Well, if it were me, for CySA, I'd do a mockup of a major forensics incident. Set up a workstation office, cordoned off with yellow tape. Machine is still up, so maybe figuring out how to preserve the evidence in RAM, doing a proper disk copy with dd, using a write blocker.
Actual scans using OpenVAS/Greenbone, Nessus, or Qualys - or setting up some target Metasploitables that you can scan are also good for getting interest. Since CySA is Blue Team operations its not quite as alluring as the Red Team stuff in PenTest, but you can still pull those tools out. A run through Kali/Parrot/Security Onion, doing some intelligence gathering with Maltego, or going through Metasploit - all fun things to show the students.
I've always wanted to do a Red vs. Blue capture the flag thing.
/r
