Cloud Security Office Hours runs a free, vendor-neutral session every Friday morning, and most of what happens there comes from members who decided to share something they figured out. This page is for anyone thinking about giving a talk: what we are looking for, who can present, how long a session runs, how to pitch, and what you get out of it.
You do not need to be a famous engineer or a polished speaker. If you have solved a real problem, run a good investigation, or learned something the hard way, that is a talk. First-timers are genuinely welcome.
On this page
What we are looking for
The bar is simple: does this help a working cloud security practitioner do their job better? That covers a lot of ground. Recent sessions have run from AI and LLM threat models to supply-chain attacks, IAM design patterns, breach post-mortems, and conference recaps. There is no fixed curriculum and no formal call for papers. If it is useful and honest, it fits.
Two things matter more than the topic:
- Vendor-neutral. Talk about what works and what does not, name trade-offs, and disclose your employer when it is relevant. Comparing tools or categories on the merits is welcome. What is not welcome is a sales motion wearing a talk's clothing.
- Technical or career-practical. Either go deep on how something actually works - the config, the attack path, the detection logic - or give people something they can apply to their career. Both land well. Vague thought-leadership does not.
The one hard rule: no product pitches, and no demos disguised as talks. This is the no-sales-pitch rule from our Code of Conduct, and it is what keeps the room trusting the content. If your talk only makes sense as an ad for a specific product, it is not a fit. If it teaches a concept and your product happens to be one example among several, that is usually fine - lead with the concept, disclose the affiliation, and do not close.
Who can present
Members, regular attendees, and practitioners from the broader community are all welcome to pitch. You do not need a title, a certification, or a track record of public speaking. Some of the strongest sessions have come from people giving their first-ever talk on a topic they happen to live in every day.
Good candidates include engineers who just finished a messy migration or incident response, detection folks who built something worth stealing, people who broke into the field and want to share the path, and anyone who read the docs so the rest of us do not have to. If you are early in your career and unsure whether your experience counts, it almost certainly does - and our mentorship program can help you shape it.
Formats and length
The Friday session is roughly an hour, and the format is flexible. Common shapes:
- Full talk (about 30 to 40 minutes plus Q&A). A deep dive on one topic. Slides optional. This is the default and leaves good room for discussion.
- Short talk or lightning (10 to 15 minutes). One idea, one lesson, one tool. Great for first-timers and for weeks where we pair two speakers.
- Walkthrough or teardown. Screen-share a config, a Terraform module, a breach timeline, or a detection rule and narrate what is happening. Live but low-stakes.
- Guided discussion. You bring a sharp question and a bit of framing, then facilitate. Works well for topics like threat modeling or hiring where the room's collective experience is the value.
You do not have to fill the whole hour. Leaving time for questions is a feature, not a gap. Tell us in your pitch which shape you have in mind and we will make it work.
The pitch process
There is no formal CFP, no submission portal, and no committee to impress. Email admin@csoh.org with a one-paragraph pitch that answers three things:
- Topic. One or two sentences on what you want to cover.
- Who benefits. Who in the audience walks away better off - engineers, detection folks, people breaking into the field, leaders.
- How long. Full talk, short talk, or discussion, and roughly how many minutes.
That is the whole application. We will reply, sort out a Friday that works, and answer any questions about the format. If you want a second set of eyes on your outline or a dry run before the day, say so and we will set it up. If you are still weighing whether your idea fits, skim the past presentations for the range, or check the FAQ.
What speakers get
This is a volunteer community, so nobody is getting paid, and there is no sponsor money changing hands for a slot. What you do get is durable and genuinely useful:
- An archived talk with its own page. Your session is written up and preserved alongside the other presentations, so it keeps working for people long after Friday.
- A recap that names you. Each session gets a recap in the meeting archive that credits the speaker and captures the key points, so your contribution is on the record and searchable.
- Real reach. The audience is 2,000+ cloud security practitioners - not a marketing list, but people who actually do this work. That is a rare room to teach in front of, and a strong thing to point to when you are building a portfolio or making a career move.
Logistics on the day
Sessions run on Zoom. A few practical notes so nothing surprises you:
- Screen-share. You drive your own screen for slides, a terminal, or a live walkthrough. Test your share and audio a few minutes before we start.
- Q&A. Questions come by voice and in chat. You can take them as you go or hold them to the end - tell us your preference and a host will help wrangle the queue.
- Hosted, not solo. An organizer runs the room, handles intros, and keeps an eye on time, so you can focus on the content.
- No recording of the discussion. The talk portion may be archived, but the open discussion and Q&A are not recorded. That norm is what lets people speak candidly about real incidents and real tooling, and we hold to it. If any part of your material is sensitive, tell us in advance.
If you want to see the vibe before you commit, just attend a couple of Friday sessions first. It is the fastest way to calibrate tone and length.
Tips for a good session
- Pick one thing. A single idea told well beats a survey of ten. Decide the one sentence you want people to remember and build toward it.
- Show the real thing. Actual config, actual logs, an actual attack path. Practitioners can smell a slide that has never touched production. A short live detection or IAM walkthrough beats a wall of bullet points.
- Tell the story of the problem. Start with what broke or what you were trying to do, not the solution. The stakes make people lean in.
- Leave room to argue. The best value is often in the Q&A, where the room's collective scar tissue comes out. Do not over-pack the slides.
- Be honest about limits. "Here is where this falls apart" earns more trust than any pitch. Same goes for disclosing your employer - say it once, plainly, and move on.
- Do not sell. Worth repeating: teach the concept, and if a tool comes up, treat it as one option among several. That single choice is what makes the room want you back.
Where next
Ready to pitch? Email admin@csoh.org with your one-paragraph idea. First, get the lay of the land: see what a Friday session looks like, browse the past presentations and the meeting recaps, read the Code of Conduct and its no-sales-pitch rule, and get to know the wider community.
Quick answers
Do I need to be an experienced speaker?
No. First-timers are welcome, and some of the best sessions came from people giving their first public talk. The audience is peers, not critics, and the format is low-pressure. If you want feedback on your outline before the day, just ask when you pitch.
How do I pitch a talk?
Email admin@csoh.org with a one-paragraph pitch: your topic, who benefits from it, and roughly how long you want. There is no formal CFP and no slide-template requirement. If it helps practitioners and stays vendor-neutral, it is a strong candidate.
Can I present about my company's product?
No. Product pitches, demos disguised as talks, and veiled marketing are not allowed under the Code of Conduct's no-sales-pitch rule. You can discuss a technology or category honestly, including trade-offs, as long as it is not a sales motion and you disclose your employer when it is relevant.