First of all, I'm surprised about the mix of attendees. I expected more people to be more experienced, but I've met several people who actually were fairly new to working with security.
Since I've worked on defending against attacks on web services for some time, I had signed up for a training on attacking web applications and services. I expected to learn about a bunch of nifty tools. However, there were not many tools introduced, just a few that I hadn't used before, like Burp Suite (I realized I've been stuck in Windows land for too long). I did not, however, really learn any new ways of attacking web applications.
However, I was extremely pleased with the training because there were plenty of practical exercises, and the biggest takeaway is that in order to understand how web attacks are done you need to do them, because it is all about trying different hypotheses and exploiting the information you get. At least for me, I need a few exercises to get the brain thinking the right way, and then it is all fun from there on...
Next week I'll give you a summary of the briefings I attended.