I don't know if others found this earlier but I recently came across the PortSwigger Web Academy. These are the folks that produce Burp Suite, a great tool for testing web application security. I asked one of my more advanced students to take a look at this over a weekend (they had completed all the assignments due through the end of the next week) and they came back and gave me a very good report on the exercises and labs. The cost? $99 USD (for the certification exam) but otherwise free. I believe that a student should be able to work through this materials in 4 to 6 weeks. Looking at the material myself I'm thinking I may suggest this to students between Security+; before CySA+ and CASP+ as it would provide a great foundation for understanding attack methods for folks who have not worked in an operational environment.