolaCon to some extent. A bunch of people who love infosec/bypassing limitations/etc, but also love damaging their liver a bit too much perhaps. Many conferences have aspects of this.

        One interesting thing about enthusiast party hacker cons is that they sometimes draw people that or not so much into hacking as the scene itself. They may have a mild interest, but they are mostly there to party, or just to be seen. You will wind up seeing more of these people at DEFCON for example than at other cons because Vegas is a fun place to go for many, even if hacking is not your interest. I don’t mean this to be insulting to DEFCON, it’s just sort of the nature of being in Vegas. I’m sort of surprised that NolaCon has not encountered more of this, as New Orleans is a great town to have fun in. Then again, NolaCon being newer likely limits this as people may not know about it (great conference, good content, & never had a bad meal in New Orleans).

Enthusiast/Professional Infosec/Hacker Cons

        This is where cons like Derbycon, Shmoocon, NolaCon and many BSides come in. The folks that show up are still enthusiasts, but they also seem to have jobs in the field or are looking to get into the field. There is a lot of partying, but also the people are legitimately there to learn stuff for work. I would say Defcon almost falls into this category, but Dark Tangent seems to have resisted the urge to have traditional sponsors (vendors who sell hacker merchandise I put in a different category than just a for-money sponsor). At the larger ones you can make good connections to both find work or to hire someone. Cleared Jobs even distributes wrist bands to some conferences to identify if you are looking to hire or get hired, which may help while mixing with others. Smaller events like many of the BSides seem better for acquiring talent then drumming up business for a consulting company as most of the attendees seem to be enthusiasts/practitioners and not managers. The same can be said for conferences that happen on weekend (more enthusiasts) and during weekdays (more managers).

Commercial Infosec/Hacker Cons

        This would be things like BlackHat and Hacker Halted. The promise is something like: We will show you what the underground is doing, but we will provide you better food and it will be during a weekday so you can take off work. Some conferences deliver on this promise better than others. Truthfully, some cons ride between this and “Enthusiast/Professional Infosec/Hacker Cons”, for example ShowMeCon is done during weekdays often which appeals to the infosec professionals that want to get out of the office, but it is ran by a bunch of enthusiast/practitioners who really dig hacking and general geek culture. The upside is food is provided, the downside is that can greatly increase cost of ticket.

Vendor Cons

        Theses are all about selling stuff. People are there to hawk tools, appliances and services plain and simple. Most ISSA events are this to some degree, as is RSA so I understand (never been there, so may be talking out my buttox). I’ve heard RSA referred to as being a conference about the business of infosec as opposed to being about infosec itself. I’ve been told some BSides may fall into this area, but that is highly dependent on who is running it. While the talks may aim towards vendor pitches, they can be good for making contacts to get hired on drum up business.

Awareness/We Care Conferences

        These are normally small affairs, for limited audiences. I already gave the aforementioned example of the “Indiana University Center for Applied Cybersecurity Research” conference. Mostly, these are conferences held internally in organizations for people that may not be directly involved with security. The core idea seems to be to “raise awareness”/”show we take security seriously”, so many times the talks seem wide in subject but not very deep technically. Maybe they help, maybe not?

        So, what do I think of various cons besides the bit of info I gave in the descriptions above?


        Why not cover DEFCON, it is the 800 pound gorilla of hacker conferences. Apparently it reached close to 25,000 attendees in 2017, and nothing else in the States matches it. I’ve only been going since 2009, but I’d mostly put it in the “Enthusiast Party Hacker Cons”. Having seen videos and hearing stories of the shenanigans from years past it seems to have mellowed a lot, which is to be expected as 90’s kids grow up, get mortgages and have kids. DEFCON has moved several time around the big conference spaces in Vegas and keeps growing to the fill whatever space it is held in. You can pretty much expect to stand in line for big name talks. It’s easy to miss people you know are there in all the crowds. I kind of like Vegas, but after about a week I’m ready to go home.


        I’ve only been to Blackhat DC as a speaker and Blackhat USA in Vegas as a training helper. Large price tags for attendance keep many enthusiast away, and truth be told many of the talks seem to be present at the more affordable BSides events around the country. Trainings are a major draw for going in my opinion, getting some hands on knowledge and CPEs. If work will pay for it, I’d recommend it. If you are just someone getting into the industry, you might be better off visiting cons within driving distance.


        Obviously the best conference because of the stunning good looks of the videographer, Derbycon sprung up after the Louisville ISSA Metasploit Class for Hackers For Charity was such a success. No one was watching the signup form for the class, and all of a sudden we had way more people signed up than expected, forcing us to change venues. Dave, Martin and I thought “we got so many people here for just a one day class, why not put on a conference”? We went with the name Derbycon because Louisville is only known for about three things, horse racing, baseball bats and fried chicken. Since a derby is also a type of hat, and the black/grey/white hat hacker meme exists, Derbycon seemed like the name to go with. We aim to have good technical content but stay affordable. Louisville also has the advantage of being within a 5 hour drive of many large cities in the midwest and south. Things generally don’t get as wild as at some large conferences, but you will see people calmly sipping bourbon and showing off projects in the lobby while commensurating with friends. Sadly, Derbycon 9 is planned to be the last because of peoples drama (yes, it was drama, if you don’t understand that maybe you should not believe everything you read on twitter. Twitter is like the “telephone game”, where people spread misheard misinformation and has taught me many infosec people are terrible at attribution). Plans are in the works for another midwest/southern border replacement conference.


        One of my favorites, and the “Own the Con” talks Bruce and Heidi do each year were useful when we were planning Derbycon. I was a every Shmoocon from 2010 to 2016. While there is much partying, I’d say this con is firmly in the “Enthusiast/Professional Infosec/Hacker Con” arena. Have some fun, see some friends, learn some stuff and talk to some recruiters. Getting chosen to speak is a pretty big honor, and not easy. Since they limit attendance to a little under 2000 people, and the con is so popular, to get a ticket you might have to play the F5 olympics. I think one of the reasons it is so popular is that it is held in Washington DC, so lots of infosec folks from the federal government come out. People complain every year about how hard it is to get a ticket, but people also don’t want the con to grow larger and you can’t have it both ways. Apparently the logistics of getting a bigger hotel in DC is difficult.

BSides Events

        Everyone of these varies depending on location and who is running the event. They can fall into any of the loose categories I gave above. Because they are affordable, usually costing no more than $20 or even free, they are a good choice for a first conference for people trying to get into the field. Definitely submit to the CFPs to get your name out there and get some experience speaking. Personal favorites of mine happen in Nashville, Cleveland, Detroit, Columbus, Philadelphia, Baltimore and Tampa but there are many that have popped up around the world.

What To Do At Con?

        Talks: Yes, that is one of the major announced features. People come to see, listen to and meet certain well known speakers. You can get a lot of good information this way, but anymore so many talks are recorded, people spend time on “hallway/lobby con” instead. Always good to ask ahead if there are any talks that will not be recorded so you can attend those. Also look for talks where you would want to be in the audience to ask questions.

        Contests: Some cons have contests like capture the flags, lock pick competitions and crypto challenges. Probably not the best for meeting people if you’re face is down in a screen all con, but good for bragging rights and demonstrating skills.

        Hallway/Lobby Con: People call it different things. With most talks being recorded, you can watch them later, but hallway con is harder to substitute. Nothing like getting to talk to people in small groups to make connections and learn things, learn who specializes in what, and track down potential job leads. Making that personal connection. I’ve heard some people complain about cliques but I’ve found people to be friendly if you are friendly. If you, like many in tech, are introverted you may want to contact a few people on social media that you know will be there to help get you introduced to others.

        Speak: Speaking at conferences is a great way to get your name out there. I know a lot of people have a fear of public speaking, but having a bunch of presentations under your belt can be good for a resume/CV. Also, if you are not good at striking up conversations, people will come up to you to ask questions after your talk.

        Volunteer: Consider volunteering at conferences. It’s a great way to meet people and let people know you are reliable while getting a free ticket at the same time. Conference organizers who also have management positions or companies of their own and notice reliable volunteers and have been known to hire them. Older established conferences may have their volunteer spots filled up by old timers, so get to know some old timers and worm your way into volunteering.

        Finally, remember Trevor Hearn’s saying: at least three hours of sleep, two meals, and one shower per day.

Thanks to @InfoJanitor, @vajkat, @jack_daniel, @thesl3ep and @InfoSecSherpa for some input on things to add.

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast