How to Score Tickets to Your Favorite Security Conference (Now That Derbycon is Dead)

NOTE: For the last several years, I’ve been a master at scoring hard-to-get conference tickets, specifically for Derbycon.  I originally wrote this two years ago, but my Eversec teammates begged me not to post it.  I thought their fears of being outcompeted for Derbycon tickets were unfounded, but I honored their request.  Since Derbycon is over now, I’m going to reveal the secret to all of you!  These tips are easily applicable to any conference with limited and hard-to-get tickets, like Shmoo.

  • Follow the con’s Twitter account and turn on notifications for it: besides their website, Twitter is the main way most con organizers put out news.  Following them, and especially turning on notifications for when they tweet, is one of the easiest ways to keep abreast of what’s going on, official sales times, etc.  Organizers will announce sales times and sometimes even extra sales or ticketing system tests, so you could always get lucky that way.
  • Submit something to the Call for Trainers, Call for Workshops, and/or Call for SpeakersI know this isn’t going to be the best option for everyone, but if you have some cool skill you think you could teach or some neat topic you can present on, submit it!  If you get accepted, you automatically get a ticket and many cons will even give you an extra ticket for a partner/spouse/friend or even an honorarium.  I’ve even gotten a ticket for Derbycon before just for being on their talk waitlist, in case someone didn’t show and they had to fill a slot.

  • Buy the trainingseveral big security cons offer training events in the days leading up to the general conference.  If you have the means, or have an employer who’ll bankroll it, I highly recommend you take advantage.  You can often get super high-quality training (and a con ticket) from famous infosec people for a great price vs. doing it via SANS or an onsite stand-alone event.  Training tickets usually don’t sell out as fast either, so there’s less of a race against the clock to score them.
  • Be prepared for when the sale starts: Don’t screw around with time.  This is a con that sells out fast, so don’t just casually browse to Eventbrite or the ticket site five minutes late and think you’ll get one.  I’d recommend sitting down at your computer 10-15 minutes ahead of time, having a browser window open to the ticket selling page, have a site like open in another window, and once you’re within a few seconds of the sale time, keep hitting refresh, and hope you get lucky!
  • Become a sponsor: I know this isn’t for everyone, but one option is to talk your company into becoming an official sponsor, which will usually land you some tickets.
  • Cruise the con’s subreddit, Facebook pages, or other social media presences: another place you might find people hawking extra tickets.
  • Look out for infosec vendors, podcasts, news sites, and others that are giving away tickets: a lot of place will have little contests and other stuff offering them in the lead-up to the conference.  If you’re a student or a military veteran, there always seems to be people offering tickets specifically for those groups.
  • Obsessively search Twitter for the term “[insert con name] tickets” every five minutes:  I’m dead serious.  This is my golden advice.  When it’s five minutes after the sale time and every ticket is gone…fear not.  For Derbycon 6, I was able to score four tickets for my coworkers using this method.  One of those tickets was gotten while standing at the early check-in booth the afternoon before the conference started.  If you live far away from the conference, it’s a bit risky, but start around or month or so from the con and you’ll start to see them popping up on Twitter.  Somebody had tickets but then they have some family obligation, they started a new job, their dog died, whatever…there are **ALWAYS** people out there giving away or selling their ticket.  So just type the name of the conference and “tickets” (or get fancy with Boolean searches and also search for “ticket”, “tix”, etc.) into the Twitter search bar, click on the “Latest” tab (this is key!), and refresh that sucker every few minutes until you get a bite.  What you’re hoping to get here is maybe some guy who only has ten followers and is trying to sell their tickets, that way you’re probably the first person to see it and you can leap on it first.

Hopefully these tips will help you land those coveted tix and you’ll get to meet follow hackers in a fun new city.  Here’s some other general advice that was very applicable to Derbycon, but probably would work for Shmoo or another con…

  • Go ahead and book travel: A hotel block will often be opened for reservations soon after ticket sales…just go ahead and reserve one.  Most every hotel will let you cancel your reservation up to a day ahead with no penalty anyway.  But honestly, even this year, I knew people who were begging to give away their spare tickets to the very last Derbycon, which I was legitimately worried would be hard to get tickets for because it was the last one ever.  Just go ahead and book your travel…trust me, with my tips, you’ll get a ticket.  Worst case scenario is “LobbyCon” (more on that below) and a small vacation, which isn’t bad either.
  • If you do get them during the online sale, consider buying multiple: most of the hard-to-get-into cons will limit the ticket sales, eg Derbycon only let you buy four, Shmoocon will let you buy two, etc.  Consider buying multiple tickets to share with friends, sell on to other deserving folks in the infosec community who weren’t so lucky, or even hold your own contest to give them to a lucky winner, student, veteran, woman, POC, non-binary folks, or whatever group you want to help represent at the con.
  • That said, DO NOT GOUGE TICKET PRICES: tickets are usually unique QR codes that the organizers track and most cons have policies to perma-ban anyone who tries to charge more than original value for tickets.  Don’t be an asshole.
  • Go somewhere besides the immediate vicinity of the con: Anywhere within a few blocks of the con will be crowded with your fellow smelly hackers anyway, so walk, take a scooter, or an Uber/Lyft/taxi a little further afield and explore the city for dinner or evening relaxation.
  • If all else fails, LobbyCon it: I know that may sound weird, but you could probably just come and hang out in the lobby, hotel bar, and hallways, talk to like-minded hackers, and have a total blast that way.

I hope these tips help all of you out.  Good luck!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s