Submitted:
02 June 2026
Posted:
18 June 2026
You are already at the latest version
Abstract
Keywords:
1. Introduction
- to present the design and implementation of MoonPhase as a portable cybersecurity artefact explicitly conceived for engineering education contexts;
- to articulate a conceptual instructional framework that links the device’s offensive, defensive and educational modes to learning outcomes, classroom activities and ethical reflection;
- to propose an evaluation framework for future classroom studies, including research questions, instruments and implementation scenarios for investigating the educational value of MoonPhase.
2. Related Work
2.1. Systematic Review on Portable Cybersecurity Devices
2.2. Educational Approaches in Cybersecurity
2.3. State of the Art in Portable Cybersecurity Devices
3. MoonPhase Device
3.1. Overview

3.2. Hardware Architecture

- a 1.3” OLED display based on the SH1106 controller, connected via I2C, used to present menus, system states, scan results and other real-time information;
3.3. Software Architecture
- a user interface module, which manages screen rendering and navigation;
- RF and IR modules, which encapsulate signal capture, replay, scanning and interference routines;
- a network tools module, which wraps calls to Nmap and related utilities.
3.4. Functional Modes
- creation of a fake Wi-Fi access point with captive portal for phishing demonstrations, implemented using hostapd, dnsmasq and a lightweight web server;
- capture and replay of OOK signals in the 433 MHz band, targeting simple IoT devices;
- network scanning using Nmap to identify hosts and services in local networks;
4. Instructional Design and Curricular Integration
4.1. Design Principles
- identifying and explaining common vulnerabilities in wireless networks and IoT devices;
- interpreting results from network scanning and RF activity monitoring under conditions of incomplete information;
- analysing the ethical and legal implications of attacks such as phishing and replay, and articulating responsible courses of action in ambiguous situations.
4.2. Integration into Engineering Curricula
4.2.1. Example Multi-Week Sequence
4.3. Workshops and Outreach Activities
4.4. Risk Management and Ethical Guidelines
5. Evaluation Framework and Discussion
5.1. Planned Evaluation Approach
- Pre- and post-tests, to measure changes in cybersecurity literacy and conceptual understanding of topics such as wireless vulnerabilities, replay attacks and phishing;
- Questionnaires, to capture student motivation, perceived usefulness, perceived authenticity of the learning activities and sense of professional responsibility when operating offensive tools;
- Rubrics for lab work, to assess the quality of lab reports, practical tasks carried out using MoonPhase and the depth of students’ reflections on ethical and socio-technical aspects;
- Optional focus groups or interviews, to collect qualitative feedback on how students experience uncertainty, complexity and ethical dilemmas in MoonPhase-based activities.
5.2. Study Designs and Research Questions
- RQ1: To what extent does the use of MoonPhase improve students’ understanding of wireless security concepts and attack/defence mechanisms?
- RQ2: How does MoonPhase influence students’ engagement and perceived authenticity of cybersecurity learning activities, compared with more traditional labs?
- RQ3: How do students perceive their ethical responsibilities and professional role when using offensive capabilities in a controlled educational setting?
5.3. Expected Benefits and Challenges
- internal validity issues such as novelty effects and instructor enthusiasm;
- external validity limitations due to single-institution studies or specific curricular settings;
- construct validity concerns related to how well tests and questionnaires capture constructs such as cybersecurity literacy or ethical awareness.
6. Conclusions and Future Work
Author Contributions
Funding
Informed Consent Statement
Acknowledgments
Conflicts of Interest
References
- Aly, A., Mansour, E., & Youssef, A. (2025). OCR-APT: Reconstructing APT Stories from Audit Logs using Subgraph Anomaly Detection and LLMs. In Proceedings of the 2025 acm sigsac conference on computer and communications security (p. 261–275). New York, NY, USA: Association for Computing Machinery. [CrossRef]
- Dougherty, D. (2025). Hacking the planet from your pocket. https://makethings.make.co/p/hacking-the-planet-from-your-pocket. (Accessed: 2026-05-21).
- Eman Hammad, J. N., & Romero, J. (2022, August). Towards Goal-Oriented Experiential Learning for Cybersecurity Programs. In 2022 asee annual conference & exposition. Minneapolis, MN: ASEE Conferences. (https://peer.asee.org/41687).
- European Union Agency for Cybersecurity. (2025). Enisa threat landscape 2025 (Tech. Rep.). ENISA. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 (accessed on 2026-05-21).
- Europol. (2024). Internet organised crime threat assessment (iocta) 2023 (Tech. Rep.). European Union Agency for Law Enforcement Cooperation. Available online: https://www.europol.europa.eu/publication-events/main-reports/internet-organised-crime-threat-assessment-iocta-2023 (accessed on 2026-05-21).
- Evilsocket. (2023). Pwnagotchi: Deep reinforcement learning wi-fi hacking. https://pwnagotchi.ai/. (Accessed: 2026-05-21).
- Flipper Devices Inc. (2023). Flipper zero documentation. https://docs.flipperzero.one/. (Accessed: 2026-05-21).
- Happe, A., & Cito, J. (2023). Understanding Hackers’ Work: An Empirical Study of Offensive Security Practitioners. In Proceedings of the 31st acm joint european software engineering conference and symposium on the foundations of software engineering (p. 1669–1680). New York, NY, USA: Association for Computing Machinery. [CrossRef]
- LilyGO. (2023). T-embed esp32 board and open-source repository. https://github.com/Xinyuan-LilyGO. (Accessed: 2026-05-21).
- Luh, R., Eresheim, S., Tavolato, P., Petelin, T., Gmeiner, S., Holzinger, A., & Schrittwieser, S. (2025). Gamifying information security: Adversarial risk exploration for IT/OT infrastructures. Computers & Security, 151, 104287. [CrossRef]
- Moher, D., Liberati, A., Tetzlaff, J., & Altman, D. G. (2009). Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA Statement. PLOS Medicine, 6(7), e1000097. [CrossRef]
- Narain, S., Rayavaram, P., Morales-Gonzalez, C., Harper, M., Abbasalizadeh, M., Vellamchety, K., & Fu, X. (2025). Practical Cybersecurity Education: A Course Model Using Experiential Learning Theory., 819–825. [CrossRef]
- Nguyen, T., Chen, Z., Hasegawa, K., Fukushima, K., & Beuran, R. (2024). PenGym: Pentesting Training Framework for Reinforcement Learning Agents. In Proceedings of the 10th international conference on information systems security and privacy - icissp (p. 498-509). SciTePress. [CrossRef]
- Pantelakis, V., Bountakas, P., Farao, A., & Xenakis, C. (2023). Adversarial Machine Learning Attacks on Multiclass Classification of IoT Network Traffic. In Proceedings of the 18th international conference on availability, reliability and security. New York, NY, USA: Association for Computing Machinery. [CrossRef]
- Pawlicka, A., Tomaszewska, R., Krause, E., Jaroszewska-Choraś, D., Pawlicki, M., & Choraś, M. (2023). Has the Pandemic Made Us More Digitally Literate? Journal of Ambient Intelligence and Humanized Computing, 14(11), 14721–14731. [CrossRef]
- Peruma, A., Malachowsky, S., & Krutz, D. (2018). Providing an Experiential Cybersecurity Learning Experience through Mobile Security Labs. In 2018 ieee/acm 1st international workshop on security awareness from design to deployment (sead) (p. 51-54). [CrossRef]
- Phuong, C., Saied, N., & Yang, L. (2023, 10). A Hands-on Education Framework for Cybersecurity., 1-5. [CrossRef]
- Rege, A. (2015). Multidisciplinary Experiential Learning for Holistic Cybersecurity Education, Research and Evaluation. In Proceedings of the 2015 usenix summit on gaming, games, and gamification in security education (3gse). Available online: https://www.usenix.org/conference/3gse15/summit-program/presentation/rege (accessed on 2026-05-21).
- Silva, R. L. d. (2026a). Desenvolvimento de dispositivo portátil multifuncional para cibersegurança: Perspetiva ofensiva, defensiva e educativa — projeto i. (Project I report, Escola Superior de Tecnologia, Instituto Politécnico de Castelo Branco).
- Silva, R. L. d. (2026b). Desenvolvimento de dispositivo portátil multifuncional para cibersegurança: Perspetiva ofensiva, defensiva e educativa — projeto ii. (Project II report, Escola Superior de Tecnologia, Instituto Politécnico de Castelo Branco).
- Skandylas, C., & Asplund, M. (2025). Automated penetration testing: Formalization and realization. Computers & Security, 155, 104454. [CrossRef]
- Venturi, A., Andreolini, M., Marchetti, M., & Colajanni, M. (2024). Assessing generalizability of Deep Reinforcement Learning algorithms for Automated Vulnerability Assessment and Penetration Testing. Array, 24, 100365. [CrossRef]
- Yaacoub, E., Al-Asaad, H., Salloum, G., & Sharafeddine, S. (2023). Lightweight Security Mechanisms for Federated Learning in IoT Systems. IEEE Internet of Things Journal, 10(18), 16245–16258. [CrossRef]

| Study | Technology context | Orientation | Main contribution |
|---|---|---|---|
| Skandylas Asplund (2025) | Automated pentesting platforms | Offensive | Proposes ADAPT, a formalised architecture that automates planning and execution of penetration tests using tools such as Metasploit and sqlmap in realistic network environments. |
| Venturi et al. (2024) | Raspberry Pi; VAPT testbed | Offensive | Evaluates the ability of DRL agents (e.g., A2C, PPO, DQN) deployed on low-cost hardware to generalise VAPT strategies to previously unseen hosts and vulnerability configurations. |
| Phuong et al. (2023) | Portable devices in IT/OT workshops | Educational | Reports on hands-on workshops using a real cyber-physical production system to improve participants’ understanding of industrial cybersecurity risks and mitigation practices. |
| Nguyen et al. (2024) | Realistic RL pentesting environment | Offensive | Introduces PenGym, an environment that combines real hosts and tools (Nmap, Metasploit, CyRIS) to train RL-based pentesting agents and reduce the gap between simulation and practice. |
| Yaacoub et al. (2023) | IoT; ESP32; federated learning | Defensive | Surveys security threats and countermeasures for federated learning in IoT deployments, highlighting lightweight mechanisms suitable for constrained devices such as ESP32 nodes. |
| Pantelakis et al. (2023) | Real-time AI-based detection | Defensive | Presents adversarial training and online detection mechanisms that strengthen machine-learning models against sophisticated attacks in dynamic environments. |
| Luh et al. (2025) | Gamified IT/OT environments | Educational | Describes a serious-game framework for exploring information security risks in cyber-physical infrastructures, supporting adversarial risk exploration in a controlled setting. |
| Happe Cito (2023) | Real-world offensive practice | Offensive | Provides an empirical analysis of offensive security professionals’ practices, tools and cognitive strategies, highlighting adaptability and strategic reasoning in real pentesting work. |
| Aly et al. (2025) | Audit logs; GNNs; LLM-based analysis | Defensive | Combines graph-based anomaly detection with large language models to reconstruct human-readable narratives of advanced persistent threats from system audit logs. |
| Stage | Duration | Activity |
|---|---|---|
| 1 | 10 min | Theoretical recap and learning outcomes |
| 2 | 20 min | Demonstration of Wi-Fi scan and fake AP |
| 3 | 25 min | Guided Nmap and signal capture exercise |
| 4 | 20 min | Group reflection on risks and mitigation |
| 5 | 15 min | Short quiz and feedback collection |
| Week | Focus | Main MoonPhase activities |
|---|---|---|
| 1 | Concepts & demo | Instructor-led demos of scans, fake AP and OOK replay |
| 2 | Guided practice | Students follow structured lab scripts in small groups |
| 3 | Semi-open tasks | Groups design and execute constrained attack/defence scenarios |
| 4 | Reflection & ethics | Reporting, peer discussion and ethical case analysis |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).