πŸ›‘οΈ Code Kids
Cyber Camp

Teacher Presentation Pack

A 4-session hands-on cyber security course for ages 10–12

Think like a hacker. Defend like a hero.

CODE KIDS
Read me first

πŸ“– How to use these slides

🎯 What this deck is

42 slides covering all 6 sessions. One narrative arc per session: Mission β†’ Concepts β†’ Activities β†’ Flow β†’ Ethics.

Designed to be projected during teaching, with the camp open in another tab.

⌨️ Controls

  • ← β†’ Next / previous slide
  • F Toggle fullscreen
  • O or Esc Overview grid
  • Cmd+P Print to PDF

πŸ”— Live demo integration

Whenever you see an activity name, you can open it live by hitting Cmd+Tab back to the camp and clicking through.

⚠️ Important

Start the camp before presenting: double-click START_HERE.command (Mac) or .bat (Windows). The launcher window must stay open.

CODE KIDS
Course at a glance

The 6 sessions

Session 1 Β· Cyber Foundations πŸ›‘οΈ

~90 min core Β· Beginner

What cyber security really is. The CIA triad, hacker hats, and DevTools β€” reading any website's secrets.

Session 2 Β· Web Detective πŸ”

~110 min core Β· Beginner

Hunt 15 hidden flags in the Candy Shop. Read URLs like a hacker. Build a Python page-scanner.

Session 3 · Passwords & People 🎭

~105 min core Β· Beginner

Most attacks trick people, not code. Passwords, hashing, phishing, social engineering.

Session 4 Β· Secret Codes πŸ”

~125 min core Β· Beginner–Intermediate

Ancient ciphers to modern crypto. Enigma, hashing, RSA public/private keys, HTTPS, WiFi & TLS.

Session 5 Β· Attack & Defend βš”οΈ

~110 min core Β· Intermediate

XSS, DDoS, Broken Access Control β€” the classic web attacks, and how to stop each one.

Session 6 Β· AI Frontier & Finale πŸ€–πŸ†

~170 min Β· Bring everything

Spot deepfakes & AI phishing. Then the team Capture the Flag finale + certificates.

Each session has a core spine (the times above) plus optional extension activities β€” do those if you have time, or send them home.

CODE KIDS
The foundation of everything

βš–οΈ The Detective's Code

We teach skills that could be misused. Every session ends with an ethics moment. Make them feel like inducted detectives, not bad actors.

The four rules we keep returning to
  • Only test on sites you own or sites that invite testing (the Candy Shop, practice CTFs, bug-bounty programmes).
  • Doing this on a real site without permission is illegal β€” and easy to trace.
  • If you find a bug accidentally, report it. Don't exploit it.
  • Use these powers to defend, not to harm.

Tip for teachers: the kids will see this as the most exciting bit. Channel that. Mention bug bounty programmes β€” companies that pay them legally to find what they just learned.

Session 1

Cyber Foundations πŸ›‘οΈ

What cyber security really is β€” and how to see the invisible.

SESSION 1 Β· CYBER FOUNDATIONS
The mission

What students will learn

Before any hacking, students learn what cyber security actually is β€” and pick up the browser superpower every detective needs: Inspect Element.

SESSION 1 Β· CYBER FOUNDATIONS
Key concepts to teach

The core ideas

What is cyber security The CIA triad White / grey / black hats Connected devices & IoT DevTools / Inspect Element Hidden HTML comments The Detective's Code

πŸ”‘ The mind-blow moment

When kids realise everything in a website is visible to them β€” including things developers thought were secret.

🎀 Killer demo

Open bbc.co.uk live. Right-click a headline β†’ Inspect β†’ change it. Screenshot. "This is how every fake-news screenshot online is made."

SESSION 1 Β· CYBER FOUNDATIONS
Activities (open the camp to launch)

What you'll run

πŸ“˜ What is cyber security? β€” 4 hands-on missions: connected world, CIA triad, hats, the oath
15–20 min
πŸ”¬ DevTools Academy β€” 5-mission warm-up + bonus hack-3-real-websites gallery
50–60 min
🍭 Tour the Candy Shop β€” guided walk through the 5 pages, find your first flag
15 min
πŸ“ Session 1 Quiz β€” solo, Gorilla Games mechanic
10–15 min
SESSION 1 Β· CYBER FOUNDATIONS
Suggested running order

The flow

  1. What is cyber security? β€” set the scene with the animated lesson. Land the CIA triad and the hats.
  2. Open with the killer demo β€” edit the BBC homepage live in front of the class.
  3. DevTools Academy β€” kids do the 5 missions on their own laptops. Pair fast finishers with slower ones.
  4. Candy Shop tour β€” walk the shop together, find the first flag, preview what's coming.
  5. Quiz β€” close the loop, then the Detective's Code oath.
SESSION 1 Β· CYBER FOUNDATIONS
Ethics moment

βš–οΈ The Detective's Code β€” Session 1

Inspect Element is genuinely powerful. With it, you can see the secret parts of any website.

With great power comes responsibility β€” only use this on:

  • Practice sites like the Candy Shop
  • Sites you own
  • Sites that explicitly invite testing (bug-bounty programmes)

πŸ’¬ Real-world tie-in: mention HackerOne and Bugcrowd β€” kids can earn real money legally doing exactly what they just learned, on companies that want them to find bugs.

Session 2

Web Detective πŸ”

Peek behind the curtain β€” hunt the hidden secrets in a real website.

SESSION 2 Β· WEB DETECTIVE
The mission

What students will learn

Armed with DevTools from Session 1, students go hunting. The Candy Shop is a deliberately broken online shop stuffed with 15 hidden flags β€” and they'll learn to read a website like a detective reads a crime scene.

SESSION 2 Β· WEB DETECTIVE
Key concepts to teach

The big ideas

HTML structure Hidden HTML comments Hidden form inputs URL query parameters Cookies & LocalStorage Broken Access Control CTF flags / FLAG{...} Python + regex scanning

πŸ”‘ The mind-blow moment

Changing ?role=user to ?role=admin in the URL β€” and the admin page just… opens. "Wait, that's it?"

🎀 Killer demo

Find the first Candy Shop flag together in the page source, then race the class to flag #10.

SESSION 2 Β· WEB DETECTIVE
Activities (open the camp to launch)

What you'll run

🍭 Candy Shop + Hunt Guide β€” find 15 hidden flags with progressive hints
45–60 min
πŸ”— URL Lab β€” anatomy of a URL + the Broken Access Control mission
25–35 min
🐍 Python HTML Detective β€” Colab notebook, regex-scan any page (optional / take-home)
45–60 min
πŸ“ Session 2 Quiz
10–15 min
SESSION 2 Β· WEB DETECTIVE
Suggested running order

The flow

  1. Candy Shop Hunt β€” open the Hunt Guide alongside the Candy Shop. Make it competitive (first to 10 flags!).
  2. URL Lab β€” quick teaching on URL anatomy, then the Broken Access Control mission together.
  3. Python HTML Detective β€” for kids ready to code. Show how it automates the manual hunting. (Optional β€” great take-home.)
  4. Quiz β€” close the loop. Then the ethics moment.
SESSION 2 Β· WEB DETECTIVE
Ethics moment

βš–οΈ The Detective's Code β€” Session 2

You can now read the hidden parts of a website and even walk into pages you weren't meant to see.

Finding a door unlocked doesn't make it yours to walk through β€” on a real site, that's still breaking in.

If you ever find a real bug by accident, report it. Don't exploit it.

πŸ’¬ Discussion prompt: "You notice your school's grade portal lets you see other students' pages by changing the URL. What do you do?" Walk them to the right answer: stop, screenshot, tell a trusted adult.

Session 3

Passwords & People 🎭

Most attacks don't break code β€” they trick people. Learn how.

SESSION 3 Β· PASSWORDS & PEOPLE
The mission

What students will learn

Most cyber attacks succeed not because someone wrote brilliant code β€” but because they tricked a real person. That's social engineering, and it works because humans are predictable.

SESSION 3 Β· PASSWORDS & PEOPLE
Key concepts to teach

The big ideas

Password entropy Brute force Hashing (SHA-256, MD5) Salt & pepper Phishing red flags OSINT Social engineering

πŸ”‘ The mind-blow moment

Showing how their dog's name + their birth year is not a secure password. Then cracking exactly that pattern live.

🎀 Killer demo

Brute Force Demo on stage: crack a 3-char password instantly, a 5-char one in seconds, an 8-char one in… "this would take 4 years". Each extra char is ~95Γ— harder.

SESSION 3 Β· PASSWORDS & PEOPLE
Activities (open the camp to launch)

What you'll run

⚑ Brute Force Demo β€” visual cracker showing time vs length
10–15 min
🐍 Python Password Projects β€” 4 Colab tasks: login, masking, hashing, strength checker
60–90 min
🦹 Phishing Defender β€” voxel-style game, 50 emails, 5 difficulty tiers
30–45 min
πŸ“§ Phishing Inbox Challenge β€” 10 realistic emails, mark safe/phishing
15–20 min
🎭 Social Engineering Challenge β€” pair work, crack profile passwords from social media
20–30 min
πŸ“ Session 3 Quiz
10–15 min
SESSION 3 Β· PASSWORDS & PEOPLE
Suggested running order

The flow

  1. Brute Force Demo as the opener β€” instant attention grab.
  2. Python Password Projects β€” slow them down. Pair coders with non-coders. Use Colab so nothing to install. (The 4th project, the strength game, is a highlight.)
  3. Phishing Defender β€” game break that's still teaching. Run it as a high-score challenge.
  4. Phishing Inbox Challenge β€” debrief the red flags as a class after.
  5. Social Engineering Challenge β€” pairs. This is the moment kids realise they overshare too.
  6. Quiz β†’ ethics moment.
SESSION 3 Β· PASSWORDS & PEOPLE
Ethics moment

βš–οΈ The Detective's Code β€” Session 3

You now know exactly how attackers craft phishing emails and crack passwords.

You could try this on someone β€” but you mustn't.

This is the same skill as picking a lock: it can protect or harm.

Always choose to protect.

πŸ’¬ Discussion prompt: "If you saw a phishing email being sent in your family WhatsApp, what would you do?" Get them to articulate the right action before they ever face it for real.

Session 4

Secret Codes πŸ”

From Caesar's cipher to the padlock in your browser β€” how secrets stay secret.

SESSION 4 Β· SECRET CODES
The mission

What students will learn

Cryptography is the maths that keeps every message, password and payment safe. Students travel from 2,000-year-old ciphers, through Alan Turing and Enigma, all the way to the public-key crypto behind the padlock in their browser.

SESSION 4 Β· SECRET CODES
Key concepts to teach

The big ideas

Caesar / Atbash / Vigenère Enigma & the Bombe SHA-256 & salt Hash collisions (MD5) Public / private keys (RSA) Digital signatures HTTPS & the TLS handshake WiFi (WEP→WPA3, Evil Twin) End-to-end encryption

πŸ”‘ The mind-blow moment

Public-key crypto: you hand out the padlock to the whole world but keep the key β€” so a total stranger can send you a secret, with no shared password ever.

🎀 Killer demo

In Secret Agent HQ, two students each generate a real keypair, swap public keys, and send an encrypted message across the room that only the recipient can open.

SESSION 4 Β· SECRET CODES
Activities (open the camp to launch)

What you'll run

🌐 Real-World Cryptography β€” where crypto hides: HTTPS, bank chips, WhatsApp, keys (animated)
25 min
πŸ” Crypto Lab β€” Caesar / Atbash / VigenΓ¨re + 6 puzzles to crack
40–50 min
πŸ•΅οΈ Secret Agent HQ β€” make a REAL keypair, send & open encrypted messages (workshop)
35–45 min
βš™οΈ Enigma Lab β€” Turing's story + a working 3-rotor machine you type into (optional)
40 min
🌈 Crypto Hands-On Lab β€” rainbow tables, salt, MD5 collisions, RSA signatures (optional)
40 min
πŸ“‘ WiFi Security Lab Β· 🀝 TLS Handshake Lab β€” secure comms (optional)
25–35 min each
πŸ“ Session 4 Quiz
10–15 min
SESSION 4 Β· SECRET CODES
Suggested running order

The flow

  1. Real-World Cryptography β€” frame it: crypto is everywhere. Play the animated public/private-key demo.
  2. Crypto Lab β€” hands-on ciphers. Race to crack the 6 intercepted messages.
  3. Secret Agent HQ β€” the headline workshop. Pair students up to send real encrypted messages.
  4. Optional extensions β€” Enigma Lab (great story), Crypto Hands-On, WiFi & TLS labs if you have time or as take-home.
  5. Quiz β†’ ethics moment.
SESSION 4 Β· SECRET CODES
Ethics moment

βš–οΈ The Detective's Code β€” Session 4

Cryptography is the one topic that is almost entirely defensive β€” it's what keeps everyone's messages, money and passwords safe.

But codebreaking is powerful too. Turing proved even an "unbreakable" code can fall to a clever enough attacker.

Use these skills to protect secrets β€” never to snoop on people who trust their privacy to crypto.

πŸ’¬ Real-world tie-in: the Bletchley Park codebreakers kept their work secret for 30 years. Their machines became the first computers β€” the same idea powering every device in the room.

Session 5

Attack & Defend βš”οΈ

XSS. DDoS. Broken Access Control. The classics β€” and how to stop them.

SESSION 5 Β· ATTACK & DEFEND
The mission

What students will learn

This is when things get technical. Students use the Candy Shop to launch real attacks: injecting code with XSS, crashing the server with DDoS, sneaking into the admin area without logging in.

Then for every attack β€” they think about the defence.

SESSION 5 Β· ATTACK & DEFEND
Key concepts to teach

Attack & defence pairs

πŸ’‰ XSS (Cross-Site Scripting)

Attack: Inject JS into a site that other users see.

Defence: Escape < and >. Treat all user input as text.

πŸ’₯ DDoS (Denial of Service)

Attack: Overwhelm a server with traffic.

Defence: Rate limiting, CDN, captchas at scale.

πŸšͺ Broken Access Control

Attack: Visit a URL you shouldn't have access to.

Defence: Always check on the server. Never trust the client.

πŸ”‘ Mind-blow moment

The instant the first XSS alert() pops up in their browser from a comment they typed. "I just made the website do this."

SESSION 5 Β· ATTACK & DEFEND
Activities (open the camp to launch)

What you'll run

πŸ’‰ XSS Lab β€” reflected + stored, click-to-copy payloads, embedded Candy Shop
30–40 min
βš”οΈ DDoS Battle Arena β€” pick Hacker or Defender, fight an AI on a world map
15–25 min
βš”οΈπŸ›‘οΈ Defensive Thinking β€” pairs worksheet: attack vs defend each concept
25–35 min
πŸ’₯ DDoS Lab Β· πŸͺ€ Malware Popup Trap Β· πŸ›‘οΈ Scratch DDoS Defender (optional)
15–60 min each
πŸ“ Session 5 Quiz
10–15 min
SESSION 5 Β· ATTACK & DEFEND
Suggested running order

The flow

  1. XSS Lab first. The alert-pop moment is the energy spike β€” ride it.
  2. DDoS Battle Arena β€” let them fight the AI as both hacker and defender. See the asymmetric economics live.
  3. Defensive Thinking worksheet β€” in pairs. This is the most important activity β€” it's where defence gets cemented.
  4. Optional extensions β€” DDoS Lab simulator, Malware Popup Trap, or the Scratch DDoS Defender build (great take-home).
  5. Quiz β†’ ethics moment (one of the most important of the camp).
SESSION 5 Β· ATTACK & DEFEND
Ethics moment β€” make this one count

βš–οΈ The Detective's Code β€” Session 5

You've learned skills that could be used to harm real websites.

Doing this on a real website without permission is illegal and can get you in serious trouble.

Companies run bug bounty programmes so you can use these skills legally β€” and even get paid for them.

πŸ’¬ Real-world tie-in: tell them about the teenager who hacked Uber and got paid $10,000 by Uber's bug bounty programme. Then about a different teenager who hacked TalkTalk for fun and went to prison. Same skill. Different choice.

Session 6 Β· Grand Finale

AI Frontier & Finale πŸ€–πŸ†

How AI is changing cyber security. Then the team Capture the Flag.

SESSION 6 Β· AI FRONTIER & FINALE
The mission

What students will learn

AI changes everything in cyber security. Scams more convincing. Deepfakes more realistic. Password cracking faster. But AI also helps defenders spot attacks they'd otherwise miss.

This morning: spot AI-powered attacks. This afternoon: the team CTF.

SESSION 6 Β· AI FRONTIER & FINALE
Key concepts to teach

The AI & cyber intersection

Generative AI (faces, voices, scenes) Deepfake red flags AI phishing C2PA / Content Credentials SynthID Glaze Personal deepfakes & consent CTF strategy

πŸ”‘ Mind-blow moment

Personal Deepfakes "What Would You Do?" β€” when the scenarios get personal, the room goes quiet. They get it.

🎀 Killer demo

Open any AI-generated face website mid-lesson and walk through the 6 tells together. Hands, ears, glasses, jewellery, teeth, background text.

SESSION 6 Β· AI FRONTIER & FINALE
Activities (open the camp to launch)

What you'll run

πŸ•΅οΈ Deepfake Detective β€” 8 rounds of face-fake spotting
15–20 min
πŸ›‘οΈ What Would You Do? β€” decision-tree personal-deepfake scenarios
25–30 min
πŸ™οΈ Detective: Places Β· πŸ” Where's the Fake? Β· πŸ€– AI vs Human Phishing Β· πŸ“œ Content Credentials (optional)
15–40 min each
🏴 The Grand Capture the Flag β€” teams of 3–4, find all 16 flags
60–90 min
πŸŽ“ Cyber Defender Certificate β€” print & award
5 min
SESSION 6 Β· AI FRONTIER & FINALE
Running the Capture the Flag

🏴 The Grand CTF β€” rules

πŸ“‹ Setup

  • Teams of 3–4 students
  • Each team picks a name + cyber-themed mascot emoji
  • One Candy Shop tab per team
  • Teacher tracks scores on whiteboard

🎯 Scoring

  • 16 flags hidden across the Candy Shop
  • Each flag = 10 points
  • Asking for a hint = -3 points
  • First team to find all 16 gets +20 bonus

⏱️ Time

  • 60–90 minutes
  • Halfway: 5-min "all teams pause, share one tip"
  • Last 10 min: prompt the teams with biggest gaps

πŸ† Prizes

  • Winning team: gold star on certificate
  • Everyone: Cyber Security Explorer certificate
  • Optional: small chocolate prize 🍫
SESSION 6 Β· AI FRONTIER & FINALE
Ethics moment β€” the most important one

βš–οΈ The Detective's Code β€” Session 6

You can now spot deepfakes and AI-written phishing.

But never make fake images of real people.

It can genuinely hurt them β€” and it's against the law in many places, including the UK.

Use these skills to check, never to create.

πŸ’¬ UK context: the Online Safety Act (2023) made it illegal to share AI-generated intimate images without consent. Kids should know this. If they're ever sent or asked to make one β€” the answer is no, and there are real adults to tell.

CODE KIDS
Closing the camp

πŸ… The wrap-up

1. Awards ceremony

Hand out the Cyber Security Explorer certificate to every student. Use certificate.html β€” print to A4 landscape. Add the student's name in advance or fill in on the day.

2. The four take-aways

Ask each student to name one thing they'll do differently after camp. Aim for: stronger password, check email senders, inspect-element a website at home, talk to family about deepfakes.

3. The take-home challenges

Promote the 3 Minecraft worlds: Cryptic Ciphers, Malware Mayhem, Daring Defense. Tell them: bring back a screenshot of completion for a camp badge.

4. Where next

Show the Resources tab on the camp home. Real programmes they can join now: TryHackMe, PicoCTF, HackerOne, Cyber Discovery (UK).

Thank you πŸ™

You just taught the next generation of defenders.

Found a bug, an idea, or a great moment from camp?

Tell the Code Kids team β€” we'll fold it into the next version.

1 / 42
← β†’ navigate Β· F fullscreen Β· O overview Β· Cmd+P print