Preprint
Article

This version is not peer-reviewed.

MoonPhase: A Conceptual and Instructional Framework for Portable Experiential Cybersecurity Learning in Engineering Education

Submitted:

02 June 2026

Posted:

18 June 2026

You are already at the latest version

Abstract
In an age of pervasive connectivity and rapidly evolving cyber threats, cybersecurity has become a transversal competency in engineering education rather than a niche specialism. This paper presents MoonPhase, a multifunctional portable device based on a Raspberry Pi platform, designed to support experiential cybersecurity learning in engineering education contexts by integrating offensive, defensive and educational modes into a single physical artefact. The work builds on a PRISMA-based systematic literature review and a state-of-the-art analysis of portable cybersecurity tools to derive design requirements that balance realism, safety and pedagogical alignment. MoonPhase combines sub-GHz replay capabilities, 2.4 GHz interference and monitoring, fake Wi-Fi access points, packet sniffing and network scanning in a compact, menu-driven platform that can be deployed in regular laboratories and outreach workshops. The paper describes the hardware and software architecture of the device and, more importantly, its instructional framing, outlining learning outcomes, example lab sessions and assessment strategies focused on cybersecurity literacy, systems thinking and ethical awareness. This study reports on the design and implementation of MoonPhase and presents a detailed conceptual and evaluation framework; empirical evidence from classroom deployments will be addressed in subsequent work. The device is positioned as a replicable open educational resource that brings students closer to realistic attack and defence scenarios in controlled settings.
Keywords: 
;  ;  ;  ;  

1. Introduction

Engineering education increasingly takes place in a world characterised by uncertainty, complexity and tightly coupled socio-technical systems. Cyber-physical infrastructures, ubiquitous wireless communication and pervasive Internet of Things (IoT) deployments expose societies to novel forms of risk, including large-scale cyberattacks, data breaches and disruptions of essential services European Union Agency for Cybersecurity (2025); Europol (2024). In this context, cybersecurity is no longer an optional specialisation but a transversal competency that cuts across engineering disciplines, requiring graduates to reason about vulnerability, resilience and ethics in complex environments.
Recent reports from European and international agencies highlight the growth of attacks on public Wi-Fi networks, the widespread use of social engineering, and the impact of low digital literacy on the success of security incidents European Union Agency for Cybersecurity (2025); Pawlicka et al. (2023). This situation puts pressure on higher education institutions and training providers not only to update curricular content, but also to design learning experiences that help students deal with uncertainty, contested information and evolving threat landscapes.
Portable devices for security auditing and experimentation, such as Flipper Zero, Pwnagotchi or LilyGO boards, have shown the potential of compact platforms to simulate attacks, detect vulnerabilities and support gamified learning activities Flipper Devices Inc. (2023); Evilsocket (2023); LilyGO (2023). However, many of these solutions are not primarily designed for educational settings and rarely offer explicit pedagogical framing, alignment with programme-level learning outcomes or integrated assessment strategies Phuong et al. (2023); Luh et al. (2025). As a result, instructors who wish to use such tools often need to design bespoke activities and deal with tensions between demonstration value, safety and ethical considerations.
In parallel, research on cybersecurity education, workshops and serious games has emphasised the importance of experiential and system-level learning activities that allow students to observe and interact with realistic attack and defence scenarios Rege (2015); Nguyen et al. (2024). Studies report that hands-on workshops in IT/OT environments and gamified simulations of cyber-physical systems can increase engagement, improve risk comprehension and support adversarial risk exploration in a controlled manner Phuong et al. (2023); Luh et al. (2025). From the perspective of engineering education, these findings suggest that effective cybersecurity teaching requires more than transferring technical knowledge: learners must engage with authentic, uncertain situations, reason about human and organisational factors, and reflect on their own responsibilities when operating powerful tools.
MoonPhase was conceived as a multifunctional portable cybersecurity device that responds to these challenges. It balances offensive, defensive and educational functionalities in a modular architecture based on a Raspberry Pi Zero 2 W and dedicated wireless communication modules, but it is also explicitly framed as an educational artefact for engineering programmes. The device design is grounded in a PRISMA-based systematic review of portable cybersecurity devices and educational approaches, which identified gaps in existing tools regarding explicit educational framing and integration into curricula Moher et al. (2009); Phuong et al. (2023); Luh et al. (2025). MoonPhase was developed across two project-based courses (Project I and Project II) in an undergraduate programme, following an iterative cycle from literature review and requirements elicitation to prototyping, integration and reflection Silva (2026 1); Silva (2026 2). This trajectory reflects how authentic design projects can cultivate students’ ability to navigate uncertainty and complexity in engineering practice.
Accordingly, the present manuscript is framed as a design and conceptual framework study for MoonPhase, laying the groundwork for future empirical investigations of its educational impact.
The contributions of this paper are threefold:
  • to present the design and implementation of MoonPhase as a portable cybersecurity artefact explicitly conceived for engineering education contexts;
  • to articulate a conceptual instructional framework that links the device’s offensive, defensive and educational modes to learning outcomes, classroom activities and ethical reflection;
  • to propose an evaluation framework for future classroom studies, including research questions, instruments and implementation scenarios for investigating the educational value of MoonPhase.
Rather than reporting empirical learning outcomes, this paper focuses on the design and implementation of MoonPhase and on the development of a pedagogically grounded conceptual framework for its use in engineering education. Systematic classroom deployments and the collection of quantitative and qualitative evidence on student learning, engagement and ethical awareness are explicitly reserved for future work.
The proposed design aligns with calls in the cybersecurity education literature for experiential, system-level learning activities that expose students to realistic scenarios while maintaining safety and ethical oversight Rege (2015); Narain et al. (2025). In this sense, MoonPhase is intended not only as a technical artefact, but as a contribution to the broader discussion on how engineering education can respond to uncertainty and complexity in digital societies.

3. MoonPhase Device

3.1. Overview

MoonPhase is a portable device designed for practical experimentation in cybersecurity, integrating multiple modules for the analysis, emission and manipulation of wireless signals in a compact and autonomous form factor Silva (2026 2). The prototype supports operations such as on–off keying (OOK) signal capture and replay, frequency scanning, packet sniffing, fake access point creation and experimental Bluetooth jamming, while offering an accessible menu-based interface that can be operated without external peripherals. In contrast to hobbyist-oriented tools such as Flipper Zero or Pwnagotchi Flipper Devices Inc. (2023); Evilsocket (2023), MoonPhase was designed from the outset as an educational artefact, with its functionality mapped to learning outcomes and teaching activities in engineering programmes.
The development followed an iterative prototyping methodology that allowed each hardware component and software module to be validated prior to final integration Silva (2026 2). Tests conducted in dedicated laboratory scenarios, using controlled networks and test devices, indicate that MoonPhase can operate reliably from a technical standpoint and that it is a plausible candidate for teaching and experimentation on wireless protocols and device behaviour under adverse conditions. This section summarises the hardware and software architecture of the device and its main modes of operation, emphasising design decisions that support educational use.
Figure 2. MoonPhase prototype, showing the Raspberry Pi Zero 2 W, OLED display, D-Pad and RF/IR modules in a portable form factor.
Figure 2. MoonPhase prototype, showing the Raspberry Pi Zero 2 W, OLED display, D-Pad and RF/IR modules in a portable form factor.
Preprints 216641 g002

3.2. Hardware Architecture

The hardware architecture of MoonPhase is organised into three main layers: interface and control, radio-frequency (RF) communication and infrared communication Silva (2026 2). A Raspberry Pi Zero 2 W acts as the central processing unit, coordinating interactions between the user interface, RF modules and support tools. The choice of a Raspberry Pi platform reflects the widespread use of similar single-board computers in cybersecurity experiments and portable training devices Phuong et al. (2023); Yaacoub et al. (2023).
Figure 3. High-level architecture of the MoonPhase device, highlighting the interface and control layer, RF communication layer and infrared communication layer.
Figure 3. High-level architecture of the MoonPhase device, highlighting the interface and control layer, RF communication layer and infrared communication layer.
Preprints 216641 g003
The interface and control layer includes:
  • a 1.3” OLED display based on the SH1106 controller, connected via I2C, used to present menus, system states, scan results and other real-time information;
  • a D-Pad consisting of a joystick with five directions (UP, DOWN, LEFT, RIGHT, CENTRE) plus SET and RESET buttons, wired to GPIO pins configured as inputs with internal pull-up resistors to ensure stable readings Silva (2026 2).
The RF communication layer integrates a CC1101 module and an nRF24L01+ PA/LNA module, both connected via SPI to the Raspberry Pi Zero 2 W Silva (2026 2). The CC1101 module is used to capture and reproduce low-complexity modulations such as OOK and amplitude shift keying (ASK) around 433 MHz, enabling replay attacks on simple IoT devices, while the nRF24L01+ PA/LNA module supports experiments in the 2.4 GHz band, including Bluetooth jamming and RF activity scanning. These frequency bands and modulation schemes are widely encountered in consumer devices and educational projects, which facilitates connections with existing course content and laboratory exercises Flipper Devices Inc. (2023); LilyGO (2023).
The infrared communication layer comprises a Keyestudio KS0027 IR emitter and KS0026 IR receiver tuned to 38 kHz Silva (2026 2). These modules allow MoonPhase to capture and replay IR commands from common remote controls, supporting the demonstration of replay attacks on consumer devices such as TVs and projectors. A JOY-IT four-port GPIO expander is used to reduce cabling complexity and to facilitate the distribution of GPIO pins among the various modules, which also simplifies assembly and maintenance of devices in a teaching laboratory.

3.3. Software Architecture

The software layer is based primarily on Python 3 scripts running on Raspberry Pi OS Lite, complemented by Bash scripts for system-level tasks and integration with external tools Silva (2026 2). Python was chosen for its readability, extensive hardware support libraries and ease of integration with security tools, while Bash is used to orchestrate services such as hostapd, dnsmasq and web servers in offensive modes. This hybrid approach is consistent with other experiential cybersecurity platforms that build on established open-source tools Nguyen et al. (2024); Narain et al. (2025).
The main Python application implements the menu system, handles D-Pad input and updates the OLED display in real time, relying on libraries such as luma.oled, spidev, RPi.GPIO, smbus, RF24 and CC1101-specific wrappers for SPI, GPIO and I2C communication with the RF modules and display Silva (2026 2). Network analysis and auditing capabilities rely on command-line tools such as Nmap, which are invoked from Python or Bash and whose results are parsed and displayed on the OLED. By encapsulating these tools behind a menu-driven interface, MoonPhase makes them accessible to students who may not yet be comfortable with command-line use, while still allowing instructors to expose the underlying commands when appropriate.
The codebase is organised into modular components, each handling a specific concern:
  • a user interface module, which manages screen rendering and navigation;
  • RF and IR modules, which encapsulate signal capture, replay, scanning and interference routines;
  • a network tools module, which wraps calls to Nmap and related utilities.
This modular structure facilitates maintenance and future extensions, and also provides a clear entry point for students interested in studying or adapting the implementation as part of project work.

3.4. Functional Modes

MoonPhase was conceptually organised into three modes of operation: Offensive, Defensive and Educational Silva (2026 1); Silva (2026 2). This triad reflects the balance sought in the original project between demonstrating offensive techniques, reinforcing defensive practices and promoting reflective, educational use.
In the Offensive mode, the device aggregates functionalities oriented towards demonstrating vulnerabilities, including:
  • creation of a fake Wi-Fi access point with captive portal for phishing demonstrations, implemented using hostapd, dnsmasq and a lightweight web server;
  • capture and replay of OOK signals in the 433 MHz band, targeting simple IoT devices;
  • experimental Bluetooth jamming using the nRF24L01+ PA/LNA module to generate interference in the 2.4 GHz spectrum Silva (2026 2).
The Defensive mode groups diagnostic and monitoring functionalities such as:
  • network scanning using Nmap to identify hosts and services in local networks;
  • basic logging of scan results and RF activity, intended for later analysis and discussion in class Silva (2026 2).
The Educational mode provides conceptual explanations related to the other modes, including descriptions of Wi-Fi handshakes, phishing, Bluetooth interference and replay attacks, presented as interactive textual content on the OLED Silva (2026 1). This mode is designed to support in-situ explanations during demonstrations and to reinforce theoretical concepts via the device itself, in line with experiential learning approaches where conceptual and practical components are tightly interwoven Rege (2015); Eman Hammad Romero (2022).
Together, these modes operationalise the design principles identified in the literature review and in related experiential cybersecurity platforms Phuong et al. (2023); Luh et al. (2025); Narain et al. (2025), while providing a concrete, portable artefact that can be deployed in engineering education contexts.

4. Instructional Design and Curricular Integration

4.1. Design Principles

This section presents the conceptual instructional framework developed to support the use of MoonPhase in engineering education. Drawing on findings from the systematic review and from prior work on workshops, mobile labs and serious games in cybersecurity, the framework specifies how the device can be positioned within experiential, system-level learning activities that combine technical investigation, ethical reflection and socio-technical reasoning Phuong et al. (2023); Luh et al. (2025); Rege (2015); Peruma et al. (2018). The purpose of this framework is not to claim demonstrated educational effectiveness at this stage, but to provide a structured basis for designing, implementing and later evaluating MoonPhase-based learning experiences Eman Hammad Romero (2022); Narain et al. (2025).
The three functional modes of MoonPhase were aligned with specific learning outcomes, such as:
  • identifying and explaining common vulnerabilities in wireless networks and IoT devices;
  • interpreting results from network scanning and RF activity monitoring under conditions of incomplete information;
  • analysing the ethical and legal implications of attacks such as phishing and replay, and articulating responsible courses of action in ambiguous situations.
The proposed use of MoonPhase in engineering courses follows a lab-based pedagogy where students alternate between short instructor-led demonstrations, guided hands-on exercises and structured reflection activities. Particular emphasis is placed on debriefing moments in which students connect technical observations with broader issues such as user behaviour, organisational policies and regulatory frameworks Rege (2015); Eman Hammad Romero (2022). This structure aims to bridge the gap between theoretical content and practical skills, while ensuring that offensive capabilities are always framed within ethical and legal boundaries.

4.2. Integration into Engineering Curricula

MoonPhase is intended to be integrated into modules such as Introduction to Cybersecurity, Computer Networks or IoT Systems in computer engineering and related programmes. Typical prerequisites include basic networking concepts, familiarity with Linux command-line tools and a general introduction to security principles. Instructors can use the device to complement existing laboratory infrastructures or, in resource-constrained contexts, as a lightweight alternative to more complex cyber ranges Narain et al. (2025).
Table 2 presents an example of a 90-minute lab session in an introductory cybersecurity course making use of MoonPhase.
During such a session, students observe a controlled fake AP phishing attack using MoonPhase, then perform their own network scans and simple signal captures in small groups, before engaging in a plenary discussion on countermeasures and ethical issues Silva (2026 2). The device’s menu system and self-contained interface allow the lab to run without additional peripherals, which simplifies logistics and supports portability between classrooms and labs. By situating MoonPhase-based activities within broader discussions about critical infrastructures, privacy and the societal impact of digital technologies, the device contributes to programme-level objectives related to ethics, sustainability and responsible innovation in engineering European Union Agency for Cybersecurity (2025); Europol (2024).
The stages in Table 2 are explicitly aligned with the learning outcomes introduced in Section 4. Stage 1 and 2 mainly address conceptual understanding of wireless security mechanisms and common attack vectors (LO1), while Stage 3 emphasises procedural skills in running scans, capturing signals and interpreting MoonPhase outputs under uncertainty (LO2). Stage 4 and 5 focus on ethical reasoning and professional responsibility, asking students to articulate mitigation strategies, discuss institutional policies and reflect on what constitutes acceptable use of offensive tools in engineering practice (LO3). This explicit mapping supports constructive alignment between activities, assessment and programme-level objectives.

4.2.1. Example Multi-Week Sequence

Beyond single-session use, MoonPhase can be embedded into a short multi-week sequence within an introductory cybersecurity module. Table 3 sketches a four-week progression that gradually moves from highly structured demonstrations to more open-ended, student-designed activities, in line with recommendations for goal-oriented experiential learning in cybersecurity Eman Hammad Romero (2022); Rege (2015).
In Week 1, MoonPhase is used mainly to visualise key concepts such as wireless handshakes, replay attacks and captive portals, with the instructor controlling the device. Week 2 introduces guided practice, where students execute predefined procedures and interpret MoonPhase outputs under supervision. In Week 3, students work in groups to design their own scenarios within clearly defined constraints, for example choosing a combination of fake AP, OOK replay and scanning tasks that illustrate a particular threat model. Week 4 is devoted to reporting, peer discussion and ethical case analysis, encouraging students to connect their technical experiments with broader questions about risk, responsibility and professional conduct.

4.3. Workshops and Outreach Activities

Beyond formal courses, MoonPhase can be used in short workshops and outreach events targeting heterogeneous audiences such as high school students, teachers or IT professionals. Prior work on IT/OT workshops and experiential cybersecurity platforms suggests that hands-on demonstrations with real systems increase understanding and engagement across diverse participant profiles Phuong et al. (2023); Narain et al. (2025). In these settings, the device can be operated by the instructor for live demonstrations of OOK replay, Bluetooth jamming or captive portal phishing, or deployed in small-group stations where participants follow simplified scripts under supervision Silva (2026 1); Silva (2026 2).
Example outreach scenarios include showing how simple IR or 433 MHz remotes can be cloned, or how insecure public Wi-Fi networks can be exploited using fake authentication pages, followed by discussions on how to recognise and avoid such threats in everyday life. These activities support not only technical skill development but also cybersecurity awareness and digital literacy, which are increasingly recognised as essential competencies for citizens in an age of uncertainty and complexity Pawlicka et al. (2023); European Union Agency for Cybersecurity (2025).

4.4. Risk Management and Ethical Guidelines

Because MoonPhase includes offensive capabilities such as fake access points, replay attacks and experimental RF interference, its use in education requires explicit risk management and ethical guidelines. Activities are intended to be conducted only in controlled environments, using dedicated laboratory networks and test devices, with clear institutional approval and communication of legal boundaries to participants Silva (2026 2). Instructors are advised to introduce a code of conduct, emphasise responsible disclosure and ensure that all demonstrations are framed as opportunities to understand and prevent real-world abuse rather than to encourage it, echoing recommendations from prior work on holistic cybersecurity education and cyber-physical workshops Rege (2015); Phuong et al. (2023).
These considerations are particularly important in engineering programmes, where students may later assume roles with direct responsibility for the design and operation of critical systems. By explicitly embedding ethical reflection and risk management into MoonPhase-based activities, the instructional design aims to foster a sense of professional responsibility alongside technical proficiency.
In addition to general ethical principles, the use of MoonPhase must comply with applicable legal and regulatory frameworks. Activities involving Bluetooth jamming, replay attacks or fake access points can interfere with radio spectrum use and network services, and are therefore restricted or prohibited in many jurisdictions unless conducted under explicit institutional authorisation and within clearly delimited test environments. Instructors are responsible for ensuring that all experiments respect national radio spectrum regulations, institutional acceptable-use policies and, where relevant, data protection and privacy legislation. Explicit documentation of permissions, boundaries (e.g., shielded labs, isolated test networks) and supervisory arrangements should be part of any MoonPhase deployment in order to model responsible professional practice for students.

5. Evaluation Framework and Discussion

5.1. Planned Evaluation Approach

At the current stage, MoonPhase has been implemented and tested from a technical standpoint Silva (2026 2), but a systematic educational evaluation has not yet been conducted. The framework is intended to guide the first classroom deployments of MoonPhase and to support the systematic study of knowledge gains, engagement, ethical awareness and perceptions of authenticity in engineering education settings Phuong et al. (2023); Eman Hammad Romero (2022); Narain et al. (2025).
The planned evaluation combines:
  • Pre- and post-tests, to measure changes in cybersecurity literacy and conceptual understanding of topics such as wireless vulnerabilities, replay attacks and phishing;
  • Questionnaires, to capture student motivation, perceived usefulness, perceived authenticity of the learning activities and sense of professional responsibility when operating offensive tools;
  • Rubrics for lab work, to assess the quality of lab reports, practical tasks carried out using MoonPhase and the depth of students’ reflections on ethical and socio-technical aspects;
  • Optional focus groups or interviews, to collect qualitative feedback on how students experience uncertainty, complexity and ethical dilemmas in MoonPhase-based activities.
In practice, pre- and post-tests will include multiple-choice and short-answer items targeting concepts such as identifying insecure Wi-Fi configurations, recognising replay-attack scenarios and distinguishing legitimate from phishing captive portals. Lab rubrics will assess, for example, the correctness and completeness of network scan reports, the quality of technical explanations in lab notebooks, and the depth of ethical reflection, using three or four performance levels (e.g., from “descriptive only” to “critical and integrative”). These concrete criteria are intended to make expectations transparent to students and to support consistent grading across cohorts.
This combination mirrors common practice in experiential cybersecurity education, where mixed-methods approaches are used to triangulate learning outcomes, engagement and attitudinal changes Rege (2015); Peruma et al. (2018); Eman Hammad Romero (2022). Instruments will be piloted in small cohorts and iteratively refined, with particular attention to validity, reliability and alignment with programme-level learning outcomes.

5.2. Study Designs and Research Questions

Initial deployments of MoonPhase are envisioned in single-group pre/post designs within existing engineering courses, allowing for exploratory analyses of learning gains and student perceptions Narain et al. (2025). Over time, more robust study designs may be implemented, including comparison groups using traditional labs or virtual-only environments, to better isolate the specific contribution of the physical device and its modes of operation.
Key research questions include:
  • RQ1: To what extent does the use of MoonPhase improve students’ understanding of wireless security concepts and attack/defence mechanisms?
  • RQ2: How does MoonPhase influence students’ engagement and perceived authenticity of cybersecurity learning activities, compared with more traditional labs?
  • RQ3: How do students perceive their ethical responsibilities and professional role when using offensive capabilities in a controlled educational setting?
These questions are aligned with prior work that emphasises not only knowledge acquisition but also engagement, self-efficacy and ethical awareness in cybersecurity programmes Rege (2015); Eman Hammad Romero (2022); Narain et al. (2025).

5.3. Expected Benefits and Challenges

Technical testing carried out during Project II indicates that MoonPhase can reliably execute the planned functionalities, including OOK capture and replay, frequency scanning, packet sniffing, fake AP creation and experimental Bluetooth jamming Silva (2026 2). The modular architecture facilitated fault isolation and improvements in RF stability, for example by adjusting power supply decoupling for the nRF24L01+ PA/LNA module. From an educational perspective, the combination of an intuitive physical interface, a diverse set of functionalities and an explicit Educational mode suggests that MoonPhase is a promising candidate for use in higher education and professional training, although this potential remains to be empirically examined Silva (2026 1); Silva (2026 2).
At the same time, the presence of offensive capabilities requires clear ethical guidelines, formal usage policies and careful supervision to ensure that all activities remain within legal and institutional boundaries Phuong et al. (2023); Rege (2015). There is also a risk that novelty effects associated with new hardware, or particular characteristics of the instructor and institutional context, may influence evaluation results Eman Hammad Romero (2022). Potential threats to validity therefore include:
  • internal validity issues such as novelty effects and instructor enthusiasm;
  • external validity limitations due to single-institution studies or specific curricular settings;
  • construct validity concerns related to how well tests and questionnaires capture constructs such as cybersecurity literacy or ethical awareness.
Mitigation strategies include gradual integration into multiple courses and cohorts, replication across institutions, transparent reporting of contextual factors and the triangulation of quantitative and qualitative data Narain et al. (2025); European Union Agency for Cybersecurity (2025); Europol (2024). By addressing these challenges, the evaluation of MoonPhase can contribute not only to improving the device and its associated teaching materials, but also to broader discussions about how to assess experiential cybersecurity learning in engineering education.

6. Conclusions and Future Work

This paper has presented MoonPhase, a multifunctional portable device for cybersecurity with a specific focus on applications in engineering education. Building on a PRISMA-based systematic review of portable cybersecurity devices and educational approaches, and on two project-based development cycles (Project I and Project II), MoonPhase was designed to combine offensive, defensive and educational functionalities in a single, replicable platform Moher et al. (2009); Silva (2026 1); Silva (2026 2). The device brings together capabilities for demonstrating vulnerabilities in wireless and IoT systems, supporting practical auditing activities and fostering ethical discussions anchored in realistic scenarios, while remaining accessible for deployment in standard laboratory settings Phuong et al. (2023); Luh et al. (2025).
The paper has described the hardware and software architecture of MoonPhase, its three functional modes and their alignment with learning outcomes that address cybersecurity literacy, systems thinking and ethical awareness. It has also outlined an instructional design and curricular integration strategy based on lab-based, experiential activities and outreach workshops, as well as a mixed-methods evaluation plan combining pre/post tests, questionnaires, rubrics and qualitative feedback Rege (2015); Eman Hammad Romero (2022); Narain et al. (2025). In doing so, MoonPhase is positioned not only as a technical artefact, but as a design and conceptual contribution to ongoing debates about how engineering education can respond to uncertainty and complexity in digital societies European Union Agency for Cybersecurity (2025); Europol (2024).
Future work will focus on three main directions. First, the physical design will be refined through the development of a dedicated enclosure and improved internal wiring to increase durability, safety and ease of use in educational settings Silva (2026 2). Second, a comprehensive educational package will be developed, including detailed lab manuals, interactive educational content and assessment rubrics integrated with the device’s Educational mode, drawing on best practices from experiential cybersecurity platforms and mobile security labs Peruma et al. (2018); Narain et al. (2025). Third, empirical studies will be conducted in engineering courses and workshops, and ideally across multiple institutions, to evaluate the impact of MoonPhase on cybersecurity literacy, student engagement and ethical awareness, and to explore how students experience uncertainty, complexity and professional responsibility when using the device Phuong et al. (2023); Eman Hammad Romero (2022).
By making both the technical design and instructional framework available, MoonPhase aims to serve as a basis for further projects and derivatives, encouraging the creation of new educational resources and applications around the physical model. In the longer term, such devices and associated learning designs may contribute to a broader ecosystem of portable, experiential tools that support engineering education in an age of uncertainty and complexity.

Author Contributions

Conceptualization, R.L.S., L.M.B. and A.C.M.O.; methodology, R.L.S. and L.M.B.; software, R.L.S.; validation, R.L.S. and L.M.B.; formal analysis, R.L.S. and A.C.M.O.; investigation, R.L.S.; resources, L.M.B.; data curation, R.L.S.; writing—original draft preparation, R.L.S.; writing—review and editing, L.M.B. and A.C.M.O.; visualization, R.L.S.; supervision, L.M.B. and A.C.M.O.; project administration, L.M.B.; funding acquisition, L.M.B. and A.C.M.O. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the UID/04516/2025 NOVA Laboratory for Computer Science and Informatics (NOVA LINCS) and by the UID/50008/2025 – Instituto de Telecomunicações (with DOI identifier <https://doi.org/10.54499/UID/50008/2025>) with the financial support of FCT – Fundação para a Ciência e a Tecnologia, I.P.

Acknowledgments

During the preparation of this manuscript/study, the author(s) used ChatGPT-5.5 for the purposes of image generation. The authors have reviewed and edited the output and take full responsibility for the content of this publication.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Aly, A., Mansour, E., & Youssef, A. (2025). OCR-APT: Reconstructing APT Stories from Audit Logs using Subgraph Anomaly Detection and LLMs. In Proceedings of the 2025 acm sigsac conference on computer and communications security (p. 261–275). New York, NY, USA: Association for Computing Machinery. [CrossRef]
  2. Dougherty, D. (2025). Hacking the planet from your pocket. https://makethings.make.co/p/hacking-the-planet-from-your-pocket. (Accessed: 2026-05-21).
  3. Eman Hammad, J. N., & Romero, J. (2022, August). Towards Goal-Oriented Experiential Learning for Cybersecurity Programs. In 2022 asee annual conference & exposition. Minneapolis, MN: ASEE Conferences. (https://peer.asee.org/41687).
  4. European Union Agency for Cybersecurity. (2025). Enisa threat landscape 2025 (Tech. Rep.). ENISA. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 (accessed on 2026-05-21).
  5. Europol. (2024). Internet organised crime threat assessment (iocta) 2023 (Tech. Rep.). European Union Agency for Law Enforcement Cooperation. Available online: https://www.europol.europa.eu/publication-events/main-reports/internet-organised-crime-threat-assessment-iocta-2023 (accessed on 2026-05-21).
  6. Evilsocket. (2023). Pwnagotchi: Deep reinforcement learning wi-fi hacking. https://pwnagotchi.ai/. (Accessed: 2026-05-21).
  7. Flipper Devices Inc. (2023). Flipper zero documentation. https://docs.flipperzero.one/. (Accessed: 2026-05-21).
  8. Happe, A., & Cito, J. (2023). Understanding Hackers’ Work: An Empirical Study of Offensive Security Practitioners. In Proceedings of the 31st acm joint european software engineering conference and symposium on the foundations of software engineering (p. 1669–1680). New York, NY, USA: Association for Computing Machinery. [CrossRef]
  9. LilyGO. (2023). T-embed esp32 board and open-source repository. https://github.com/Xinyuan-LilyGO. (Accessed: 2026-05-21).
  10. Luh, R., Eresheim, S., Tavolato, P., Petelin, T., Gmeiner, S., Holzinger, A., & Schrittwieser, S. (2025). Gamifying information security: Adversarial risk exploration for IT/OT infrastructures. Computers & Security, 151, 104287. [CrossRef]
  11. Moher, D., Liberati, A., Tetzlaff, J., & Altman, D. G. (2009). Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA Statement. PLOS Medicine, 6(7), e1000097. [CrossRef]
  12. Narain, S., Rayavaram, P., Morales-Gonzalez, C., Harper, M., Abbasalizadeh, M., Vellamchety, K., & Fu, X. (2025). Practical Cybersecurity Education: A Course Model Using Experiential Learning Theory., 819–825. [CrossRef]
  13. Nguyen, T., Chen, Z., Hasegawa, K., Fukushima, K., & Beuran, R. (2024). PenGym: Pentesting Training Framework for Reinforcement Learning Agents. In Proceedings of the 10th international conference on information systems security and privacy - icissp (p. 498-509). SciTePress. [CrossRef]
  14. Pantelakis, V., Bountakas, P., Farao, A., & Xenakis, C. (2023). Adversarial Machine Learning Attacks on Multiclass Classification of IoT Network Traffic. In Proceedings of the 18th international conference on availability, reliability and security. New York, NY, USA: Association for Computing Machinery. [CrossRef]
  15. Pawlicka, A., Tomaszewska, R., Krause, E., Jaroszewska-Choraś, D., Pawlicki, M., & Choraś, M. (2023). Has the Pandemic Made Us More Digitally Literate? Journal of Ambient Intelligence and Humanized Computing, 14(11), 14721–14731. [CrossRef]
  16. Peruma, A., Malachowsky, S., & Krutz, D. (2018). Providing an Experiential Cybersecurity Learning Experience through Mobile Security Labs. In 2018 ieee/acm 1st international workshop on security awareness from design to deployment (sead) (p. 51-54). [CrossRef]
  17. Phuong, C., Saied, N., & Yang, L. (2023, 10). A Hands-on Education Framework for Cybersecurity., 1-5. [CrossRef]
  18. Rege, A. (2015). Multidisciplinary Experiential Learning for Holistic Cybersecurity Education, Research and Evaluation. In Proceedings of the 2015 usenix summit on gaming, games, and gamification in security education (3gse). Available online: https://www.usenix.org/conference/3gse15/summit-program/presentation/rege (accessed on 2026-05-21).
  19. Silva, R. L. d. (2026a). Desenvolvimento de dispositivo portátil multifuncional para cibersegurança: Perspetiva ofensiva, defensiva e educativa — projeto i. (Project I report, Escola Superior de Tecnologia, Instituto Politécnico de Castelo Branco).
  20. Silva, R. L. d. (2026b). Desenvolvimento de dispositivo portátil multifuncional para cibersegurança: Perspetiva ofensiva, defensiva e educativa — projeto ii. (Project II report, Escola Superior de Tecnologia, Instituto Politécnico de Castelo Branco).
  21. Skandylas, C., & Asplund, M. (2025). Automated penetration testing: Formalization and realization. Computers & Security, 155, 104454. [CrossRef]
  22. Venturi, A., Andreolini, M., Marchetti, M., & Colajanni, M. (2024). Assessing generalizability of Deep Reinforcement Learning algorithms for Automated Vulnerability Assessment and Penetration Testing. Array, 24, 100365. [CrossRef]
  23. Yaacoub, E., Al-Asaad, H., Salloum, G., & Sharafeddine, S. (2023). Lightweight Security Mechanisms for Federated Learning in IoT Systems. IEEE Internet of Things Journal, 10(18), 16245–16258. [CrossRef]
Figure 1. PRISMA flow diagram summarising the identification, screening, eligibility and inclusion of studies in the systematic review.
Figure 1. PRISMA flow diagram summarising the identification, screening, eligibility and inclusion of studies in the systematic review.
Preprints 216641 g001
Table 1. Summary of studies included in the systematic review.
Table 1. Summary of studies included in the systematic review.
Study Technology context Orientation Main contribution
Skandylas Asplund (2025) Automated pentesting platforms Offensive Proposes ADAPT, a formalised architecture that automates planning and execution of penetration tests using tools such as Metasploit and sqlmap in realistic network environments.
Venturi et al. (2024) Raspberry Pi; VAPT testbed Offensive Evaluates the ability of DRL agents (e.g., A2C, PPO, DQN) deployed on low-cost hardware to generalise VAPT strategies to previously unseen hosts and vulnerability configurations.
Phuong et al. (2023) Portable devices in IT/OT workshops Educational Reports on hands-on workshops using a real cyber-physical production system to improve participants’ understanding of industrial cybersecurity risks and mitigation practices.
Nguyen et al. (2024) Realistic RL pentesting environment Offensive Introduces PenGym, an environment that combines real hosts and tools (Nmap, Metasploit, CyRIS) to train RL-based pentesting agents and reduce the gap between simulation and practice.
Yaacoub et al. (2023) IoT; ESP32; federated learning Defensive Surveys security threats and countermeasures for federated learning in IoT deployments, highlighting lightweight mechanisms suitable for constrained devices such as ESP32 nodes.
Pantelakis et al. (2023) Real-time AI-based detection Defensive Presents adversarial training and online detection mechanisms that strengthen machine-learning models against sophisticated attacks in dynamic environments.
Luh et al. (2025) Gamified IT/OT environments Educational Describes a serious-game framework for exploring information security risks in cyber-physical infrastructures, supporting adversarial risk exploration in a controlled setting.
Happe Cito (2023) Real-world offensive practice Offensive Provides an empirical analysis of offensive security professionals’ practices, tools and cognitive strategies, highlighting adaptability and strategic reasoning in real pentesting work.
Aly et al. (2025) Audit logs; GNNs; LLM-based analysis Defensive Combines graph-based anomaly detection with large language models to reconstruct human-readable narratives of advanced persistent threats from system audit logs.
Table 2. Example of a 90-minute lab session with MoonPhase
Table 2. Example of a 90-minute lab session with MoonPhase
Stage Duration Activity
1 10 min Theoretical recap and learning outcomes
2 20 min Demonstration of Wi-Fi scan and fake AP
3 25 min Guided Nmap and signal capture exercise
4 20 min Group reflection on risks and mitigation
5 15 min Short quiz and feedback collection
Table 3. Example four-week sequence using MoonPhase
Table 3. Example four-week sequence using MoonPhase
Week Focus Main MoonPhase activities
1 Concepts & demo Instructor-led demos of scans, fake AP and OOK replay
2 Guided practice Students follow structured lab scripts in small groups
3 Semi-open tasks Groups design and execute constrained attack/defence scenarios
4 Reflection & ethics Reporting, peer discussion and ethical case analysis
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings