Free downloadable materials for bringing network security into the classroom
A suggested 10-week course combining books, app exercises, and lab simulations
| Week | Topic | Book Chapter | Lab | App Focus |
|---|---|---|---|---|
| 1 | Introduction: The Invisible Digital World | Signal, Ch. 1-3 | — | Install app, Basic Mode, WiFi tab |
| 2 | WiFi Fundamentals & Rogue Access Points | Signal, Ch. 4-8 | Lab 1: Evil Twin | WiFi scanning, SSID analysis |
| 3 | WiFi Channels & RF Environment | — | Lab 8: Channel Analysis | Analyzer, channel visualization |
| 4 | Baselines & Normal vs. Abnormal | Baseline, Ch. 1-5 | Lab 2: Baseline & Drift | SOC mode, Inventory tab |
| 5 | Bluetooth & Device Tracking | Pattern, Ch. 1-4 | Lab 4: Bluetooth Recon | Bluetooth tab, Advanced Mode |
| 6 | Network Devices & Infrastructure | Source, Ch. 1-5 | Lab 5: Device Discovery | Tools: Subnet Mapper, Port Scanner |
| 7 | ARP, Gateways & Man-in-the-Middle | Baseline, Ch. 6-10 | Lab 3: ARP Monitoring | Events tab, gateway alerts |
| 8 | DNS & Trust on the Internet | — | Lab 6: DNS & TLS | Tools: DNS Probe, TLS Validator |
| 9 | Wireless Environment Survey | — | Lab 9: War Walk | Map tab, Analyzer reports |
| 10 | Incident Response & SOC Operations | Trace, Ch. 1-6 | Lab 7 & Lab 10 | SOC mode, full export |
Flexible by design: This curriculum is a suggestion, not a requirement. Teachers can pick individual labs and topics as standalone lessons, reorder the sequence, or extend it with additional Field Stories readings. Every component works independently.
Ready-to-use documents for classroom instruction
60-minute lesson introducing invisible digital infrastructure, WiFi basics, and the Z.R.A.K. app. Includes discussion prompts and homework.
90-minute combined lesson and hands-on lab. Includes teacher setup instructions, student worksheets, and assessment rubric.
60-minute lesson on baselines, drift detection, and the Jaccard similarity index. Ties to Z.R.A.K.: Baseline book themes.
90-minute lesson on the observe-document-report workflow. Covers event vs. incident, severity levels, and evidence-based reporting.
Structured form for students to document discovered WiFi networks: SSID, security type, signal strength, channel, and risk assessment.
Form for cataloging Bluetooth devices: name, type, MAC address, manufacturer, signal strength, and behavioral notes.
Complete network inventory form: IP, MAC, vendor, OS, open ports, services, and trust classification.
Structured incident report form: timeline, evidence log, severity assessment, and recommended actions.
Guided discussion prompts exploring observation vs. exploitation, responsible disclosure, and competence as responsibility. Based on themes from the Z.R.A.K. book series.
End-of-course assessment covering WiFi security, Bluetooth, ARP, DNS, TLS, baselines, and incident response. Multiple choice and short answer.
Scoring rubric for lab exercises covering: technical accuracy, documentation quality, ethical reasoning, and collaborative skills.
What you need to run the full lab curriculum
Enough to run most labs with teacher demonstration:
For classes where every student or pair has a device:
dnsmasq (for DNS labs)Essential vocabulary for the Z.R.A.K. curriculum
| Term | Definition |
|---|---|
| AP (Access Point) | A wireless networking device that allows WiFi devices to connect to a network. Your router at home is an access point. |
| ARP | Address Resolution Protocol — maps IP addresses to MAC (hardware) addresses on a local network. Lacks authentication, making it vulnerable to spoofing. |
| Baseline | A snapshot of the "normal" state of a network environment. Used as a reference to detect changes (drift). |
| BLE | Bluetooth Low Energy — a power-efficient version of Bluetooth used by fitness trackers, beacons, IoT devices, and tracking tags. |
| BSSID | Basic Service Set Identifier — the MAC address of a WiFi access point. Each physical radio has a unique BSSID. |
| DNS | Domain Name System — translates human-readable domain names (e.g., google.com) into IP addresses. Can be spoofed to redirect traffic. |
| Drift | Change in the network environment compared to a captured baseline. Can indicate legitimate changes or adversarial activity. |
| Evil Twin | A rogue access point that impersonates a legitimate network by copying its SSID. Used to trick devices into connecting to the attacker. |
| Jaccard Index | A similarity score (0.0 to 1.0) comparing two sets. In Z.R.A.K., it measures how much the current scan matches the baseline. 1.0 = perfect match. |
| MAC Address | Media Access Control address — a unique hardware identifier assigned to every network interface. Can reveal the device manufacturer. |
| Man-in-the-Middle | An attack where the adversary positions themselves between two communicating parties, intercepting and potentially modifying traffic. |
| RSSI | Received Signal Strength Indicator — a measurement of how strong a wireless signal is, typically in dBm. Closer to 0 = stronger signal. |
| SSID | Service Set Identifier — the name of a WiFi network as it appears in your device's network list. |
| TLS | Transport Layer Security — the encryption protocol that protects HTTPS connections. Certificates verify server identity. |
| WPA2/WPA3 | WiFi Protected Access — security protocols that encrypt WiFi traffic. WPA3 is the latest and most secure standard. |
These materials are being actively developed. If you're a teacher planning to use Z.R.A.K. in your classroom and need specific resources, reach out through mirofeld.com/contact.