π‘οΈ Code Kids
Cyber Camp
Teacher Presentation Pack
A 4-session hands-on cyber security course for ages 10β12
Think like a hacker. Defend like a hero.
CODE KIDS
Read me first
π How to use these slides
π― What this deck is
42 slides covering all 6 sessions. One narrative arc per session: Mission β Concepts β Activities β Flow β Ethics.
Designed to be projected during teaching, with the camp open in another tab.
β¨οΈ Controls
- β β Next / previous slide
- F Toggle fullscreen
- O or Esc Overview grid
- Cmd+P Print to PDF
π Live demo integration
Whenever you see an activity name, you can open it live by hitting Cmd+Tab back to the camp and clicking through.
β οΈ Important
Start the camp before presenting: double-click START_HERE.command (Mac) or .bat (Windows). The launcher window must stay open.
CODE KIDS
Course at a glance
The 6 sessions
Session 1 Β· Cyber Foundations π‘οΈ
~90 min core Β· Beginner
What cyber security really is. The CIA triad, hacker hats, and DevTools β reading any website's secrets.
Session 2 Β· Web Detective π
~110 min core Β· Beginner
Hunt 15 hidden flags in the Candy Shop. Read URLs like a hacker. Build a Python page-scanner.
Session 3 Β· Passwords & People π
~105 min core Β· Beginner
Most attacks trick people, not code. Passwords, hashing, phishing, social engineering.
Session 4 Β· Secret Codes π
~125 min core Β· BeginnerβIntermediate
Ancient ciphers to modern crypto. Enigma, hashing, RSA public/private keys, HTTPS, WiFi & TLS.
Session 5 Β· Attack & Defend βοΈ
~110 min core Β· Intermediate
XSS, DDoS, Broken Access Control β the classic web attacks, and how to stop each one.
Session 6 Β· AI Frontier & Finale π€π
~170 min Β· Bring everything
Spot deepfakes & AI phishing. Then the team Capture the Flag finale + certificates.
Each session has a core spine (the times above) plus optional extension activities β do those if you have time, or send them home.
CODE KIDS
The foundation of everything
βοΈ The Detective's Code
We teach skills that could be misused. Every session ends with an ethics moment. Make them feel like inducted detectives, not bad actors.
The four rules we keep returning to
- Only test on sites you own or sites that invite testing (the Candy Shop, practice CTFs, bug-bounty programmes).
- Doing this on a real site without permission is illegal β and easy to trace.
- If you find a bug accidentally, report it. Don't exploit it.
- Use these powers to defend, not to harm.
Tip for teachers: the kids will see this as the most exciting bit. Channel that. Mention bug bounty programmes β companies that pay them legally to find what they just learned.
Session 1
Cyber Foundations π‘οΈ
What cyber security really is β and how to see the invisible.
SESSION 1 Β· CYBER FOUNDATIONS
The mission
What students will learn
Before any hacking, students learn what cyber security actually is β and pick up the browser superpower every detective needs: Inspect Element.
- What cyber security means, and why every connected device is a target
- The CIA triad β Confidentiality, Integrity, Availability
- White-hat, grey-hat and black-hat hackers β and which one they're becoming
- How to open Developer Tools in any browser and read a page's blueprints
- The Detective's Code oath β the ethics that run through the whole camp
SESSION 1 Β· CYBER FOUNDATIONS
Key concepts to teach
The core ideas
What is cyber security
The CIA triad
White / grey / black hats
Connected devices & IoT
DevTools / Inspect Element
Hidden HTML comments
The Detective's Code
π The mind-blow moment
When kids realise everything in a website is visible to them β including things developers thought were secret.
π€ Killer demo
Open bbc.co.uk live. Right-click a headline β Inspect β change it. Screenshot. "This is how every fake-news screenshot online is made."
SESSION 1 Β· CYBER FOUNDATIONS
Activities (open the camp to launch)
What you'll run
π What is cyber security? β 4 hands-on missions: connected world, CIA triad, hats, the oath
15β20 min
π¬ DevTools Academy β 5-mission warm-up + bonus hack-3-real-websites gallery
50β60 min
π Tour the Candy Shop β guided walk through the 5 pages, find your first flag
15 min
π Session 1 Quiz β solo, Gorilla Games mechanic
10β15 min
SESSION 1 Β· CYBER FOUNDATIONS
Suggested running order
The flow
- What is cyber security? β set the scene with the animated lesson. Land the CIA triad and the hats.
- Open with the killer demo β edit the BBC homepage live in front of the class.
- DevTools Academy β kids do the 5 missions on their own laptops. Pair fast finishers with slower ones.
- Candy Shop tour β walk the shop together, find the first flag, preview what's coming.
- Quiz β close the loop, then the Detective's Code oath.
SESSION 1 Β· CYBER FOUNDATIONS
Ethics moment
βοΈ The Detective's Code β Session 1
Inspect Element is genuinely powerful. With it, you can see the secret parts of any website.
With great power comes responsibility β only use this on:
- Practice sites like the Candy Shop
- Sites you own
- Sites that explicitly invite testing (bug-bounty programmes)
π¬ Real-world tie-in: mention HackerOne and Bugcrowd β kids can earn real money legally doing exactly what they just learned, on companies that want them to find bugs.
Session 2
Web Detective π
Peek behind the curtain β hunt the hidden secrets in a real website.
SESSION 2 Β· WEB DETECTIVE
The mission
What students will learn
Armed with DevTools from Session 1, students go hunting. The Candy Shop is a deliberately broken online shop stuffed with 15 hidden flags β and they'll learn to read a website like a detective reads a crime scene.
- How hidden comments, attributes and form inputs leak secrets
- How to read a URL and spot dangerous query parameters
- What Broken Access Control is (visiting an admin URL without logging in)
- Where websites stash data β cookies and LocalStorage
- How to automate the whole hunt with a short Python script
SESSION 2 Β· WEB DETECTIVE
Key concepts to teach
The big ideas
HTML structure
Hidden HTML comments
Hidden form inputs
URL query parameters
Cookies & LocalStorage
Broken Access Control
CTF flags / FLAG{...}
Python + regex scanning
π The mind-blow moment
Changing ?role=user to ?role=admin in the URL β and the admin page justβ¦ opens. "Wait, that's it?"
π€ Killer demo
Find the first Candy Shop flag together in the page source, then race the class to flag #10.
SESSION 2 Β· WEB DETECTIVE
Activities (open the camp to launch)
What you'll run
π Candy Shop + Hunt Guide β find 15 hidden flags with progressive hints
45β60 min
π URL Lab β anatomy of a URL + the Broken Access Control mission
25β35 min
π Python HTML Detective β Colab notebook, regex-scan any page (optional / take-home)
45β60 min
π Session 2 Quiz
10β15 min
SESSION 2 Β· WEB DETECTIVE
Suggested running order
The flow
- Candy Shop Hunt β open the Hunt Guide alongside the Candy Shop. Make it competitive (first to 10 flags!).
- URL Lab β quick teaching on URL anatomy, then the Broken Access Control mission together.
- Python HTML Detective β for kids ready to code. Show how it automates the manual hunting. (Optional β great take-home.)
- Quiz β close the loop. Then the ethics moment.
SESSION 2 Β· WEB DETECTIVE
Ethics moment
βοΈ The Detective's Code β Session 2
You can now read the hidden parts of a website and even walk into pages you weren't meant to see.
Finding a door unlocked doesn't make it yours to walk through β on a real site, that's still breaking in.
If you ever find a real bug by accident, report it. Don't exploit it.
π¬ Discussion prompt: "You notice your school's grade portal lets you see other students' pages by changing the URL. What do you do?" Walk them to the right answer: stop, screenshot, tell a trusted adult.
Session 3
Passwords & People π
Most attacks don't break code β they trick people. Learn how.
SESSION 3 Β· PASSWORDS & PEOPLE
The mission
What students will learn
Most cyber attacks succeed not because someone wrote brilliant code β but because they tricked a real person. That's social engineering, and it works because humans are predictable.
- What makes a password strong (or terrible)
- How a brute-force attack actually works
- The basics of cryptographic hashing β and why websites store hashes, not passwords
- How to spot phishing emails in 5 seconds or less
- What OSINT is and how scammers use social media against you
SESSION 3 Β· PASSWORDS & PEOPLE
Key concepts to teach
The big ideas
Password entropy
Brute force
Hashing (SHA-256, MD5)
Salt & pepper
Phishing red flags
OSINT
Social engineering
π The mind-blow moment
Showing how their dog's name + their birth year is not a secure password. Then cracking exactly that pattern live.
π€ Killer demo
Brute Force Demo on stage: crack a 3-char password instantly, a 5-char one in seconds, an 8-char one in⦠"this would take 4 years". Each extra char is ~95à harder.
SESSION 3 Β· PASSWORDS & PEOPLE
Activities (open the camp to launch)
What you'll run
β‘ Brute Force Demo β visual cracker showing time vs length
10β15 min
π Python Password Projects β 4 Colab tasks: login, masking, hashing, strength checker
60β90 min
π¦Ή Phishing Defender β voxel-style game, 50 emails, 5 difficulty tiers
30β45 min
π§ Phishing Inbox Challenge β 10 realistic emails, mark safe/phishing
15β20 min
π Social Engineering Challenge β pair work, crack profile passwords from social media
20β30 min
π Session 3 Quiz
10β15 min
SESSION 3 Β· PASSWORDS & PEOPLE
Suggested running order
The flow
- Brute Force Demo as the opener β instant attention grab.
- Python Password Projects β slow them down. Pair coders with non-coders. Use Colab so nothing to install. (The 4th project, the strength game, is a highlight.)
- Phishing Defender β game break that's still teaching. Run it as a high-score challenge.
- Phishing Inbox Challenge β debrief the red flags as a class after.
- Social Engineering Challenge β pairs. This is the moment kids realise they overshare too.
- Quiz β ethics moment.
SESSION 3 Β· PASSWORDS & PEOPLE
Ethics moment
βοΈ The Detective's Code β Session 3
You now know exactly how attackers craft phishing emails and crack passwords.
You could try this on someone β but you mustn't.
This is the same skill as picking a lock: it can protect or harm.
Always choose to protect.
π¬ Discussion prompt: "If you saw a phishing email being sent in your family WhatsApp, what would you do?" Get them to articulate the right action before they ever face it for real.
Session 4
Secret Codes π
From Caesar's cipher to the padlock in your browser β how secrets stay secret.
SESSION 4 Β· SECRET CODES
The mission
What students will learn
Cryptography is the maths that keeps every message, password and payment safe. Students travel from 2,000-year-old ciphers, through Alan Turing and Enigma, all the way to the public-key crypto behind the padlock in their browser.
- Classic ciphers β Caesar, Atbash and VigenΓ¨re β and how to crack them
- Alan Turing, Enigma and the Bombe β the birth of modern computing
- Hashing, salt and digital signatures (the modern toolkit)
- The magic of public / private keys β sending secrets with no shared password
- Where crypto actually lives: HTTPS, WiFi security and the TLS handshake
SESSION 4 Β· SECRET CODES
Key concepts to teach
The big ideas
Caesar / Atbash / Vigenère
Enigma & the Bombe
SHA-256 & salt
Hash collisions (MD5)
Public / private keys (RSA)
Digital signatures
HTTPS & the TLS handshake
WiFi (WEPβWPA3, Evil Twin)
End-to-end encryption
π The mind-blow moment
Public-key crypto: you hand out the padlock to the whole world but keep the key β so a total stranger can send you a secret, with no shared password ever.
π€ Killer demo
In Secret Agent HQ, two students each generate a real keypair, swap public keys, and send an encrypted message across the room that only the recipient can open.
SESSION 4 Β· SECRET CODES
Activities (open the camp to launch)
What you'll run
π Real-World Cryptography β where crypto hides: HTTPS, bank chips, WhatsApp, keys (animated)
25 min
π Crypto Lab β Caesar / Atbash / VigenΓ¨re + 6 puzzles to crack
40β50 min
π΅οΈ Secret Agent HQ β make a REAL keypair, send & open encrypted messages (workshop)
35β45 min
βοΈ Enigma Lab β Turing's story + a working 3-rotor machine you type into (optional)
40 min
π Crypto Hands-On Lab β rainbow tables, salt, MD5 collisions, RSA signatures (optional)
40 min
π‘ WiFi Security Lab Β· π€ TLS Handshake Lab β secure comms (optional)
25β35 min each
π Session 4 Quiz
10β15 min
SESSION 4 Β· SECRET CODES
Suggested running order
The flow
- Real-World Cryptography β frame it: crypto is everywhere. Play the animated public/private-key demo.
- Crypto Lab β hands-on ciphers. Race to crack the 6 intercepted messages.
- Secret Agent HQ β the headline workshop. Pair students up to send real encrypted messages.
- Optional extensions β Enigma Lab (great story), Crypto Hands-On, WiFi & TLS labs if you have time or as take-home.
- Quiz β ethics moment.
SESSION 4 Β· SECRET CODES
Ethics moment
βοΈ The Detective's Code β Session 4
Cryptography is the one topic that is almost entirely defensive β it's what keeps everyone's messages, money and passwords safe.
But codebreaking is powerful too. Turing proved even an "unbreakable" code can fall to a clever enough attacker.
Use these skills to protect secrets β never to snoop on people who trust their privacy to crypto.
π¬ Real-world tie-in: the Bletchley Park codebreakers kept their work secret for 30 years. Their machines became the first computers β the same idea powering every device in the room.
Session 5
Attack & Defend βοΈ
XSS. DDoS. Broken Access Control. The classics β and how to stop them.
SESSION 5 Β· ATTACK & DEFEND
The mission
What students will learn
This is when things get technical. Students use the Candy Shop to launch real attacks: injecting code with XSS, crashing the server with DDoS, sneaking into the admin area without logging in.
Then for every attack β they think about the defence.
- What Cross-Site Scripting (XSS) is, and how to perform a basic injection
- The difference between reflected and stored XSS
- How a DDoS attack overwhelms a server (and what a botnet is)
- What Broken Access Control looks like in real apps
- For every attack β the defence (input sanitisation, rate limiting, server-side checks)
SESSION 5 Β· ATTACK & DEFEND
Key concepts to teach
Attack & defence pairs
π XSS (Cross-Site Scripting)
Attack: Inject JS into a site that other users see.
Defence: Escape < and >. Treat all user input as text.
π₯ DDoS (Denial of Service)
Attack: Overwhelm a server with traffic.
Defence: Rate limiting, CDN, captchas at scale.
πͺ Broken Access Control
Attack: Visit a URL you shouldn't have access to.
Defence: Always check on the server. Never trust the client.
π Mind-blow moment
The instant the first XSS alert() pops up in their browser from a comment they typed. "I just made the website do this."
SESSION 5 Β· ATTACK & DEFEND
Activities (open the camp to launch)
What you'll run
π XSS Lab β reflected + stored, click-to-copy payloads, embedded Candy Shop
30β40 min
βοΈ DDoS Battle Arena β pick Hacker or Defender, fight an AI on a world map
15β25 min
βοΈπ‘οΈ Defensive Thinking β pairs worksheet: attack vs defend each concept
25β35 min
π₯ DDoS Lab Β· πͺ€ Malware Popup Trap Β· π‘οΈ Scratch DDoS Defender (optional)
15β60 min each
π Session 5 Quiz
10β15 min
SESSION 5 Β· ATTACK & DEFEND
Suggested running order
The flow
- XSS Lab first. The alert-pop moment is the energy spike β ride it.
- DDoS Battle Arena β let them fight the AI as both hacker and defender. See the asymmetric economics live.
- Defensive Thinking worksheet β in pairs. This is the most important activity β it's where defence gets cemented.
- Optional extensions β DDoS Lab simulator, Malware Popup Trap, or the Scratch DDoS Defender build (great take-home).
- Quiz β ethics moment (one of the most important of the camp).
SESSION 5 Β· ATTACK & DEFEND
Ethics moment β make this one count
βοΈ The Detective's Code β Session 5
You've learned skills that could be used to harm real websites.
Doing this on a real website without permission is illegal and can get you in serious trouble.
Companies run bug bounty programmes so you can use these skills legally β and even get paid for them.
π¬ Real-world tie-in: tell them about the teenager who hacked Uber and got paid $10,000 by Uber's bug bounty programme. Then about a different teenager who hacked TalkTalk for fun and went to prison. Same skill. Different choice.
Session 6 Β· Grand Finale
AI Frontier & Finale π€π
How AI is changing cyber security. Then the team Capture the Flag.
SESSION 6 Β· AI FRONTIER & FINALE
The mission
What students will learn
AI changes everything in cyber security. Scams more convincing. Deepfakes more realistic. Password cracking faster. But AI also helps defenders spot attacks they'd otherwise miss.
This morning: spot AI-powered attacks. This afternoon: the team CTF.
- How AI helps defenders β pattern detection, email filtering, threat prediction
- How AI helps attackers β deepfakes, AI phishing, voice cloning
- How to spot a deepfake β the 6 tell-tale signs
- What Content Credentials (C2PA) and SynthID are β the future of image trust
- How to apply everything from this course in a competitive team CTF
SESSION 6 Β· AI FRONTIER & FINALE
Key concepts to teach
The AI & cyber intersection
Generative AI (faces, voices, scenes)
Deepfake red flags
AI phishing
C2PA / Content Credentials
SynthID
Glaze
Personal deepfakes & consent
CTF strategy
π Mind-blow moment
Personal Deepfakes "What Would You Do?" β when the scenarios get personal, the room goes quiet. They get it.
π€ Killer demo
Open any AI-generated face website mid-lesson and walk through the 6 tells together. Hands, ears, glasses, jewellery, teeth, background text.
SESSION 6 Β· AI FRONTIER & FINALE
Activities (open the camp to launch)
What you'll run
π΅οΈ Deepfake Detective β 8 rounds of face-fake spotting
15β20 min
π‘οΈ What Would You Do? β decision-tree personal-deepfake scenarios
25β30 min
ποΈ Detective: Places Β· π Where's the Fake? Β· π€ AI vs Human Phishing Β· π Content Credentials (optional)
15β40 min each
π΄ The Grand Capture the Flag β teams of 3β4, find all 16 flags
60β90 min
π Cyber Defender Certificate β print & award
5 min
SESSION 6 Β· AI FRONTIER & FINALE
Running the Capture the Flag
π΄ The Grand CTF β rules
π Setup
- Teams of 3β4 students
- Each team picks a name + cyber-themed mascot emoji
- One Candy Shop tab per team
- Teacher tracks scores on whiteboard
π― Scoring
- 16 flags hidden across the Candy Shop
- Each flag = 10 points
- Asking for a hint = -3 points
- First team to find all 16 gets +20 bonus
β±οΈ Time
- 60β90 minutes
- Halfway: 5-min "all teams pause, share one tip"
- Last 10 min: prompt the teams with biggest gaps
π Prizes
- Winning team: gold star on certificate
- Everyone: Cyber Security Explorer certificate
- Optional: small chocolate prize π«
SESSION 6 Β· AI FRONTIER & FINALE
Ethics moment β the most important one
βοΈ The Detective's Code β Session 6
You can now spot deepfakes and AI-written phishing.
But never make fake images of real people.
It can genuinely hurt them β and it's against the law in many places, including the UK.
Use these skills to check, never to create.
π¬ UK context: the Online Safety Act (2023) made it illegal to share AI-generated intimate images without consent. Kids should know this. If they're ever sent or asked to make one β the answer is no, and there are real adults to tell.
CODE KIDS
Closing the camp
π
The wrap-up
1. Awards ceremony
Hand out the Cyber Security Explorer certificate to every student. Use certificate.html β print to A4 landscape. Add the student's name in advance or fill in on the day.
2. The four take-aways
Ask each student to name one thing they'll do differently after camp. Aim for: stronger password, check email senders, inspect-element a website at home, talk to family about deepfakes.
3. The take-home challenges
Promote the 3 Minecraft worlds: Cryptic Ciphers, Malware Mayhem, Daring Defense. Tell them: bring back a screenshot of completion for a camp badge.
4. Where next
Show the Resources tab on the camp home. Real programmes they can join now: TryHackMe, PicoCTF, HackerOne, Cyber Discovery (UK).
Thank you π
You just taught the next generation of defenders.
Found a bug, an idea, or a great moment from camp?
Tell the Code Kids team β we'll fold it into the next version.