Overview
Deploy Enterprise Phishing Simulation in Minutes
HailBytes SAT is a fully-managed, enterprise-grade phishing simulation platform that helps organizations test and improve their security awareness posture through realistic phishing campaigns.
What You Get
- Complete phishing simulation platform pre-configured and ready to use
- AWS-integrated deployment with EC2, RDS MySQL (optional), and Amazon SES
- Unlimited phishing campaigns with scheduling and automation
- Advanced analytics dashboard with real-time metrics
- Email template library with customization tools
- Landing page designer for capturing credentials (training)
- REST API for automation and integrations
- Standard support included (3-5 day response) - upgrade available
Perfect For
- Security teams running regular awareness training campaigns
- IT departments testing employee security awareness
- Compliance teams meeting security training requirements
- MSPs delivering phishing simulation services to clients
- Organizations of 50-10,000+ employees
Key Features
Campaign Management
- Create unlimited phishing campaigns
- Schedule campaigns for optimal timing
- Clone and reuse successful templates
- Multi-campaign dashboard
- Historical tracking and trending
Email Capabilities
- HTML email template designer
- Dynamic personalization (name, position, department)
- File attachments support
- Automatic tracking pixels
- Import from existing emails
- Amazon SES integration for high deliverability
Analytics & Reporting
- Real-time campaign metrics
- User interaction tracking (opens, clicks, data submission)
- Detailed timeline views
- Exportable reports (PDF, CSV)
- Trend analysis across campaigns
- Risk scoring by department/user
Integration & Automation
- Complete REST API
- Webhook notifications
- LDAP/Active Directory sync
- SAML/SSO authentication
- CI/CD integration support
Pricing
- $0.24 per vCPU/hour - Simple, transparent pricing
- 2 vCPU minimum, 8GB memory - Right-sized for most organizations
- ~$350/month starting cost - Database, storage, and networking included
- 30-day free trial available - Test with no commitment
- Standard support included - Professional and Enterprise support available as add-ons
Deployment Details
Infrastructure Included
- Compute: EC2 instance (t3.medium or larger)
- Database: RDS MySQL (optional; a database is also bundled in the VM)
- Email: Amazon SES integration (separate SES costs apply)
- Storage: EBS volumes for data persistence
- Networking: VPC and security groups; load balancer optional
Setup Time
- 5-10 minutes automated CloudFormation deployment
- Pre-configured security groups and IAM roles
- Production-ready out of the box
- Fully managed infrastructure
Security & Compliance
- SOC 2 Type II compliant infrastructure
- Data encryption at rest and in transit
- Private VPC deployment
- Customizable security groups
- Audit logging enabled
- GDPR/CCPA compliant data handling
Why HailBytes SAT?
vs. SaaS Phishing Platforms
- 50-70% cost savings vs. KnowBe4, Proofpoint, or Cofense
- Complete data ownership - all data stays in your AWS account
- No per-user licensing - unlimited users included
- Full customization - modify templates, workflows, branding
Getting Started
- Subscribe on AWS Marketplace (uses your AWS committed spend)
- Deploy using our CloudFormation template (5-10 minutes)
- Configure your first campaign using our template library
- Launch and monitor results in real-time
Technical Requirements
- AWS account with EC2, RDS, SES permissions
- Minimum: 2 vCPUs, 8GB RAM
- Recommended: 4-8 vCPUs for large organizations (500+ employees)
Highlights
- One-click AWS deployment
- Unlimited phishing campaigns with advanced analytics
- 30-day free trial with Standard support included
Details
Pricing
Free trial
| Dimension | Cost/hour |
|---|---|
| m4.large (Recommended) | $0.48 |
| t3.xlarge | $0.48 |
| t3.large | $0.48 |
| t3.medium | $0.48 |
| t3.2xlarge | $0.48 |
Vendor refund policy
Contact us at david@hailbytes.com if you're unhappy with this product for any reason and we'll resolve your issue.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
HailBytes SAT v1.2077 - May 20, 2026
This release expands identity and compliance capabilities, adds multi-channel phishing simulation, broadens integration coverage, and modernizes the platform foundation.
Identity and access management adds SCIM 2.0 provisioning for automated user lifecycle, SAML and OIDC SSO with Microsoft Entra ID, Google, and Okta (including OIDC discovery), plus MFA/TOTP and tenant-aware admin workflows.
Compliance and reporting introduces compliance framework mapping across 20 modules covering PCI-DSS, HIPAA, SOC 2, ISO 27001, and LATAM frameworks. New evidence packs and signed PDF certificates of completion support audit needs. Remedial training assignment with repeat-offender risk scoring, historical risk snapshots, and trend reporting round out the reporting improvements.
Phishing and training expands beyond email with Twilio-powered SMS (smishing) and voice (vishing) simulations, QR-code lures, and AutoPhish template/page/group pools. New role-based training tracks for developers, finance, healthcare, and executive audiences include recurring campaigns, quiz tracking, and certificates. The built-in module and template library has been expanded.
Multi-tenant and MSP capabilities add cross-tenant rollups for activity, risk, and engagement across customer environments, plus system-level library flags and cloned-template governance.
SIEM and ticketing integrations add Microsoft Sentinel and Splunk for SIEM forwarding, and ServiceNow, Jira, and PagerDuty for ticketing workflows.
Email security integrations add Microsoft 365 Advanced Delivery and Google Workspace simulation support, plus Proofpoint TAP and Mimecast compatibility. User-reported phishing introduces an Outlook add-in, Gmail phish-report ingest, and a phishing-report slash command.
Data export adds scheduled exports to Amazon S3, Azure Blob Storage, and SFTP destinations.
Platform and operations modernizes the frontend with ES modules bundled via webpack and a Vitest unit-test harness, replacing the legacy gulp pipeline. Self-hosted opt-in analytics replace Mixpanel via a first-party event pipeline. Spanish and Brazilian Portuguese localization is now supported. Instance export and import enables backups and high-availability patching parity. An automated release pipeline publishes from main with generated patch notes, and first-time admin onboarding is smoother.
Upgrade notes: PostgreSQL is the only supported database engine. Migrations run automatically on startup; back up your PostgreSQL data before upgrading. Analytics remain opt-in and collect no data unless explicitly enabled.
Additional details
Usage instructions
HailBytes Security Awareness Training - v1.2077
== 1. First boot (2-3 minutes) ==
After launching the AMI, allow 2-3 minutes for hailbytes-sat, nginx, and PostgreSQL to initialize.
- SSH in: ssh -i your-key.pem ubuntu@<public-ip>
- The auto-generated admin password is printed in the SSH login banner and stored at /home/ubuntu/hailbytes-sat-initial-credentials.txt (delete after first login).
- Open the admin UI: https://<public-ip>:3333
- Log in as "admin" with that password. You will be forced to set a new password and are strongly encouraged to enable TOTP MFA on first login.
- Verify the service:
  curl -k https://<public-ip>:3333/api/ready
  curl -k https://<public-ip>:3333/api/instance/schema-version
== 2. Launch your first campaign ==
- Sending Profile - add an SMTP profile (AWS SES recommended). Use the in-app email-warming guide to ramp sender reputation gradually.
- Email Template - HTML editor with variable substitution: {{.FirstName}} {{.LastName}} {{.Email}} {{.Position}} {{.URL}} {{.RID}}.
- Landing Page - build a credential-capture or training page, or clone an existing site via the import URL field.
- Target Group - add recipients manually, import via CSV, or sync from LDAP / Active Directory / SCIM 2.0.
- Campaign - select template, landing page, sending profile, and targets; schedule or send immediately.
- Results - opens, clicks, submissions, and user-reported phish appear in real time. Export CSV or push events to SIEM via webhook.
== 3. AWS SES integration ==
- Verify your sending domain in AWS SES.
- Move SES out of sandbox (request production access).
- In SAT, create a Sending Profile:
  Host: email-smtp.<region>.amazonaws.com
  Port: 587 (STARTTLS)
  Auth: your SES SMTP credentials
- Send a test email, then ramp volume per the warming guide. EU customers: us-east-1 SES is not GDPR-appropriate -- use eu-west-1 or eu-central-1.
== 4. Network & security ==
- Admin UI: TCP 3333 (HTTPS) - restrict by Security Group to admin IPs.
- Phishing server: TCP 80/443 (nginx, SSL/TLS) - open to the public Internet.
- SSH: TCP 22, key-only auth - restrict by Security Group.
- AES-256-GCM at rest for all PII; key in /etc/hailbytes-sat/.
- Comprehensive audit logging with IP and user-agent tracking.
- UFW blocks all other ports by default.
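The port layout above can be checked against a security group's actual ingress rules. The following is an added example (not HailBytes' code): it audits the `IpPermissions` list in the shape returned by `aws ec2 describe-security-groups`, flags 3333 or 22 reachable from outside the admin CIDRs and any port outside the documented set, and accepts 80/443 from anywhere. The security group and admin CIDR below are constructed sample data.

```python
"""Audit an EC2 security group's ingress rules against the SAT port layout.

Policy from the usage instructions: TCP 3333 (admin UI) and TCP 22 (SSH) only
from admin IPs; TCP 80/443 (phishing server) may face the Internet; nothing
else should be open. Added example, not part of the HailBytes product.
"""
import ipaddress

PUBLIC_PORTS = {80, 443}   # nginx phishing server, may be open to 0.0.0.0/0
ADMIN_PORTS = {22, 3333}   # SSH and admin UI, admin CIDRs only


def _cidrs(perm):
    """Yield every IPv4/IPv6 CIDR that a describe-security-groups rule grants."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_ingress(ip_permissions, admin_cidrs):
    """Return a list of findings; an empty list means the group matches the policy."""
    admin_nets = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1":
            findings.append("all protocols/ports allowed; only tcp 22, 80, 443, 3333 are expected")
            continue
        if proto != "tcp":
            findings.append(f"{proto} {lo}-{hi}: non-TCP ingress is not part of the SAT layout")
            continue
        ports = set(range(lo, hi + 1))
        unexpected = sorted(ports - PUBLIC_PORTS - ADMIN_PORTS)
        if unexpected:
            findings.append(f"tcp {lo}-{hi}: unexpected port(s) {unexpected[:5]}")
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            # A source is trusted only if it sits entirely inside an admin CIDR.
            from_admin = any(net.version == a.version and net.subnet_of(a) for a in admin_nets)
            for port in sorted(ports & ADMIN_PORTS):
                if not from_admin:
                    findings.append(f"tcp {port} reachable from {cidr}; restrict to admin CIDRs")
    return findings


# Constructed sample: shape matches `aws ec2 describe-security-groups` output.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Admin UI exposed to the Internet: should be flagged.
        {"IpProtocol": "tcp", "FromPort": 3333, "ToPort": 3333, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # SSH restricted to the admin range: acceptable.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # A port outside the documented layout: should be flagged.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}
ADMIN_CIDRS = ["203.0.113.0/24"]  # constructed admin range

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_SG["IpPermissions"], ADMIN_CIDRS):
        print("FINDING:", f)
```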
== 5. High availability (optional) ==
For multi-AZ active-active behind an Application Load Balancer with RDS Multi-AZ Postgres and ElastiCache Redis:
- CloudFormation: deploy/aws/cloudformation-ha.yaml
- Cloud Shell: deploy/aws/provision-ha.sh
- Runbook: docs/AWS_HA_DEPLOYMENT.md
HA patching helpers ship at:
- /opt/hailbytes/bin/ha-pre-patch-backup.sh
- /opt/hailbytes/bin/ha-post-patch-verify.sh
== 6. Backup & restore ==
- Export a full instance bundle (DB + uploads + config metadata): GET /api/instance/export -> .tar.gz
- Restore to a matching-version SAT host: POST /api/instance/import?confirm=replace-all-data=true
  The bundle records a SHA-256 fingerprint of the encryption key, so a host with the wrong key is rejected before any data is written.
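The key-fingerprint and matching-version checks described above, as an added example that is not HailBytes' own code. The bundle layout (a manifest.json beside the database dump inside the .tar.gz) and the manifest field names are assumptions made for this illustration; the sample key, version string and dump are constructed.

```python
"""Pre-restore compatibility check for an instance export bundle.

Illustrates the behaviour described in the usage instructions: the bundle
carries a SHA-256 fingerprint of the at-rest encryption key, and a host whose
key does not match (or whose schema version differs) refuses the import before
touching any data. Added example; bundle layout is an assumption.
"""
import hashlib
import hmac
import io
import json
import tarfile


def key_fingerprint(key: bytes) -> str:
    """SHA-256 hex digest of the encryption key; safe to store in a bundle."""
    return hashlib.sha256(key).hexdigest()


def build_bundle(schema_version: str, key: bytes, db_dump: bytes) -> bytes:
    """Build a constructed export bundle: manifest.json + db.sql in a .tar.gz."""
    manifest = {"schema_version": schema_version, "key_fingerprint": key_fingerprint(key)}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("manifest.json", json.dumps(manifest).encode()), ("db.sql", db_dump)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_bundle(bundle: bytes, local_key: bytes, local_schema_version: str) -> list:
    """Return the reasons an import must be refused; an empty list means proceed."""
    try:
        with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
            member = tar.extractfile("manifest.json")  # KeyError if absent
            manifest = json.load(member) if member else {}
    except (tarfile.TarError, KeyError, ValueError) as exc:
        return [f"bundle unreadable: {exc}"]
    problems = []
    if manifest.get("schema_version") != local_schema_version:
        problems.append(
            f"schema version {manifest.get('schema_version')!r} != host {local_schema_version!r}"
        )
    recorded = manifest.get("key_fingerprint", "")
    # Constant-time comparison; the fingerprint is a credential-derived value.
    if not hmac.compare_digest(recorded, key_fingerprint(local_key)):
        problems.append("encryption key fingerprint mismatch; host cannot decrypt this bundle")
    return problems


if __name__ == "__main__":
    key = b"\x01" * 32          # constructed sample key
    bundle = build_bundle("1.2077", key, b"-- constructed dump")
    print("same host:", check_bundle(bundle, key, "1.2077"))
    print("wrong key:", check_bundle(bundle, b"\x02" * 32, "1.2077"))
```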
== 7. Service operations ==
- Status: sudo systemctl status hailbytes-sat
- Logs: sudo journalctl -u hailbytes-sat -f
- Restart: sudo systemctl restart hailbytes-sat
If the UI is unreachable, wait 3 minutes after launch and confirm Security Group rules allow inbound 3333, 80, and 443.
== 8. Support ==
- Support portal: https://support.hailbytes.com (Entra ID SSO, SLA tracking, encrypted file storage, ticket dashboard)
- Email: support@hailbytes.com
- Documentation: https://hailbytes.com/sat/
For AWS-infrastructure issues (EC2, networking, SES, IAM), open a case through AWS Support on your account.
Support Resources
- Email: support@hailbytes.com
- Documentation: https://hailbytes.com/documentation/
- Product Page: https://hailbytes.com/sat/
- Support Plans: https://hailbytes.com/support-pricing/
Questions? Visit https://hailbytes.com or email sales@hailbytes.com
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
Standard contract
Customer reviews
Targeted campaigns have reduced phishing clicks and build ongoing employee awareness
What is our primary use case?
My main use case for Gophish is to run a phishing awareness campaign inside an organization in a safe and controlled way. For example, instead of waiting for a real attacker to send a fake email to employees, the company can simulate a phishing email using Gophish. The email may look legitimate or resemble a login alert, password reset request, an invoice, an HR notice, or a document sharing link. The goal is not to blame employees; the goal is to understand how many people may click the suspicious link and enter credentials or report the email to the security team. Based on the results, the company can train employees better to reduce their risk of a real phishing attack. Gophish helps the security team create an email template, landing pages, user groups, and campaigns, and it also shows useful reports such as who opened the email, who clicked the link, and who submitted the information. In simple terms, Gophish is the tool that helps the organization test employee awareness before the real attackers do.
In my recent campaign, we created a controlled email that looked like an internal password expiry notification. This message informed employees that their password was about to expire and asked them to click the link and verify their account. Some employees clicked it. Using Gophish, we created the email templates, added the target user groups, and connected to safe landing pages. The landing pages did not collect the real password; they were only used to track awareness and show training guidance. After sending the campaign, Gophish helped us measure how many users opened the email, clicked the link, and submitted the details. Based on the results, we identified which department needed more phishing awareness training. The main purpose was not to blame anyone; it was to understand employee behavior, reduce phishing risk, and help the company prepare better against a real attack.
One challenge I faced was the credential awareness simulation. We set up a phishing campaign where employees received an email that looked like a password expiry or account verification message. The landing page was only for awareness testing; we did not collect the real password or sensitive data. The outcome was useful because it showed which user or team is more likely to fall for phishing. Gophish is very useful because it turns security awareness into a practical exercise. Instead of just telling employees about phishing, we can safely show them how phishing works and help them learn from real-world style scenarios.
What is most valuable?
The best feature of Gophish is that it makes phishing simulation very simple and practical. First, it allows us to create realistic email templates. We can design emails resembling password reset alerts, HR notifications, invoice emails, document sharing, or account verification messages. Second, it supports landing pages, so when a user clicks the link, we can direct them to a safe awareness page or a simulated login page to understand their response. Gophish also allows landing pages to be created or imported and connected to each campaign. Another strong feature is campaign management, which is easy to manage. We can create user groups, select an email template, choose a landing page, configure the sending profile, and launch the campaign in a structured way. Another strong feature is tracking; Gophish helps us see who opened the email, who clicked the link, and who submitted the information during the campaign. This is very useful for measuring employee phishing awareness and risk levels.
Gophish has positively impacted my organization by increasing awareness among my employees. Before using security awareness training with Gophish, the phishing clicking rate was seventy-five percent; now it has reduced to twenty percent.
It takes us a month to see this improvement, and we train our employees on how phishing works and how attackers will deceive information from them. We also simulate this kind of activity through Gophish. After doing this, employees are getting awareness on phishing every month.
My most favorite features are landing pages and reporting because it is very useful for me to create a landing page, and we can track how employees behave regarding that link.
What needs improvement?
I believe Gophish can be improved in a few areas. First, the user interface could be made more modern and beginner-friendly. The current setup is simple, but for a new user, campaign creation, landing pages, and sending profiles can feel somewhat technical at first. Second, it would be helpful if Gophish added more built-in templates—for example, ready-made templates for HR emails, password expiry alerts, invoice scams, and cloud login alerts. This would save us time. The third area for improvement is reporting; reporting can be enhanced with more visual dashboards. It already shows opens, clicks, and submissions, but more detailed charts, risk scoring, department-wise comparison, and training progress would make it more useful for management reporting. My final suggestion is that built-in awareness training content would be a good improvement. After a user clicks a phishing link, Gophish could show short learning modules or a video explaining what mistake happened and how to avoid it next time. This could save some trainer's time explaining security awareness; it will alert users about what would happen if they click a link. Another useful improvement would be easier integration with tools like SIM, Slack, Teams, or email security gateways, which would help the security team connect phishing simulation results with their overall security monitoring. Overall, Gophish is very good for running phishing simulations, but it can become even better with improved UI, more templates, stronger reporting, and built-in training support.
If Gophish brings some ready-made templates or better visual reporting, it would be much better for us and should also make integration with all kinds of security tools like SIM or email security gateways easier.
For how long have I used the solution?
I have been using Gophish for more than four years.
What do I think about the stability of the solution?
Gophish is stable, but I find KnowBe4 to be better.
What do I think about the scalability of the solution?
Gophish is scalable enough for most phishing awareness campaigns, especially for small and medium-sized organizations. In our on-premises setup, scalability mainly depends on server resources, mail sending configuration, network capacity, and how many users we include in a campaign. If the campaign is planned properly, Gophish can handle multiple user groups, different templates, landing pages, and campaign tracking without major issues.
Gophish is scalable for most awareness campaigns, and since we use it on-premises, scalability depends on server resources, mail configuration, and targeted users. For larger campaigns, I prefer sending emails in batches instead of all at once to help with delivery, tracking, and performance. Overall, Gophish is stable and scalable, but for enterprise usage, it requires proper planning, monitoring, and infrastructure. If you are planning for a larger enterprise, I would suggest the KnowBe4 tool, not Gophish.
How are customer service and support?
I do not see any customer support for Gophish so far. I cannot rate customer support because I have not seen any support provided so far.
Which solution did I use previously and why did I switch?
Before using Gophish, we used KnowBe4, which is also similar to Gophish, but KnowBe4 has additional features, such as providing video training courses. If the user clicks the phishing link, they receive a banner stating, "You are hacked. You clicked the phishing link," which helps users understand why they clicked and what they clicked on.
How was the initial setup?
My experience with pricing, setup costs, and licensing shows that the setup cost is not very high; Gophish is completely free, as it is an open-source tool.
What was our ROI?
We have not saved time, but we have saved money because most suspicious links come from spam and junk mail attacking employees and the company's servers. Previously, my clicking rate was seventy-five percent, but it has reduced to twenty-five percent due to Gophish and our training.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup costs, and licensing shows that the setup cost is not very high; Gophish is completely free, as it is an open-source tool.
Which other solutions did I evaluate?
I can go with KnowBe4 as another option I evaluated.
What other advice do I have?
A good template helps measure whether employees can identify suspicious links, sender issues, and urgency-based messages, which has very much surprised me.
Regarding Gophish's AI capabilities, I see it mainly as a phishing simulation tool, not a fully-fledged AI platform. For governance and security, I believe the key is responsible and authorized use; campaigns should be approved, access should be limited, employee data must be protected, and results should be used for awareness training, not blaming people. If AI is used to create a template or analyze results, human review is important to ensure the content is safe, ethical, and aligned with company policy.
Gophish is reliable for tracking campaign results such as opens, clicks, and submissions, but it is not mainly an AI-based tool. If AI is used to generate a template or analyze results, I would not trust the output blindly. AI can be useful, but it should be treated as a draft; a human should review the content for accuracy, tone, company policy, and ethical use before launching any campaign.
I advise others looking into using Gophish to use it safely with authorization and permission from your company to avoid unauthorized access and misuse, as misuse could lead to severe consequences. I would rate this product nine out of ten.
Targeted phishing campaigns have strengthened employee awareness and helped reduce risky behaviors.
What is our primary use case?
My main use case for Gophish is running phishing simulation campaigns for multiple clients of different sizes. I have also used the Gophish API to automate certain phishing scenarios and integrate the tool into a cybersecurity awareness platform.
For example, I conducted a campaign for one of my clients to assess the maturity level and security awareness of their employees regarding phishing risks. We first defined the campaign objectives with the client, then selected the target audience, chose the scenario, and validated the landing page.
The selected scenario involved simulating an email from the HR department. We also reproduced a web page related to the client’s environment to make the exercise more realistic. The goal was to measure employee reactions, identify risky behaviors, and evaluate their overall level of awareness.
For this type of campaign, I use Gophish through its web interface, API, and campaign management features.
What is most valuable?
In my opinion, the best features of Gophish are recipient management, template creation, detailed reporting, and the API.
Recipient management makes it easy to organize target groups by client, department, user profile, or risk level. This helps prepare campaigns that are better adapted to each specific context.
The email and landing page templates are also very useful because they allow realistic and contextualized scenarios to be created. This level of customization makes campaigns more relevant and helps assess how users react to situations that are close to their real working environment.
I particularly appreciate the reporting capabilities, as they help measure campaign effectiveness and the client’s maturity level. Gophish provides key indicators such as email open rates, click rates, data submission rates, and behavioral changes across multiple campaign iterations.
The Gophish API is another strong feature. It makes it possible to automate several tasks, including campaign creation, email delivery, result collection, and integration with cybersecurity awareness platforms or other internal tools.
Another major advantage is that Gophish is open source and free, which makes it accessible, flexible, and easy to adapt to different organizational needs.
Gophish has had a positive impact on my work with several clients. For example, during an initial campaign, more than 70% of the targeted employees submitted data. After a contextualized awareness training session, we launched a similar campaign again, and the data submission rate decreased to around 40%. This improvement showed a clear increase in employee awareness and maturity regarding phishing risks.
What needs improvement?
Gophish is already an effective tool for running phishing simulation campaigns, but some features could be improved to better meet the needs of organizations and consulting firms.
The first area for improvement is reporting. The current reports are useful, but they could be enhanced with more advanced analytics, such as segmenting results by target audience, department, business unit, risk level, or campaign. This would make it easier to identify the most exposed groups, track maturity improvements over time, and generate reports that are better aligned with client expectations.
The second area for improvement is user and role management. In a consulting environment, it would be very useful to clearly separate access and responsibilities between managers, technical teams, and clients. For example, some users could have read-only access to campaign results, while others could create campaigns, manage templates, or administer the platform.
More advanced access control, with customizable profiles or roles, would make Gophish more suitable for multi-client environments and organizations with multiple stakeholders.
In my opinion, the two modules that should be prioritized in future versions are advanced reporting and user management. These improvements would increase the value of Gophish, especially for teams using it at scale or in a professional context with multiple clients.
For how long have I used the solution?
I have been using this solution for more than 3 years.
What do I think about the stability of the solution?
Yes, I consider Gophish to be a stable and reliable solution, especially for small and medium-sized companies. In this type of environment, the tool works very well when it is properly installed and configured.
For large enterprises or campaigns involving a high volume of users, stability depends more on the technical preparation. It is important to segment the target population into several groups in order to better control email delivery and avoid blocking or performance issues.
The SMTP server configuration also plays a key role. A poor configuration can lead to delivery delays, blocked emails, or incomplete results. However, with the right infrastructure, proper SMTP configuration, and a secure platform setup, Gophish remains stable and reliable even in larger environments.
Overall, my experience with Gophish in terms of stability has been very positive.
What do I think about the scalability of the solution?
I consider Gophish to be quite scalable, especially for small and medium-sized companies. In this type of environment, the tool is generally reliable, easy to deploy, and capable of managing phishing simulation campaigns effectively.
For large enterprises or environments with a high number of employees, however, campaign execution needs to be carefully planned. I recommend segmenting the target population into several groups, for example by department, business unit, location, or risk level. This helps better control email delivery, reduce the risk of blocking or overload, and produce more actionable results.
Scalability also depends on the infrastructure used to host Gophish, the SMTP configuration, the volume of emails being sent, and the client’s security controls. With proper technical preparation and appropriate segmentation, Gophish can be used effectively in larger environments.
How are customer service and support?
Gophish support is different from what you would expect from a commercial solution, as it is an open-source tool. Therefore, there is no traditional customer support with a dedicated team or formal service desk.
However, my experience has still been positive because the documentation is clear and detailed enough to resolve most issues. I have never needed to contact technical support, as the available guides and community resources helped me find the answers I needed.
In my opinion, Gophish is well suited for teams with some technical skills that can rely on documentation and community forums. For organizations that require official support, service-level commitments, or direct assistance, this may be a limitation to consider.
Which solution did I use previously and why did I switch?
I was not using a similar solution before adopting Gophish. We selected Gophish directly after conducting a comparative study more than three years ago.
At that time, we evaluated several competing solutions, although I no longer remember the exact names of the tools that were assessed. Gophish stood out for several reasons: it is open source, free to use, well documented, and relatively easy to install thanks to the available resources and community feedback.
Another important selection criterion was the availability of a fairly complete API. This allowed us to integrate Gophish with other internal tools and automate certain tasks related to cybersecurity awareness and phishing simulation campaigns.
In the end, we chose Gophish because it met our functional needs while offering an excellent balance between flexibility and cost.
How was the initial setup?
The initial setup of Gophish was generally quite straightforward, although I did face some difficulties at the beginning during the installation process.
These challenges were mainly related to the initial deployment and some configuration settings. However, after reviewing the documentation and using the resources available in community forums, the issues were resolved without major difficulty.
In my opinion, installing Gophish does not require highly advanced expertise, but it does require a solid technical foundation, especially in hosting, network configuration, SMTP setup, and securing access to the platform.
Overall, I would say that the initial setup is fairly accessible for someone with a technical background. It is important to read the documentation carefully, test the configuration before launching a campaign, and rely on the community resources when needed.
What was our ROI?
Yes, we have seen a return on investment with Gophish, mainly through licensing cost savings. Since Gophish is an open-source solution, there are no licensing fees, which is a significant advantage compared to some commercial solutions.
The main costs are related to hosting the platform, configuring it, and the time spent preparing, monitoring, and analyzing campaigns. Even with these operational costs, the overall cost remains controlled, especially in a multi-client context.
Another positive aspect of the ROI is the gradual improvement in employee awareness. By tracking campaign indicators such as click rates and data submission rates, it is possible to measure behavioral changes after awareness actions.
For example, in some campaigns, we observed a decrease in the data submission rate after contextualized awareness training. This shows that Gophish provides value not only from a cost perspective, but also by helping reduce risky behaviors.
What's my experience with pricing, setup cost, and licensing?
My experience with Gophish pricing, setup costs, and licensing has been very positive. Since Gophish is an open-source solution, there are no licensing fees or costs directly related to using the software.
The main costs to consider are related to hosting the platform, the required infrastructure, and the time spent on installation, configuration, maintenance, and administration.
In our case, the absence of licensing fees was a significant advantage, especially in a multi-client context. It allowed us to use a flexible and effective solution while keeping costs under control.
Which other solutions did I evaluate?
Before choosing Gophish, we evaluated several competing solutions as part of a comparative study. However, since this analysis was conducted more than three years ago, I no longer remember the exact names of the tools that were assessed.
The main comparison criteria were cost, ease of installation, availability of documentation, solution flexibility, integration capabilities, and the level of automation supported.
Gophish stood out mainly because it is open source, free to use, and well documented. The absence of licensing costs was an important advantage. The available documentation and community resources also made installation and onboarding easier.
Another major advantage of Gophish was its API, which provided enough capabilities to integrate it with our internal tools and automate certain stages of the campaigns, including preparation, execution, and result collection.
Compared with some commercial solutions, Gophish may require more configuration and administration effort. However, it offers greater flexibility, a much lower cost, and strong adaptability. This balance between cost, simplicity, flexibility, and integration capabilities was the main reason we selected Gophish.
What other advice do I have?
I would rate Gophish 9 out of 10.
My advice to organizations considering Gophish is to start by properly securing the platform installation. It is important to use HTTPS, protect access to the administration interface, and restrict access to authorized users only.
Before launching a phishing simulation campaign, it is also essential to clearly define the objectives, validate the scenario, run preliminary tests, and carefully select the target audience. An effective campaign should be contextualized and aligned with the organization’s maturity level.
I also recommend paying close attention to data management. Campaign results may contain sensitive information related to employees or clients. Therefore, it is better to limit data retention and delete campaign-related data after completion, in accordance with confidentiality requirements and internal policies.
Overall, Gophish is a very effective, flexible, and cost-efficient solution for running phishing awareness campaigns, provided that campaigns are properly prepared and the environment is securely configured.
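The review above recommends three things: secure the admin interface, measure click and data-submission rates to track awareness, and delete campaign data once the report is done, with the API used to automate preparation, execution and result collection. The following is an added example of how a practitioner could script that; it is not Gophish project code and not the reviewer's own tooling. It assumes the `admin_server`/`phish_server` keys of Gophish's `config.json`, the `GET /api/campaigns/{id}/results` and `DELETE /api/campaigns/{id}` endpoints, the result `status` strings and the `reported` flag as I understand the Gophish REST API; the sample config and results are constructed.

```python
"""Added example, not Gophish project code. Helpers for the advice in the review
above: audit config.json for an exposed or plaintext admin interface, turn the
results list from GET /api/campaigns/{id}/results into click and data-submission
rates, and a minimal client that creates a campaign, pulls results and deletes
the campaign afterwards. Endpoint paths, result "status" strings and the
"reported" flag are the Gophish REST API as I understand it; sample data is constructed."""
import json
import ssl
import urllib.request

# Gophish stores the furthest stage a target reached as the result's "status";
# reporting the mail sets a separate "reported" flag without changing the status.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def audit_config(cfg):
    """List config.json settings that weaken the deployment."""
    admin, phish = cfg.get("admin_server", {}), cfg.get("phish_server", {})
    host = admin.get("listen_url", "").rsplit(":", 1)[0]
    findings = []
    if not admin.get("use_tls", False):
        findings.append("admin_server.use_tls is false: logins and API keys travel in cleartext")
    if host not in ("127.0.0.1", "localhost", "[::1]"):
        findings.append(f"admin_server listens on '{host}': bind it to 127.0.0.1 and reach it "
                        "through a VPN, SSH tunnel or an authenticating reverse proxy")
    if not phish.get("use_tls", False):
        findings.append("phish_server.use_tls is false: landing pages are served over plain HTTP")
    return findings


def campaign_metrics(results):
    """Counts and rates; a target who submitted data also opened and clicked."""
    counts = dict.fromkeys(STAGES, 0)
    reported = 0
    for r in results:
        if r.get("status") in STAGES:
            for stage in STAGES[: STAGES.index(r["status"]) + 1]:
                counts[stage] += 1
        reported += bool(r.get("reported"))
    sent = counts["Email Sent"]

    def rate(n):
        return round(n / sent, 3) if sent else 0.0

    return {"sent": sent, "opened": counts["Email Opened"], "clicked": counts["Clicked Link"],
            "submitted": counts["Submitted Data"], "reported": reported,
            "click_rate": rate(counts["Clicked Link"]),
            "submission_rate": rate(counts["Submitted Data"])}


class GophishClient:
    """Minimal admin-API client: Bearer API key, JSON in and out, verified TLS."""

    def __init__(self, base_url, api_key, ca_file=None):
        self.base_url, self.api_key = base_url.rstrip("/"), api_key
        # Pin the admin server's (often self-signed) certificate instead of disabling verification.
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {self.api_key}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    @staticmethod
    def campaign_payload(name, template, page, smtp, group, url, launch_date):
        """Body for POST /api/campaigns/; template, page, profile and group are referenced by name."""
        return {"name": name, "template": {"name": template}, "page": {"name": page},
                "smtp": {"name": smtp}, "groups": [{"name": group}], "url": url,
                "launch_date": launch_date}

    def run_and_collect(self, campaign_id):
        """Pull results, compute metrics, then delete the campaign and its per-target data."""
        results = self.request("GET", f"/api/campaigns/{campaign_id}/results")["results"]
        metrics = campaign_metrics(results)
        self.request("DELETE", f"/api/campaigns/{campaign_id}")
        return metrics


# Constructed sample data shaped like config.json and a results response.
SAMPLE_CONFIG = {"admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": False},
                 "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": True}}
SAMPLE_RESULTS = ([{"status": "Email Sent", "reported": True}] + [{"status": "Email Sent"}] * 3
                  + [{"status": "Email Opened"}] * 2 + [{"status": "Clicked Link"}] * 2
                  + [{"status": "Submitted Data"}] * 2)

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("finding:", f)
    print(campaign_metrics(SAMPLE_RESULTS))
    # Live use (needs a running Gophish admin server and its API key):
    # client = GophishClient("https://127.0.0.1:3333", "API_KEY", ca_file="gophish_admin.crt")
    # cid = client.request("POST", "/api/campaigns/", client.campaign_payload(...))["id"]
    # print(client.run_and_collect(cid))
```

Archive the metrics, not the per-target results: once `run_and_collect` has returned, the campaign's names, addresses and submitted credentials are gone from the Gophish database, which is the retention posture the review argues for.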
Academic phishing simulations have deepened my social engineering skills and awareness training
What is our primary use case?
I used Gophish for a project last August, a phishing attack simulation, and I reused it recently because a student found the project I did on GitHub and wanted to do the same project, so he asked me some questions, and I reused it at that time.
My main use case for Gophish is in a phishing attack simulation project where the idea is to learn and understand social engineering and how to simulate phishing attacks when you're in a Red Team. I also created a slide deck that explains how to recognize a phishing attack, showing some of the results of the three campaigns, and then at the end, I provided some advice to people to avoid falling for those kinds of phishing attacks.
What is most valuable?
The best features that Gophish offers, the ones that impressed me the most during my use, are mainly two things. The fact of having templates makes the task easier instead of creating an email and copy-pasting for each person every time. Here, you can create campaigns and send them, and you can create a CSV file, for example, and send directly to all the people you list there, so it saves time.
Also, the dashboard gives a direct view of the clicks and the number of people who received the email, making it very illustrative and saving from having to compile the results manually, delivering them in Excel tables or whatever; it is directly visible in the application, and it is easier to read that way.
Gophish has had a positive impact on my learning and my academic path in cybersecurity as it allowed me to understand and go deeper into the concepts of social engineering and phishing attacks. It gave me experience because this is a project I completed and published on GitHub, and there were even other students who were interested and contacted me for information. This is a project that I added to my CV, and I am very happy, not just because I added it to my CV but because it allowed me to learn things.
What needs improvement?
In my opinion, Gophish could be improved to better meet my needs or those of other users, but I did not really encounter any problems, so I found the tool well designed. Since I did not use it in a real environment, I do not really know how it goes if you want to use real email addresses, so on that point, I cannot really give my opinion.
I do not really have any improvements in mind at the moment, but offering ready-made templates that we could use or examples of emails that we could directly use would be beneficial.
What do I think about the scalability of the solution?
Regarding Gophish's scalability, the maximum I did was three campaigns with 10 people per campaign, making 30 people. I did not test it with a larger number of people because it was just in an academic context, so I did not want to go beyond a lot of people.
Before using Gophish, I did not test other similar solutions; I chose Gophish because I had downloaded a list of cybersecurity projects to do, and among those projects, there was a phishing attack simulation project suggesting the use of Gophish. That is how I discovered Gophish, and I did not think about looking for or using other tools since Gophish met my needs.
How was the initial setup?
Regarding my use of Gophish in this academic context, I found it extremely easy to use; you do not need to be a technical person with special skills to be able to handle it. In maybe an hour or two, I understood how to use it, how to create templates, how it works with landing pages and dashboards. It is really useful and very easy to use, so I recommend it both for cybersecurity students like me and for security professionals.
What was our ROI?
I have noticed a return on investment in terms of time saved and skills acquired thanks to my use of Gophish. It is thanks to this tool that I was able to carry out these phishing attack simulations, understand how it works, see concrete results, and even make a small slide deck that explains this little project and includes advice that I might present in the future to some users.
What's my experience with pricing, setup cost, and licensing?
Regarding the price, setup cost, and licensing of Gophish, I do not remember having to pay to use it. It is a completely free tool if I am not mistaken. Unless there are features that were paid and that I did not choose, but as far as I remember, I did not pay anything.
What other advice do I have?
In my opinion, the one I found most interesting was the one from CROUS because generally when students arrive here in France and they see this, they have to pay quickly since phishing attacks usually use an urgent tone. Since these students are afraid of losing their CROUS housing, they might quickly pay, just click on the link and proceed with the payment without necessarily realizing that it is a scam, especially since generally, people who come from certain African countries do not really have this concept of scam and phishing.
The project is purely academic; I did it with fake email addresses that I managed with Mailpit. I created fake emails that do not exist, for people who do not exist, and I was the one who clicked on these emails myself, opened them, or accessed the links in the attachments of each email. Again, it was purely for academic purposes so I could learn because otherwise, with real email addresses, I cannot really do that, and also it is a bit complicated with Gmail. I preferred to do it with Mailpit and fake email addresses.
Regarding campaign management and the use of templates, Gophish's interface seemed very intuitive to me from the start; everything was clear and self-explanatory. You have buttons for each thing, and it does not really require super advanced knowledge; it is very easy to handle.
I do not have any particular advice for other people who want to use Gophish in an academic or professional context; I would tell them to go for this tool because it is really easy to get started with. You do not need to be an expert to use it, and it helps a lot with dashboards and templates. My overall rating for this product is 9 out of 10.
Practical phishing campaigns have raised staff awareness but still need more languages and SaaS access
What is our primary use case?
I create emails to raise employee awareness and send them to see if employees end up clicking. If they click, I reach out to them after finishing the campaign and conduct awareness work so they do not fall for phishing.
I configure Gophish within our Office 365 and proceed with the campaigns, sending emails similar to Microsoft's, emails similar to service providers', and I analyze the results. If someone falls for it, I then handle awareness together with that person.
What is most valuable?
I also consider the SMTP configuration of the server from which I send the emails to be a differentiator because it is very simple to do.
With Gophish, I am able to work in a more appropriate way on phishing awareness, and I am also able to make employees aware in an easy and appropriate way because they see how a phishing attack works in a real way. This allows them to become aware in a more practical way.
I did notice a measurable change as employees are more aware of phishing and the number of incidents has decreased because they now know how phishing works.
What needs improvement?
I rate it a seven because of the improvements I mentioned. I think if it were a SaaS platform and had more languages, including Brazilian Portuguese, it might be a ten.
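The academic review earlier on this page ran its campaigns against fictitious addresses captured by Mailpit rather than real mailboxes, and the review above notes how simple Gophish's SMTP configuration is. The following is an added example of wiring up that kind of offline lab; it is not Gophish or Mailpit project code and not either reviewer's own material. It assumes Gophish's CSV group import header (`First Name,Last Name,Email,Position`), the fields of a Gophish sending profile (`POST /api/smtp/`), Mailpit's default SMTP listener on port 1025 and its `GET /api/v1/messages` HTTP API, all as I understand the two tools; the target names, domain and sample Mailpit response are constructed.

```python
"""Added example, not Gophish or Mailpit project code. Builds a Gophish-importable
CSV of non-existent targets, a sending profile that points Gophish at a local
Mailpit SMTP sink instead of a real provider, and a delivery check against
Mailpit's HTTP API so that campaign metrics are only trusted once every target
actually received the mail. Mailpit API path/response shape and the Gophish
sending-profile fields are assumptions; names and sample messages are constructed."""
import csv
import io
import json
import urllib.request

FIRST = ["Ana", "Bruno", "Chloe", "David", "Emma"]
LAST = ["Martin", "Silva", "Nguyen", "Okafor", "Rossi"]


def fake_targets(n, domain="lab.invalid"):
    """Deterministic fictitious targets under a reserved (RFC 2606) domain that can never deliver."""
    out = []
    for i in range(n):
        first, last = FIRST[i % len(FIRST)], LAST[(i // len(FIRST)) % len(LAST)]
        out.append({"first": first, "last": last,
                    "email": f"{first.lower()}.{last.lower()}{i}@{domain}",
                    "position": "Staff"})
    return out


def targets_csv(targets):
    """Render targets in the column order Gophish's group import expects."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["First Name", "Last Name", "Email", "Position"])
    for t in targets:
        w.writerow([t["first"], t["last"], t["email"], t["position"]])
    return buf.getvalue()


def sending_profile(name, host, from_address, username="", password="", ignore_cert_errors=False):
    """Body for POST /api/smtp/ (a Gophish sending profile)."""
    return {"name": name, "interface_type": "SMTP", "host": host,
            "from_address": from_address, "username": username, "password": password,
            "ignore_cert_errors": ignore_cert_errors, "headers": []}


# Mailpit's default SMTP listener: no auth, no TLS, and nothing leaves the host.
MAILPIT_PROFILE = sending_profile("Lab (Mailpit)", "127.0.0.1:1025",
                                  "IT Support <it-support@lab.invalid>")


def delivered_to(messages, subject):
    """Recipient addresses that received a message carrying the campaign subject."""
    return {to["Address"].lower() for m in messages if m.get("Subject") == subject
            for to in m.get("To", [])}


def missing_targets(targets, messages, subject):
    """Targets that never reached the sink; run this before reading any click numbers."""
    got = delivered_to(messages, subject)
    return [t["email"] for t in targets if t["email"].lower() not in got]


def fetch_mailpit_messages(base_url="http://127.0.0.1:8025", limit=200):
    """Pull captured mail from Mailpit (assumed endpoint: GET /api/v1/messages)."""
    with urllib.request.urlopen(f"{base_url}/api/v1/messages?start=0&limit={limit}", timeout=10) as resp:
        return json.load(resp)["messages"]


# Constructed Mailpit-style response: two of three targets got the campaign mail.
SUBJECT = "Password expiry notice"
SAMPLE_TARGETS = fake_targets(3)
SAMPLE_MESSAGES = [
    {"Subject": SUBJECT, "To": [{"Address": SAMPLE_TARGETS[0]["email"]}]},
    {"Subject": SUBJECT, "To": [{"Address": SAMPLE_TARGETS[2]["email"]}]},
    {"Subject": "Unrelated", "To": [{"Address": SAMPLE_TARGETS[1]["email"]}]},
]

if __name__ == "__main__":
    print(targets_csv(SAMPLE_TARGETS))
    print(json.dumps(MAILPIT_PROFILE, indent=2))
    print("missing:", missing_targets(SAMPLE_TARGETS, SAMPLE_MESSAGES, SUBJECT))
    # Against a live lab: missing_targets(SAMPLE_TARGETS, fetch_mailpit_messages(), SUBJECT)
```

Swapping `MAILPIT_PROFILE` for a real relay is only a different `host`, `username` and `password` in `sending_profile`, which is why the SMTP step feels simple; the `.invalid` domain and the local sink are what keep a lab run from ever leaving the host.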
Targeted phishing simulations have strengthened security awareness and improved reporting rates
What is our primary use case?
My main use case for Gophish is phishing campaigns. A quick specific example of how I use Gophish for phishing campaigns is for security awareness and training.
I use it for tracking responses, ratings, and also analyze statistics regarding my main use case.
What is most valuable?
The best features Gophish offers are that it is user-friendly and easy to use. Its user-friendly interface helps me in my daily work by making setup quicker.
Gophish has impacted my organization positively in terms of security awareness. I have noticed fewer phishing incidents and more responses towards reporting phishing emails as specific improvements.
What needs improvement?
Including more templates would be nice, and it would be beneficial to elaborate more on the user manual on how to use Gophish as some users have been struggling in using the tool.
Gophish can be improved by elaborating more and including more screenshots in the user manuals and user instructions, to make installation easier for users. I think including more phishing templates would be a needed improvement. Other improvements Gophish needs include having the setup instructions be more detailed and clear.
For how long have I used the solution?
I have been using Gophish for more than one year.
What do I think about the stability of the solution?
In my experience, Gophish is stable.
What do I think about the scalability of the solution?
The scalability of Gophish is good.
How are customer service and support?
The customer support needs improvement.
Which solution did I use previously and why did I switch?
I previously used other solutions before Gophish, and I switched to it because it is open-source and easy to use, which saves us costs.
How was the initial setup?
I did not purchase Gophish through the AWS Marketplace; I have installed it manually, only as a server. It is easier to install compared to other simulating tools.
What was our ROI?
I have seen a return on investment in terms of time saved; building phishing campaigns is much more straightforward, and the setup was acceptable, but with more instructions on the user manual, that would be quicker.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is that overall, it was good compared to other competitors.
Which other solutions did I evaluate?
Before choosing Gophish, I evaluated options such as King Fisher, Evilginx, and the B4, but I found that Gophish was an open-source and readily available tool with very little costs and also the flexibility of using my own templates.
What other advice do I have?
Regarding Gophish's AI capabilities, I find its governance and security overall acceptable. Regarding Gophish's AI capabilities, I think the accuracy and reliability of output are good. I would recommend others looking into using Gophish to use it for performing their security awareness and campaigns because it is easier to install compared to other simulating tools.
Providing more details and videos on proper tutorials would be helpful. I found this interview to be good; it is well-calibrated and conducted effectively. I would rate this review an 8 out of 10.