
    HailBytes SAT - Enterprise Phishing Simulation Platform

    Sold by: HailBytes 
    Deployed on AWS
    Free Trial
    Enterprise phishing simulation platform. One-click AWS deployment with email integration, campaign management, and analytics.
    4.3

    Overview


    Deploy Enterprise Phishing Simulation in Minutes

    HailBytes SAT is a fully-managed, enterprise-grade phishing simulation platform that helps organizations test and improve their security awareness posture through realistic phishing campaigns.

    What You Get

    • Complete phishing simulation platform pre-configured and ready to use
    • AWS-integrated deployment with EC2, RDS MySQL (optional), and Amazon SES
    • Unlimited phishing campaigns with scheduling and automation
    • Advanced analytics dashboard with real-time metrics
    • Email template library with customization tools
    • Landing page designer for capturing credentials (training)
    • REST API for automation and integrations
    • Standard support included (3-5 day response) - upgrade available

    Perfect For

    • Security teams running regular awareness training campaigns
    • IT departments testing employee security awareness
    • Compliance teams meeting security training requirements
    • MSPs delivering phishing simulation services to clients
    • Organizations of 50-10,000+ employees

    Key Features

    Campaign Management

    • Create unlimited phishing campaigns
    • Schedule campaigns for optimal timing
    • Clone and reuse successful templates
    • Multi-campaign dashboard
    • Historical tracking and trending

    Email Capabilities

    • HTML email template designer
    • Dynamic personalization (name, position, department)
    • File attachments support
    • Automatic tracking pixels
    • Import from existing emails
    • Amazon SES integration for high deliverability

    Analytics & Reporting

    • Real-time campaign metrics
    • User interaction tracking (opens, clicks, data submission)
    • Detailed timeline views
    • Exportable reports (PDF, CSV)
    • Trend analysis across campaigns
    • Risk scoring by department/user

    Integration & Automation

    • Complete REST API
    • Webhook notifications
    • LDAP/Active Directory sync
    • SAML/SSO authentication
    • CI/CD integration support

    Pricing

    • $0.24 per vCPU/hour - Simple, transparent pricing
    • 2 vCPU minimum, 8GB memory - Right-sized for most organizations
    • ~$350/month starting cost - Database, storage, and networking included
    • 30-day free trial available - Test with no commitment
    • Standard support included - Professional and Enterprise support available as add-ons

    Deployment Details

    Infrastructure Included

    • Compute: EC2 instance (t3.medium or larger)
    • Database: RDS MySQL (optional) (DB included in VM)
    • Email: Amazon SES integration (separate SES costs apply)
    • Storage: EBS volumes for data persistence
    • Networking: VPC, security groups, load balancer optional

    Setup Time

    • 5-10 minutes automated CloudFormation deployment
    • Pre-configured security groups and IAM roles
    • Production-ready out of the box
    • Fully managed infrastructure

    Security & Compliance

    • SOC 2 Type II compliant infrastructure
    • Data encryption at rest and in transit
    • Private VPC deployment
    • Customizable security groups
    • Audit logging enabled
    • GDPR/CCPA compliant data handling

    Why HailBytes SAT?

    vs. SaaS Phishing Platforms

    • 50-70% cost savings vs. KnowBe4, Proofpoint, or Cofense
    • Complete data ownership - all data stays in your AWS account
    • No per-user licensing - unlimited users included
    • Full customization - modify templates, workflows, branding

    Getting Started

    1. Subscribe on AWS Marketplace (uses your AWS committed spend)
    2. Deploy using our CloudFormation template (5-10 minutes)
    3. Configure your first campaign using our template library
    4. Launch and monitor results in real-time

    Technical Requirements

    • AWS account with EC2, RDS, SES permissions
    • Minimum: 2 vCPUs, 8GB RAM
    • Recommended: 4-8 vCPUs for large organizations (500+ employees)

    Highlights

    • One-click AWS deployment
    • Unlimited phishing campaigns with advanced analytics
    • 30-day free trial with Standard support included

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    Ubuntu 24.04


    Pricing

    Free trial

    Try this product free for 30 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (5)

    Dimension: cost per hour

    • m4.large (Recommended): $0.48
    • t3.xlarge: $0.48
    • t3.large: $0.48
    • t3.medium: $0.48
    • t3.2xlarge: $0.48

    Vendor refund policy

    Contact us at david@hailbytes.com if you're unhappy with this product for any reason and we'll resolve your issue.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    HailBytes SAT v1.2077 - May 20, 2026

    This release expands identity and compliance capabilities, adds multi-channel phishing simulation, broadens integration coverage, and modernizes the platform foundation.

    Identity and access management adds SCIM 2.0 provisioning for automated user lifecycle, SAML and OIDC SSO with Microsoft Entra ID, Google, and Okta (including OIDC discovery), plus MFA/TOTP and tenant-aware admin workflows.

    Compliance and reporting introduces compliance framework mapping across 20 modules covering PCI-DSS, HIPAA, SOC 2, ISO 27001, and LATAM frameworks. New evidence packs and signed PDF certificates of completion support audit needs. Remedial training assignment with repeat-offender risk scoring, historical risk snapshots, and trend reporting round out the reporting improvements.

    Phishing and training expands beyond email with Twilio-powered SMS (smishing) and voice (vishing) simulations, QR-code lures, and AutoPhish template/page/group pools. New role-based training tracks for developers, finance, healthcare, and executive audiences include recurring campaigns, quiz tracking, and certificates. The built-in module and template library has been expanded.

    Multi-tenant and MSP capabilities add cross-tenant rollups for activity, risk, and engagement across customer environments, plus system-level library flags and cloned-template governance.

    SIEM and ticketing integrations add Microsoft Sentinel and Splunk for SIEM forwarding, and ServiceNow, Jira, and PagerDuty for ticketing workflows.

    Email security integrations add Microsoft 365 Advanced Delivery and Google Workspace simulation support, plus Proofpoint TAP and Mimecast compatibility. User-reported phishing introduces an Outlook add-in, Gmail phish-report ingest, and a phishing-report slash command.

    Data export adds scheduled exports to Amazon S3, Azure Blob Storage, and SFTP destinations.

    Platform and operations modernizes the frontend with ES modules bundled via webpack and a Vitest unit-test harness, replacing the legacy gulp pipeline. Self-hosted opt-in analytics replace Mixpanel via a first-party event pipeline. Spanish and Brazilian Portuguese localization is now supported. Instance export and import enables backups and high-availability patching parity. An automated release pipeline publishes from main with generated patch notes, and first-time admin onboarding is smoother.

    Upgrade notes: PostgreSQL is the only supported database engine. Migrations run automatically on startup; back up your PostgreSQL data before upgrading. Analytics remain opt-in and collect no data unless explicitly enabled.

    Additional details

    Usage instructions

    HailBytes Security Awareness Training - v1.2077

    == 1. First boot (2-3 minutes) ==

    After launching the AMI, allow 2-3 minutes for hailbytes-sat, nginx, and PostgreSQL to initialize.

    1. SSH in: ssh -i your-key.pem ubuntu@<public-ip>
    2. The auto-generated admin password is printed in the SSH login banner and stored at /home/ubuntu/hailbytes-sat-initial-credentials.txt (delete after first login).
    3. Open the admin UI: https://<public-ip>:3333
    4. Log in as "admin" with that password. You will be forced to set a new password and are strongly encouraged to enable TOTP MFA on first login.
    5. Verify the service:
           curl -k https://<public-ip>:3333/api/ready
           curl -k https://<public-ip>:3333/api/instance/schema-version

    == 2. Launch your first campaign ==

    1. Sending Profile - add an SMTP profile (AWS SES recommended). Use the in-app email-warming guide to ramp sender reputation gradually.
    2. Email Template - HTML editor with variable substitution: {{.FirstName}} {{.LastName}} {{.Email}} {{.Position}} {{.URL}} {{.RID}}.
    3. Landing Page - build a credential-capture or training page, or clone an existing site via the import URL field.
    4. Target Group - add recipients manually, import via CSV, or sync from LDAP / Active Directory / SCIM 2.0.
    5. Campaign - select template, landing page, sending profile, and targets; schedule or send immediately.
    6. Results - opens, clicks, submissions, and user-reported phish appear in real time. Export CSV or push events to SIEM via webhook.

    == 3. AWS SES integration ==

    1. Verify your sending domain in AWS SES.
    2. Move SES out of sandbox (request production access).
    3. In SAT, create a Sending Profile:
           Host: email-smtp.<region>.amazonaws.com
           Port: 587 (STARTTLS)
           Auth: your SES SMTP credentials
    4. Send a test email, then ramp volume per the warming guide. EU customers: us-east-1 SES is not GDPR-appropriate -- use eu-west-1 or eu-central-1.

    == 4. Network & security ==

    • Admin UI: TCP 3333 (HTTPS) - restrict by Security Group to admin IPs.
    • Phish srv: TCP 80/443 (nginx, SSL/TLS) - open to the public Internet.
    • SSH: TCP 22, key-only auth - restrict by Security Group.
    • AES-256-GCM at rest for all PII; key in /etc/hailbytes-sat/.
    • Comprehensive audit logging with IP and user-agent tracking.
    • UFW blocks all other ports by default.
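The exposure rules in this list can be checked against a deployed security group. The following is an added example, not HailBytes code: it audits the `IpPermissions` list in the shape returned by `aws ec2 describe-security-groups`, and the sample rules and the admin range `203.0.113.0/24` are constructed for illustration.

```python
import ipaddress

# Policy from the list above: True = meant to be reachable from the Internet.
POLICY = {80: True, 443: True, 3333: False, 22: False}

# Constructed sample: ingress rules as they appear under "IpPermissions".
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3333, "ToPort": 3333,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # admin UI left open
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "198.51.100.0/24"}]},
]
ADMIN_CIDRS = ["203.0.113.0/24"]   # assumed admin network (documentation range)


def audit(ip_permissions, admin_cidrs):
    """Return a sorted list of findings for rules that break POLICY.

    Only CIDR sources are checked; rules that reference another security
    group (UserIdGroupPairs) are not evaluated here.
    """
    admin = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # all protocols, all ports
            lo, hi = 0, 65535
        elif proto in ("tcp", "6"):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue                            # UDP/ICMP: outside this check
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # Anything other than a single documented port is unexpected.
            if not (lo == hi and lo in POLICY):
                findings.add(f"ports {lo}-{hi} from {cidr}: not limited to one documented port")
            for port, public_ok in POLICY.items():
                if public_ok or not lo <= port <= hi:
                    continue
                if net.prefixlen == 0:
                    findings.add(f"tcp/{port} from {cidr}: open to the Internet")
                elif not any(net.version == a.version and net.subnet_of(a) for a in admin):
                    findings.add(f"tcp/{port} from {cidr}: not within an admin range")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(SAMPLE, ADMIN_CIDRS):
        print(line)
```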

    == 5. High availability (optional) ==

    For multi-AZ active-active behind an Application Load Balancer with RDS Multi-AZ Postgres and ElastiCache Redis:

    • CloudFormation: deploy/aws/cloudformation-ha.yaml
    • Cloud Shell: deploy/aws/provision-ha.sh
    • Runbook: docs/AWS_HA_DEPLOYMENT.md

    HA patching helpers ship at:
        /opt/hailbytes/bin/ha-pre-patch-backup.sh
        /opt/hailbytes/bin/ha-post-patch-verify.sh

    == 6. Backup & restore ==

    • Export a full instance bundle (DB + uploads + config metadata): GET /api/instance/export -> .tar.gz
    • Restore to a matching-version SAT host: POST /api/instance/import?confirm=replace-all-data=true

    The bundle records a SHA-256 fingerprint of the encryption key so a host with the wrong key is rejected before any data is written.
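The verify-before-write ordering described for restore can be sketched as follows. This is an added example, not HailBytes code: the bundle layout (a `manifest.json` member with a `key_sha256` field), the in-memory `store`, and the keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import json
import tarfile

MANIFEST = "manifest.json"  # assumed member name, not the product's documented layout

# Constructed 256-bit keys standing in for the host's at-rest encryption key.
KEY_A = bytes(range(32))
KEY_B = bytes(32)


class KeyMismatch(Exception):
    """Raised before anything is written when the bundle does not match the local key."""


def key_fingerprint(key: bytes) -> str:
    # SHA-256 of a random 256-bit key identifies the key without revealing it.
    return hashlib.sha256(key).hexdigest()


def build_bundle(key: bytes, files: dict) -> bytes:
    """Build a constructed .tar.gz bundle in memory: manifest plus data files."""
    manifest = json.dumps({"key_sha256": key_fingerprint(key)}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in {MANIFEST: manifest, **files}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore(bundle: bytes, local_key: bytes, store: dict) -> list:
    """Replace the contents of `store` with the bundle, but only after the
    recorded key fingerprint matches the local key. Returns restored names."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        try:
            manifest = json.load(tar.extractfile(MANIFEST))
        except KeyError:
            raise KeyMismatch("bundle has no manifest") from None
        if not isinstance(manifest, dict):
            raise KeyMismatch("manifest is not an object")
        recorded = str(manifest.get("key_sha256", "")).encode()
        # Constant-time comparison; fail closed before touching existing data.
        if not hmac.compare_digest(recorded, key_fingerprint(local_key).encode()):
            raise KeyMismatch("bundle was exported under a different encryption key")
        # Stage everything in memory first so a corrupt archive cannot leave
        # the store half-replaced.
        staged = {m.name: tar.extractfile(m).read()
                  for m in tar.getmembers()
                  if m.isfile() and m.name != MANIFEST}
    store.clear()
    store.update(staged)
    return sorted(staged)


if __name__ == "__main__":
    live = {"existing": b"keep"}
    bundle = build_bundle(KEY_A, {"db.sql": b"-- constructed dump"})
    try:
        restore(bundle, KEY_B, live)
    except KeyMismatch as exc:
        print("rejected:", exc, "| store untouched:", live)
    print("restored:", restore(bundle, KEY_A, live))
```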

    == 7. Service operations ==

    • Status: sudo systemctl status hailbytes-sat
    • Logs: sudo journalctl -u hailbytes-sat -f
    • Restart: sudo systemctl restart hailbytes-sat

    If the UI is unreachable, wait 3 minutes after launch and confirm Security Group rules allow inbound 3333, 80, and 443.

    == 8. Support ==

    Resources

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Overview

    AI generated from product descriptions
    Campaign Management and Scheduling
    Supports creation of unlimited phishing campaigns with scheduling, cloning of templates, multi-campaign dashboard, and historical tracking with trend analysis capabilities.
    Email Template and Personalization
    Includes HTML email template designer with dynamic personalization using name, position, and department fields, file attachment support, automatic tracking pixels, and Amazon SES integration for email delivery.
    Analytics and Reporting
    Provides real-time campaign metrics with user interaction tracking including opens, clicks, and data submission, detailed timeline views, exportable reports in PDF and CSV formats, and risk scoring by department or user.
    Integration and Automation
    Offers complete REST API with webhook notifications, LDAP/Active Directory synchronization, SAML/SSO authentication, and CI/CD integration support.
    Security and Compliance
    Implements SOC 2 Type II compliant infrastructure with data encryption at rest and in transit, private VPC deployment, customizable security groups, audit logging, and GDPR/CCPA compliant data handling.
    AI-Driven Threat Detection
    Utilizes artificial intelligence to detect and prevent advanced email attacks, phishing, credential theft, ransomware, business email compromise, and cloud account takeover threats.
    Unified Cross-Channel Visibility
    Provides centralized dashboard with holistic view of user interaction and threat telemetry across cloud, email, endpoint, and web channels in a cloud-native interface.
    Automated Incident Response
    Enables automated remediation and consistent, scalable incident response to sophisticated email attacks with reduced manual triage requirements.
    Behavioral and Content Analysis
    Correlates user activity, behavior patterns, and content analysis with threat intelligence and data movement to identify and prevent data loss and insider threats in real time.
    Data Protection and Privacy Controls
    Implements anonymization of user data, content snippet masking, and regional data residency management to protect user privacy while defending against data loss scenarios.
    Penetration Testing Service
    Penetration Testing as a Service (PTaaS) platform combining security professionals with AI and automation, delivering 50+ pentest types with streamlined workflows and accelerated remediation.
    Attack Surface Management
    Continuous visibility into internal and external attack surfaces with capabilities to discover unknown assets, identify exposure gaps, and prioritize remediation based on real-world risk contextualization.
    Red Team and Adversary Simulation
    Red team engagements simulating real-world adversaries to test people, processes, and technology, chaining vulnerabilities across identity, application, cloud, and infrastructure layers to demonstrate breach scenarios.
    Specialized Security Assessment Teams
    Dedicated teams specializing in application, cloud, infrastructure, identity, and mainframe security with proprietary testing frameworks and tooling for deeper technical validation.
    AI-Accelerated Security Workflows
    AI-accelerated platform experience enabling critical security workflows with reduced complexity, translating vulnerabilities into business and regulatory risk insights with real-time reporting and remediation guidance.

    Customer reviews

    Ratings and reviews

    4.3 (22 ratings)

    • 5 star: 50%
    • 4 star: 45%
    • 3 star: 0%
    • 2 star: 5%
    • 1 star: 0%

    8 AWS reviews | 14 external reviews
    External reviews are from PeerSpot.

    Faiza Haddadi

    Academic phishing simulations have deepened my social engineering skills and awareness training

    Reviewed on Jun 16, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I used Gophish for a project last August, a phishing attack simulation, and I reused it recently because a student found the project I did on GitHub and wanted to do the same project, so he asked me some questions, and I reused it at that time.

    My main use case for Gophish is in a phishing attack simulation project where the idea is to learn and understand social engineering and how to simulate phishing attacks when you're in a Red Team. I also created a slide deck that explains how to recognize a phishing attack, showing some of the results of the three campaigns, and then at the end, I provided some advice to people to avoid falling for those kinds of phishing attacks.

    What is most valuable?

    The best features that Gophish offers, the ones that impressed me the most during my use, are mainly two things. The fact of having templates makes the task easier instead of creating an email and copy-pasting for each person every time. Here, you can create campaigns and send them, and you can create a CSV file, for example, and send directly to all the people you list there, so it saves time.

    Also, the dashboard gives a direct view of the clicks and the number of people who received the email, making it very illustrative and saving from having to compile the results manually, delivering them in Excel tables or whatever; it is directly visible in the application, and it is easier to read that way.

    Gophish has had a positive impact on my learning and my academic path in cybersecurity as it allowed me to understand and go deeper into the concepts of social engineering and phishing attacks. It gave me experience because this is a project I completed and published on GitHub, and there were even other students who were interested and contacted me for information. This is a project that I added to my CV, and I am very happy, not just because I added it to my CV but because it allowed me to learn things.

    What needs improvement?

    In my opinion, Gophish could be improved to better meet my needs or those of other users, but I did not really encounter any problems, so I found the tool well designed. Since I did not use it in a real environment, I do not really know how it goes if you want to use real email addresses, so on that point, I cannot really give my opinion.

    I do not really have any improvements in mind at the moment, but offering ready-made templates that we could use or examples of emails that we could directly use would be beneficial.

    For how long have I used the solution?

    This is my first year of my master's degree, and I have a bachelor's degree in computer science, so three years in general computer science, and this is my first year specializing in cybersecurity.

    What do I think about the stability of the solution?

    I have not noticed Gophish being unstable during my use; I did not encounter any bugs or unexpected interruptions during my projects.

    What do I think about the scalability of the solution?

    Regarding Gophish's scalability, the maximum I did was three campaigns with 10 people per campaign, making 30 people. I did not test it with a larger number of people because it was just in an academic context, so I did not want to go beyond a lot of people.

    How are customer service and support?

    I did not really encounter any specific problems with Gophish's customer support or online documentation; I found it rather easy to use.

    Which solution did I use previously and why did I switch?

    Before using Gophish, I did not test other similar solutions; I chose Gophish because I had downloaded a list of cybersecurity projects to do, and among those projects, there was a phishing attack simulation project suggesting the use of Gophish. That is how I discovered Gophish, and I did not think about looking for or using other tools since Gophish met my needs.

    How was the initial setup?

    Regarding my use of Gophish in this academic context, I found it extremely easy to use; you do not need to be a technical person with special skills to be able to handle it. In maybe an hour or two, I understood how to use it, how to create templates, how it works with landing pages and dashboards. It is really useful and very easy to use, so I recommend it both for cybersecurity students like me and for security professionals.

    What about the implementation team?

    My university does not have a commercial relationship with the vendor of Gophish other than as a user; we are not a partner or anything like that. This is a personal project that I developed by myself to improve my skills, but there is no partnership with the university.

    What was our ROI?

    I have noticed a return on investment in terms of time saved and skills acquired thanks to my use of Gophish. It is thanks to this tool that I was able to carry out these phishing attack simulations, understand how it works, see concrete results, and even make a small slide deck that explains this little project and includes advice that I might present in the future to some users.

    What's my experience with pricing, setup cost, and licensing?

    Regarding the price, setup cost, and licensing of Gophish, I do not remember having to pay to use it. It is a completely free tool if I am not mistaken. Unless there are features that were paid and that I did not choose, but as far as I remember, I did not pay anything.

    What other advice do I have?

    In my opinion, the one I found most interesting was the one from CROUS because generally when students arrive here in France and they see this, they have to pay quickly since phishing attacks usually use an urgent tone. Since these students are afraid of losing their CROUS housing, they might quickly pay, just click on the link and proceed with the payment without necessarily realizing that it is a scam, especially since generally, people who come from certain African countries do not really have this concept of scam and phishing.

    The project is purely academic; I did it with fake email addresses that I managed with Mailpit. I created fake emails that do not exist, for people who do not exist, and I was the one who clicked on these emails myself, opened them, or accessed the links in the attachments of each email. Again, it was purely for academic purposes so I could learn because otherwise, with real email addresses, I cannot really do that, and also it is a bit complicated with Gmail. I preferred to do it with Mailpit and fake email addresses.

    Regarding campaign management and the use of templates, Gophish's interface seemed very intuitive to me from the start; everything was clear and self-explanatory. You have buttons for each thing, and it does not really require super advanced knowledge; it is very easy to handle.

    I do not really have any improvements in mind at the moment, but offering ready-made templates that we could use or examples of emails that we could directly use would be beneficial.

    I do not have any particular advice for other people who want to use Gophish in an academic or professional context; I would tell them to go for this tool because it is really easy to get started with. You do not need to be an expert to use it, and it helps a lot with dashboards and templates. My overall rating for this product is 9 out of 10.

    VINICIUS DA SILVA

    Practical phishing campaigns have raised staff awareness but still need more languages and SaaS access

    Reviewed on Jun 12, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Gophish is for employee awareness within the company, and I use it for phishing campaigns.

    I create emails to raise employee awareness and send them to see if employees end up clicking. If they click, I reach out to them after finishing the campaign and conduct awareness work so they do not fall for phishing.

    I configure Gophish within our Office 365 and proceed with the campaigns, sending emails similar to Microsoft's, emails similar to service providers', and I analyze the results. If someone falls for it, I then handle awareness together with that person.

    What is most valuable?

    The main point of Gophish is the automated sending, as I can send to several email addresses at once by uploading a list of emails.

    I also consider the SMTP configuration of the server from which I send the emails to be a differentiator because it is very simple to do.

    With Gophish, I am able to work in a more appropriate way on phishing awareness, and I am also able to make employees aware in an easy and appropriate way because they see how a phishing attack works in a real way. This allows them to become aware in a more practical way.

    I did notice a measurable change as employees are more aware of phishing and the number of incidents has decreased because they now know how phishing works.

    What needs improvement?

    Gophish can be improved by adding more languages and maybe a web version for it, a SaaS platform.

    I rate it a seven because of the improvements I mentioned. I think if it were a SaaS platform and had more languages, including Brazilian Portuguese, it might be a ten.

    For how long have I used the solution?

    I have been using Gophish for around three years.

    What do I think about the stability of the solution?

    Gophish is stable.

    What do I think about the scalability of the solution?

    Gophish's scalability is good today and does not cause problems, and I can work with it.

    How are customer service and support?

    I have never needed to use Gophish's customer support.

    Which solution did I use previously and why did I switch?

    I did not use another solution and only use Gophish.

    How was the initial setup?

    My experience with pricing, setup costs, and licensing has been great. There are no costs since Gophish is publicly licensed software, and it was easy to implement because there are no costs.

    What about the implementation team?

    We do not have any business relationship with this vendor besides being a customer.

    What was our ROI?

    I have gotten a return on investment.

    What's my experience with pricing, setup cost, and licensing?

    There are no costs since Gophish is publicly licensed software, and it was easy to implement because there are no costs.

    Which other solutions did I evaluate?

    I evaluated some options on the market before choosing Gophish, but the cost was very high. I chose Gophish because it has a relatively low cost and features that are more appropriate for what I need on a daily basis.

    What other advice do I have?

    My advice to others who are thinking about using Gophish is to use it because it is a very practical tool for running phishing tests, it is very easy to configure, and it is free. I would rate this product a seven out of ten.

    reviewer2850027

    Targeted phishing simulations have strengthened security awareness and improved reporting rates

    Reviewed on Jun 09, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Gophish is phishing campaigns. A quick specific example of how I use Gophish for phishing campaigns is for security awareness and training.

    I use it for tracking responses, ratings, and also analyze statistics regarding my main use case.

    What is most valuable?

    The best features Gophish offers are that it is user-friendly and easy to use. Its user-friendly interface helps me in my daily work by making setup quicker.

    Gophish has impacted my organization positively in terms of security awareness. I have noticed fewer phishing incidents and more responses towards reporting phishing emails as specific improvements.

    What needs improvement?

    Including more templates would be nice, and it would be beneficial to elaborate more on the user manual on how to use Gophish as some users have been struggling in using the tool.

    Gophish can be improved by elaborating more and putting more screenshots in providing user manuals and user instructions for users to make installation easier. I think including more phishing templates would be a needed improvement. Other improvements Gophish needs include having the setup instructions be more detailed and clear.

    For how long have I used the solution?

    I have been using Gophish for more than one year.

    What do I think about the stability of the solution?

    In my experience, Gophish is stable.

    What do I think about the scalability of the solution?

    The scalability of Gophish is good.

    How are customer service and support?

    The customer support needs improvement.

    Which solution did I use previously and why did I switch?

    I previously used other solutions before Gophish, and I switched to it because it is open-source and easy to use, which saves us costs.

    How was the initial setup?

    I did not purchase Gophish through the AWS Marketplace; I have installed it manually, only as a server. It is easier to install compared to other simulating tools.

    What was our ROI?

    I have seen a return on investment in terms of time saved; building phishing campaigns is much more straightforward, and the setup was acceptable, but with more instructions on the user manual, that would be quicker.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing is that overall, it was good compared to other competitors.

    Which other solutions did I evaluate?

    Before choosing Gophish, I evaluated options such as King Fisher, Evilginx, and the B4, but I found that Gophish was an open-source and readily available tool with very little costs and also the flexibility of using my own templates.

    What other advice do I have?

    Regarding Gophish's AI capabilities, I find its governance and security overall acceptable. Regarding Gophish's AI capabilities, I think the accuracy and reliability of output are good. I would recommend others looking into using Gophish to use it for performing their security awareness and campaigns because it is easier to install compared to other simulating tools.

    Providing more details and videos on proper tutorials would be helpful. I found this interview to be good; it is well-calibrated and conducted effectively. I would rate this review an 8 out of 10.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)

    Alaaeddine Elhaoua

    Targeted phishing simulations have improved staff awareness and provide measurable risk insights

    Reviewed on May 31, 2026
    Review provided by PeerSpot

    What is our primary use case?

    Our company offers a service for clients to test their employees' abilities to detect phishing emails. Companies from government or private sector come to us expressing concerns that their employees might fall for phishing attacks. We then test them and afterwards provide training on how to spot these phishing attacks. To facilitate this testing, we utilize our own platform developed using Gophish as the simulator for these phishing attacks.

    Setting up a phishing simulation for a client using Gophish  typically starts with defining the objectives of the client, which varies from one client to another. We determine if we are testing awareness of credential harvesting, malicious links, or attachment-based attacks. After figuring that out, we create the target user groups, design or customize the phishing email template, and configure a landing page that simulates the intended scenario. We then set up the sending profile, schedule the campaign, and launch it to the selected users. During the campaigns, Gophish allows us to gather data that we visualize using our own platform, including interactions, how many people opened the email, who opened it, how many clicked the phishing link, how many reported the email as phishing, and how many submitted their credentials. We can even see those credentials to ensure that the submission is genuine, as sometimes individuals realize it is phishing and enter dummy credentials. After completing the campaign, we analyze the results, identify trends and high-risk groups, and provide a report, as our platform features automated reports with graphs and recommendations for awareness training opportunities for our clients.

    What is most valuable?

    In our workflow, Gophish serves as the core phishing simulation engine, and we build additional functionality around it to meet client requirements. It handles campaign creation, email delivery, landing pages, and tracking reliably, allowing us to focus on reporting, campaign management, user experience, and client-specific features. Its API and flexibility make it easy to integrate into a broader security awareness platform, which helps streamline campaign execution and reporting for both us and our clients.

    Some of the best features Gophish offers include easy campaign creation with customizable email templates and landing pages, detailed tracking and reporting, including email opens, link clicks, credential submissions, and reported emails. Additionally, we can see what device users employed, for instance, whether they used an iPhone, mobile phone, or laptop, and which browser they used. This information helps us understand which browsers can open such emails while others may detect phishing attempts and block them. Other good features include user and group management, RESTful API support, well-documented processes, scheduled campaign management, the open-source aspect, high customizability, and simple deployment and administration.

    The feature I rely on most and find most valuable in my day-to-day work is Gophish's reporting and tracking capability. Being able to see who opened an email, clicked a link, submitted credentials, or reported a phishing attempt provides clear and measurable insights into the organization's security awareness. These metrics help demonstrate risk levels, identify areas needing additional training, and show improvements over time. For example, if we conduct one campaign with a client, then provide training for those who failed, we can later run another campaign and evaluate who has improved or who still needs help. These metrics again assist in demonstrating risk levels, identifying training needs, and tracking improvements, making simulations much more actionable than merely sending test emails.

    What needs improvement?

    While I mentioned that one of the best features of Gophish is its reporting and analytics capabilities, I believe it requires more focus to become even better. The built-in reports offer essential metrics, but organizations often need more advanced dashboards, trend analysis, benchmarking, and executive-level reporting. Another improvement would be deeper integration with security awareness training platforms so users who fail simulations can be automatically enrolled in relevant training, which is what we do with our own platform. However, if this feature were part of basic Gophish, more users would have access to such functionality.

    For how long have I used the solution?

    I have been using Gophish for a bit over a year now.

    What do I think about the stability of the solution?

    Gophish is stable and very reliable, and it has never let us down.

    What do I think about the scalability of the solution?

    Gophish's scalability is good for small to medium-sized organizations and typical phishing awareness programs. It can manage multiple campaigns, user groups, and an increasing number of participants when deployed on appropriately sized infrastructure.

    How are customer service and support?

    We have never had to reach out for customer support due to the excellent documentation available for Gophish.

    Which solution did I use previously and why did I switch?

    Gophish was the first solution we adopted.

    How was the initial setup?

    Gophish integrates well with other tools in our environment because it provides RESTful APIs, allowing campaign data, results, and user information to be exchanged with external systems. We use it as our phishing simulation engine while integrating it with our custom dashboards, reporting workflows, and user management processes. This flexibility makes it easier to incorporate Gophish into a broader security awareness and reporting ecosystem, aligning with our working methods.

    It was very easy for our team to learn and adopt Gophish due to its straightforward interface and clear workflow for creating campaigns, managing user groups, and reviewing results. Most team members achieved productivity with minimal training thanks to the excellent documentation and well-documented APIs, making it accessible with just a little reading.

    What was our ROI?

    Regarding return on investment, there is not a typical ROI since Gophish is free and accessible to anyone. The investment is mainly in the time and effort required to learn and integrate it into systems. In terms of relevant metrics, it does not reduce the need for more employees but rather replaces other paid tools, which is advantageous, as it delivers cost savings compared to commercial tools.

    What's my experience with pricing, setup cost, and licensing?

    My experience with Gophish regarding pricing, setup cost, and licensing has been entirely positive, as it is completely open-source and free to use, which significantly reduces licensing costs compared to commercial phishing simulation platforms.

    Which other solutions did I evaluate?

    Before choosing Gophish, we evaluated other options, including commercial platforms such as KnowBe4, which offer more advanced enterprise features and training content. However, Gophish's open-source nature and high customizability made it the better choice for our needs to integrate into our platform rather than simply using a standalone tool.

    What other advice do I have?

    When using Gophish for simulations, handling user privacy and data security is essential. Access to campaign data is restricted to authorized personnel, and the collected information serves solely for security awareness and training purposes. Typically, our landing pages and forms do not request passwords, and even for tests where passwords may be needed, Gophish can automatically hash them. The admin cannot view the passwords, but Gophish indicates their strength, categorizing them as strong, medium, or weak.

    I would describe Gophish's performance and reliability during large campaigns or high user loads as very reliable and performing well. I acknowledge there are limitations on the number of emails that can be sent simultaneously, leading to the emails being split into separate groups for sending. However, that is not an issue for us, as what we want Gophish to do is not particularly time-sensitive; we do not need all the emails to go out at one specific time. The reliability remains very good overall.

    There have not really been any significant challenges we have faced using Gophish, as it is very well-documented and we have implemented it through our own dashboard and reporting system. We primarily needed it to perform its core functions: sending emails, ensuring everyone receives correct templates and landing pages, and reporting accurate data. Gophish accomplishes that very well, with no major challenges.

    Gophish supports compliance and regulatory requirements for our organization and clients indirectly, as many government agencies and private companies are mandated to conduct internal training to prevent accidental data leaks or phishing. Our company performs the testing to ensure employees are educated and, if they fail, we provide them training, with Gophish facilitating the assessment process.

    We receive mostly positive feedback regarding Gophish, but it is worth noting that we run Gophish alongside our own platform. Our clients and users do not distinguish between Gophish and our platform, as they only recognize our reliable system. Therefore, they generally provide positive feedback, reinforcing that notion.

    Gophish helps meet our clients' organizational security goals by assisting in identifying weak points in their teams and facilitating training to prevent information leakage or account hacking.

    My advice for others considering Gophish is to thoroughly read the documentation. Many people skip this step and expect the tool to provide everything without understanding how to use it. Gophish offers great documentation, and those who take the time to read it will find it immensely helpful. I would rate this product an 8 out of 10.

    Sarthak Shah

    Quarterly simulations have improved phishing awareness and guide targeted staff training

    Reviewed on May 31, 2026
    Review provided by PeerSpot

    What is our primary use case?

    As Gophish is an open-source tool, we prefer to use it because it is free and does not retain any personal data. We run a campaign on Gophish, which is usually designed by our own developer team, using our own template, email headers, and then choosing the filters for on-click emails and credential uploads. This is how we run a campaign every quarter using Gophish and send an email to all employees. We determine how many of them have clicked on the email and how many of them have entered their credentials on the login page.

    I have an example to share here. The last time we did a Gophish simulation, it was with a newsletter template. The scenario was that a company is launching a new newsletter, and employees could apply or subscribe to it by entering their company email ID. This is how employees get trapped and how they risk exposing the company to cyber attacks. We use Gophish to understand how many employees are still not aware of phishing attacks overall. After that, we provide them with phishing prevention practices and training.

    What is most valuable?

    Gophish is one of the easiest tools that I can see available online, and a significant advantage is that it is free of cost and open source. Even if I need some customization, I can use Gophish and do whatever I want with the tool. I can also design my own campaign according to my own requirements with my developer teams, and we can run this very efficiently and clearly in any organization. It is very easy to use.

    The best features Gophish offers are no limit on the number of employees I can target. Many other tools limit the number of employees because many organizations have a huge number of employees. I have used Gophish for many employees and I did not find any limitation. Secondly, I do not have any restriction over my template or design. Gophish allows us to put every design and everything that we want.

    Gophish has really helped me find what category or what department of the company usually has more employees entering their data, clicking on emails, or opening emails. We found that we need more training in certain departments. For example, in the finance department, people do not understand phishing. We can provide them more training about phishing simulation and related awareness. By this, we also get many insights and it was really helpful for us to understand the requirements of cybersecurity and phishing simulation.

    What needs improvement?

    Currently, we do not think Gophish requires much improvement other than a better graphical user interface. Gophish still has an older or outdated design or GUI. They can work on the GUI more significantly.

    Because I think with the technicalities and everything, it is perfect, but just because of the UI and other aspects, I would appreciate seeing more usability. For example, if we could also use it from a phone and add new templates or new ideas, that would be beneficial.

    For how long have I used the solution?

    I have been using Gophish for a particular time frame because we usually perform this activity quarterly in our organization so that we can assess how employees are aware of phishing attacks and all phishing emails.

    What other advice do I have?

    Gophish does not have standard templates available. We can use it from the browser itself, but we prefer to use our own templates to use it on a mass scale because the available templates are very basic. Employees can easily understand that it is a phishing attempt when using the standard templates. We use our own techniques to create real phishing scenarios for employees.

    I do not think there will be any security concerns or any negative impact because it is an open-source tool and we can use it the way we want.

    Gophish is a very good tool to use, and I would recommend it to others. My review rating for this product is 8 out of 10.
