    HailBytes SAT - Enterprise Phishing Simulation Platform

    Enterprise phishing simulation platform. One-click AWS deployment with email integration, campaign management, and analytics.

    Ratings and reviews

    4.3 (19 ratings): 6 AWS reviews, 13 external reviews
    External reviews are from PeerSpot.

    Reviews (19)
    Alaaeddine Elhaoua

    Targeted phishing simulations have improved staff awareness and provide measurable risk insights

    Reviewed on May 31, 2026
    Review provided by PeerSpot

    What is our primary use case?

    Our company offers a service for clients to test their employees' abilities to detect phishing emails. Companies from the government or private sector come to us expressing concerns that their employees might fall for phishing attacks. We then test them and afterwards provide training on how to spot these phishing attacks. To facilitate this testing, we utilize our own platform developed using Gophish as the simulator for these phishing attacks.

    Setting up a phishing simulation for a client using Gophish typically starts with defining the objectives of the client, which varies from one client to another. We determine if we are testing awareness of credential harvesting, malicious links, or attachment-based attacks. After figuring that out, we create the target user groups, design or customize the phishing email template, and configure a landing page that simulates the intended scenario. We then set up the sending profile, schedule the campaign, and launch it to the selected users. During the campaigns, Gophish allows us to gather data that we visualize using our own platform, including interactions, how many people opened the email, who opened it, how many clicked the phishing link, how many reported the email as phishing, and how many submitted their credentials. We can even see those credentials to ensure that the submission is genuine, as sometimes individuals realize it is phishing and enter dummy credentials. After completing the campaign, we analyze the results, identify trends and high-risk groups, and provide a report, as our platform features automated reports with graphs and recommendations for awareness training opportunities for our clients.

    What is most valuable?

    In our workflow, Gophish serves as the core phishing simulation engine, and we build additional functionality around it to meet client requirements. It handles campaign creation, email delivery, landing pages, and tracking reliably, allowing us to focus on reporting, campaign management, user experience, and client-specific features. Its API and flexibility make it easy to integrate into a broader security awareness platform, which helps streamline campaign execution and reporting for both us and our clients.

    Some of the best features Gophish offers include easy campaign creation with customizable email templates and landing pages, detailed tracking and reporting, including email opens, link clicks, credential submissions, and reported emails. Additionally, we can see what device users employed, for instance, whether they used an iPhone, mobile phone, or laptop, and which browser they used. This information helps us understand which browsers can open such emails while others may detect phishing attempts and block them. Other good features include user and group management, RESTful API support, well-documented processes, scheduled campaign management, the open-source aspect, high customizability, and simple deployment and administration.

    The feature I rely on most and find most valuable in my day-to-day work is Gophish's reporting and tracking capability. Being able to see who opened an email, clicked a link, submitted credentials, or reported a phishing attempt provides clear and measurable insights into the organization's security awareness. These metrics help demonstrate risk levels, identify areas needing additional training, and show improvements over time. For example, if we conduct one campaign with a client, then provide training for those who failed, we can later run another campaign and evaluate who has improved or who still needs help. These metrics again assist in demonstrating risk levels, identifying training needs, and tracking improvements, making simulations much more actionable than merely sending test emails.

    What needs improvement?

    While I mentioned that one of the best features of Gophish is its reporting and analytics capabilities, I believe it requires more focus to become even better. The built-in reports offer essential metrics, but organizations often need more advanced dashboards, trend analysis, benchmarking, and executive-level reporting. Another improvement would be deeper integration with security awareness training platforms so users who fail simulations can be automatically enrolled in relevant training, which is what we do with our own platform. However, if this feature were part of basic Gophish, more users would have access to such functionality.

    For how long have I used the solution?

    I have been using Gophish for a bit over a year now.

    What do I think about the stability of the solution?

    Gophish is stable and very reliable, and it has never let us down.

    What do I think about the scalability of the solution?

    Gophish's scalability is good for small to medium-sized organizations and typical phishing awareness programs. It can manage multiple campaigns, user groups, and an increasing number of participants when deployed on appropriately sized infrastructure.

    How are customer service and support?

    We have never had to reach out for customer support due to the excellent documentation available for Gophish.

    Which solution did I use previously and why did I switch?

    Gophish was the first solution we adopted.

    How was the initial setup?

    Gophish integrates well with other tools in our environment because it provides RESTful APIs, allowing campaign data, results, and user information to be exchanged with external systems. We use it as our phishing simulation engine while integrating it with our custom dashboards, reporting workflows, and user management processes. This flexibility makes it easier to incorporate Gophish into a broader security awareness and reporting ecosystem, aligning with our working methods.

    It was very easy for our team to learn and adopt Gophish due to its straightforward interface and clear workflow for creating campaigns, managing user groups, and reviewing results. Most team members achieved productivity with minimal training thanks to the excellent documentation and well-documented APIs, making it accessible with just a little reading.

    What was our ROI?

    Regarding return on investment, there is not a typical ROI since Gophish is free and accessible to anyone. The investment is mainly in the time and effort required to learn and integrate it into systems. In terms of relevant metrics, it does not reduce the need for more employees but rather replaces other paid tools, which is advantageous, as it delivers cost savings compared to commercial tools.

    What's my experience with pricing, setup cost, and licensing?

    My experience with Gophish regarding pricing, setup cost, and licensing has been entirely positive, as it is completely open-source and free to use, which significantly reduces licensing costs compared to commercial phishing simulation platforms.

    Which other solutions did I evaluate?

    Before choosing Gophish, we evaluated other options, including commercial platforms such as KnowBe4, which offer more advanced enterprise features and training content. However, Gophish's open-source nature and high customizability made it the better choice for our needs to integrate into our platform rather than simply using a standalone tool.

    What other advice do I have?

    When using Gophish for simulations, handling user privacy and data security is essential. Access to campaign data is restricted to authorized personnel, and the collected information serves solely for security awareness and training purposes. Typically, our landing pages and forms do not request passwords, and even for tests where passwords may be needed, Gophish can automatically hash them. The admin cannot view the passwords, but Gophish indicates their strength, categorizing them as strong, medium, or weak.

    I would describe Gophish's performance and reliability during large campaigns or high user loads as very reliable and performing well. I acknowledge there are limitations on the number of emails that can be sent simultaneously, leading to the emails being split into separate groups for sending. However, that is not an issue for us, as what we want Gophish to do is not particularly time-sensitive; we do not need all the emails to go out at one specific time. The reliability remains very good overall.

    There have not really been any significant challenges we have faced using Gophish, as it is very well-documented and we have implemented it through our own dashboard and reporting system. We primarily needed it to perform its core functions: sending emails, ensuring everyone receives correct templates and landing pages, and reporting accurate data. Gophish accomplishes that very well, with no major challenges.

    Gophish supports compliance and regulatory requirements for our organization and clients indirectly, as many government agencies and private companies are mandated to conduct internal training to prevent accidental data leaks or phishing. Our company performs the testing to ensure employees are educated and, if they fail, we provide them training, with Gophish facilitating the assessment process.

    We receive mostly positive feedback regarding Gophish, but it is worth noting that we run Gophish alongside our own platform. Our clients and users do not distinguish between Gophish and our platform, as they only recognize our reliable system. Therefore, they generally provide positive feedback, reinforcing that notion.

    Gophish helps meet our clients' organizational security goals by assisting in identifying weak points in their teams and facilitating training to prevent information leakage or account hacking.

    My advice for others considering Gophish is to thoroughly read the documentation. Many people skip this step and expect the tool to provide everything without understanding how to use it. Gophish offers great documentation, and those who take the time to read it will find it immensely helpful. I would rate this product an 8 out of 10.

    Sarthak Shah

    Quarterly simulations have improved phishing awareness and guide targeted staff training

    Reviewed on May 31, 2026
    Review provided by PeerSpot

    What is our primary use case?

    As Gophish is an open-source tool, we prefer to use it because it is free and does not retain any personal data. We run a campaign on Gophish, which is usually designed by our own developer team, using our own template, email headers, and then choosing the filters for on-click emails and credential uploads. This is how we run a campaign every quarter using Gophish and send an email to all employees. We determine how many of them have clicked on the email and how many of them have entered their credentials on the login page.

    I have an example to share here. The last time we did a Gophish simulation, it was with a newsletter template. The scenario was that a company is launching a new newsletter, and employees could apply or subscribe to it by entering their company email ID. This is how employees get trapped and how they risk exposing the company to cyber attacks. We use Gophish to understand how many employees are still not aware of phishing attacks overall. After that, we provide them with phishing prevention practices and training.

    What is most valuable?

    Gophish is one of the easiest tools that I can see available online, and a significant advantage is that it is free of cost and open source. Even if I need some customization, I can use Gophish and do whatever I want with the tool. I can also design my own campaign according to my own requirements with my developer teams, and we can run this very efficiently and clearly in any organization. It is very easy to use.

    The best features Gophish offers are no limit on the number of employees I can target. Many other tools limit the number of employees because many organizations have a huge number of employees. I have used Gophish for many employees and I did not find any limitation. Secondly, I do not have any restriction over my template or design. Gophish allows us to put every design and everything that we want.

    Gophish has really helped me find what category or what department of the company usually has more employees entering their data, clicking on emails, or opening emails. We found that we need more training in certain departments. For example, in the finance department, people do not understand phishing. We can provide them more training about phishing simulation and related awareness. By this, we also get many insights and it was really helpful for us to understand the requirements of cybersecurity and phishing simulation.

    What needs improvement?

    Currently, we do not think Gophish requires much improvement other than a better graphical user interface. Gophish still has an older or outdated design or GUI. They can work on the GUI more significantly.

    Because I think with the technicalities and everything, it is perfect, but just because of the UI and other aspects, I would appreciate seeing more usability. For example, if we could also use it from a phone and add new templates or new ideas, that would be beneficial.

    For how long have I used the solution?

    I have been using Gophish for a particular time frame because we usually perform this activity quarterly in our organization so that we can assess how employees are aware of phishing attacks and all phishing emails.

    What other advice do I have?

    Gophish does not have standard templates available. We can use it from the browser itself, but we prefer to use our own templates to use it on a mass scale because the available templates are very basic. Employees can easily understand that it is a phishing attempt when using the standard templates. We use our own techniques to create real phishing scenarios for employees.

    I do not think there will be any security concerns or any negative impact because it is an open-source tool and we can use it the way we want.

    Gophish is a very good tool to use, and I would recommend it to others. My review rating for this product is 8 out of 10.

    Satyasagarnagesh Nagir

    Automated phishing projects have saved significant time and simulate realistic attack workflows

    Reviewed on May 29, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I have used Gophish in a project where I created a phishing email and sent that phishing email to my other email.

    In this project, I was simulating the scenario of a phishing simulation, demonstrating how a phishing attack happens from both the attacker's perspective, as well as the blue teamer's perspective. I set up the recipient email template and links, submitted what my sender email was, what the victim's email was, and I completed the whole setup in Gophish to execute a phishing attack.

    Apart from this project, I have used Gophish for activities including video editing, browsing, and mapping.

    What is most valuable?

    The best feature of Gophish is that you can create images of your workstations, and I have made an instance from which I created an image that I saved, allowing me to automatically run up the website or servers as I put in some executable commands.

    The automation work with Gophish reduces my efforts and manpower, letting the servers turn on automatically whenever I need to start this image.

    Using Gophish has helped me reduce my efforts and make more requests, allowing me to conduct many more phishing attacks in a shorter period. For example, without Gophish, creating a phishing email would take me at least two to three hours, but with Gophish, you can simply copy-paste the templates and send multiple phishing emails within a few minutes. What took me two to three hours can be done in 15 to 25 minutes.

    I have saved time and resources using Gophish. If I did all the phishing activities manually, it would have taken a lot of time, with time being the most efficient thing I have saved through Gophish.

    What needs improvement?

    The one improvement I would like to see in Gophish is the booting up of the images, as it sometimes takes a lot of time and could be improved.

    I chose a rating of 8 out of 10 for Gophish because it is an interesting tool, but there are some drawbacks, such as the booting up of images which takes a lot of time, although everything else is good.

    For how long have I used the solution?

    I have been using this tool for one year.

    What do I think about the stability of the solution?

    I have not experienced any downtime or crashes with Gophish; it performs well.

    What do I think about the scalability of the solution?

    Gophish can handle larger projects or more users and performs well.

    How are customer service and support?

    I have never reached out for help to customer service, but I hope it will be good.

    Which solution did I use previously and why did I switch?

    Gophish was the first tool I used for phishing.

    How was the initial setup?

    As a free user, I did not incur any costs. I just had to download Gophish, and everything else was straightforward.

    Which other solutions did I evaluate?

    Gophish was my first option. I tried it and found it to be a great tool.

    What other advice do I have?

    My advice for anyone looking into using Gophish is to give yourself some time to understand all the services. At first, you might not grasp everything, but gradually you will learn everything, which makes this an awesome tool. I have given Gophish a rating of 8 out of 10.

    Anass Bekar

    Streamlined phishing simulations have boosted red team efficiency and automated targeted campaigns

    Reviewed on May 24, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Gophish is simulating phishing campaigns and using it in red team engagements.

    In a red team engagement, you set up Gophish, specify your phishing scenario, configure your email server and landing page, start your Gophish server and then send your emails. When the targets enter their credentials, you receive them in Gophish.

    What is most valuable?

    The best features Gophish offers include its extensibility. I think the best feature is the extensibility, as Gophish makes it super easy to edit emails, replace fields, and automate landing page extraction and displaying.

    I typically make use of Gophish's extensibility through the automation of webpage extraction and the webpage simulation. The inputting of targets' names and information into emails automatically stands out as a particular customization I have set up.

    Gophish has positively impacted my organization by making it very easy to set up and start phishing campaigns. Before Gophish, you had to develop an infrastructure, start a mail server, build a landing page from scratch, customize, create and customize emails, and you had to repeatedly send each email differently. There were a lot of hiccups and problems, but with Gophish, it is very easy to start a campaign and to change from campaign to campaign, to receive credentials or anything that you want from the campaign.

    Since using Gophish, the number of campaigns has increased dramatically. Before, we would do a phishing simulation in about two to four weeks. But now, using Gophish, we can start and finish a phishing simulation in a week, in about four days. So there is three weeks of time saved. For efficiency, before, you needed three team members to build a campaign, focusing on landing page development, infrastructure work, and creating the scenario. But now, just one person can do three jobs.

    What needs improvement?

    Gophish could be improved by adding a section where you can manage payloads, so executables, and receive sessions; that is what is missing from it. It does not handle lists well either, so when you have a big list of email addresses or users, it crashes, perhaps in the sending of the emails or somewhere else, but it crashes. It would also be great if you added spam detection and prevention capabilities, so the emails you are using in your campaign do not get blacklisted.

    I do not think the user interface needs major improvements, as it is great. Sometimes, the difference between opened emails and sent feedback is a little bit confusing, but overall, I think it is great.

    For how long have I used the solution?

    I have used Gophish from the beginning of my career, so basically six years.

    What do I think about the stability of the solution?

    Gophish is stable.

    What do I think about the scalability of the solution?

    We did not really have to scale because we had small campaigns, so I do not have an answer to that question about scalability.

    How are customer service and support?

    We did not really use customer support because we are technicians and we fixed all the technical problems ourselves.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution; we just relied on self-developed scripts and solutions, everything was built in-house. We switched because at one point it was not sustainable and was not as efficient as a commercial product.

    What was our ROI?

    There has been a return on investment; we need fewer team members to do the same engagements. Before, you needed three people for an engagement, but now just one person can manage. So there definitely was a lot of money saved.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing was great; I do not have anything to complain about.

    Which other solutions did I evaluate?

    Before choosing Gophish, we evaluated Evilginx, but we decided to go with Gophish because it was more professional and more extensible.

    What other advice do I have?

    I would advise others looking into using Gophish to give it a try because it is really useful. It is definitely better than using your own solution because it is maintained by a team of competent developers that know what they are doing. I gave this review a rating of eight out of ten.

    Juanfran Celdran

    Phishing awareness campaigns have improved training impact but still need smarter automation

    Reviewed on May 23, 2026
    Review provided by PeerSpot

    What is our primary use case?

    The main use I make of Gophish is to carry out phishing campaigns for clients. In this case, I work for external companies that ask their employees to participate in awareness campaigns so that their company does not fall for scams and, of course, so their data does not end up compromised on the Dark Web, for example.

    One campaign I carried out was for Embutidos Martínez, in which the timing was based on the fact that it was around November, so it was about Black Friday, and many people fell for it because Black Friday is all about offers before Christmas. From there, many people fell for the phishing since we were advertising all kinds of products, especially technology products which at that time of year are the ones most commonly bought for Christmas.

    I focus on doing phishing campaigns, although not just traditional phishing of sending an email and then leading to another email, but also smishing and quishing. I have carried out these campaigns, in which I used Gophish in parallel because it generates a token and from that token you can then create quishing and smishing.

    I used it for various types, not just traditional phishing but also quishing and smishing.

    What is most valuable?

    The best features are that it is free software and that you can put in your own templates and from there you make customized templates to your liking. It does not give you everything pre-made like other platforms such as Proofpoint, but it is quite good because you learn and it is more traditional to use Gophish.

    The solutions it provides are that you can use it at whatever level you want. It is super free and has no limitation. I have used it in many areas: traditional email phishing, smishing or quishing, and it allows you to create whatever templates you want. It is more than free enough and you set up the configuration as you prefer. It is free, unlike others such as KnowBe4 or Proofpoint, where everything comes already pre-made, whereas with Gophish you can do it freely to your liking with DNS configuration, the email settings such as SPF, DKIM, DMARC, whatever it may be.

    Gophish's features are that it is free, you can do whatever you want, and it is super basic. If you know IT, HTML, CSS, JavaScript, it is useful for making templates to your liking and tailored to you, not some pre-cooked templates like the ones you get from KnowBe4 or Proofpoint.

    The impact it has had is that we have been able to sell it to clients who, for example, do not have the money to pay for a platform because they are small startups, and so with Gophish we create a solution that is cheaper for them. Paying for Proofpoint or KnowBe4 is too expensive, and with Gophish being free software and open source, anyone can run campaigns.

    It has been thanks to the people who have fallen for the phishing. When they fall for a phishing, for example, we take them to an educational page, where thanks to that educational content they know that they have fallen for that phishing and from there we raise their awareness so they do not fall for phishing again.

    What needs improvement?

    I think Gophish could be improved with more automation, for instance. It is great that you can create templates, schedule them, and do everything you want in Gophish, but it would be nice to have a small integrated AI model with which you could create email templates and phishing templates. It would be nice if Gophish implemented artificial intelligence.

    I wish Gophish could provide more support and be more advanced and that they continue developing it because it seems that Gophish does not get many updates, and I think they need to implement more features. It is great because it is free, but it needs more features. It would be cool if there was an artificial intelligence model that could create phishing campaigns or templates or email templates for you integrated within Gophish.

    I would rate it a seven. It is quite good and free software, but it needs more substance. It also depends on the number of clients a company has; it may be necessary to launch Gophish in a staggered way, which I also think is a drawback Gophish has. The issue is that if there are many people being targeted, for example, 5,000 employees in a company and you send 5,000, it may be that sending so many messages gets blocked by the security systems companies have. I think that Gophish could also improve the message sending flows.

    I gave it a seven because there are things to improve and it is not perfect. As I said before, it would be nice if templates could be created with AI, integrated into Gophish using an API with Gemini or ChatGPT or whichever, but the point is that it would be nice if the sending flows at large scale were better managed. When you send a phishing campaign to 5,000 people, you have to send it in sections in a staggered way, for example: to these 5,000 people it is going to be sent between eight in the morning and four in the afternoon. If you send them all at once, the phishing may get blocked and then the campaign has no effect.

    I would like it if Gophish implemented more improvements because they are needed, as it is kind of a bit stagnant. I hope that in the future they add more improvements including creating personalized templates with artificial intelligence and improving the message sending flows.

    For how long have I used the solution?

    I have been using Gophish for two years.

    What do I think about the stability of the solution?

    I consider Gophish to be stable, but it needs improvements.

    What do I think about the scalability of the solution?

    Gophish's scalability is very simple. You make a full copy of the database you have with Gophish and you can move it from one VPS to another. That is wonderful.

    How are customer service and support?

    I have never contacted Gophish customer support because it is free software. At the beginning I never had any problems with Gophish.

    Which solution did I use previously and why did I switch?

    I did not use any other option. I have always used Gophish because it is free software. I could have also used KnowBe4 or Proofpoint, but those platforms are paid.

    I did not evaluate other options. With Gophish being free there is no other option.

    How was the initial setup?

    Above all, patience and having a lot of information about IT topics are required, being clear on what DNS is, what a VPS is, and knowing what SPF, DKIM, DMARC are, which are checks that emails have to verify that they come from that sender, for example the email. Knowing all that information and knowing how to configure it is essential. Especially if you like making email templates, it is very good. From an email you receive, for example, that you want to phish with, you can import it directly into Gophish. That is wonderful.

    What about the implementation team?

    We are resellers because, as I mentioned before with the VPS, we run phishing campaigns with Gophish.

    What was our ROI?

    The return on investment is obvious. In terms of saving on staff, you save yourself from spending hundreds of thousands of euros on buying platforms like Proofpoint or KnowBe4. Those platforms are paid and are more professional, intended for doing this at large scale, and Gophish is quite good because it also serves to run phishing campaigns. The thing is that you save money because all you need for Gophish to work is a VPS and a domain on which you are going to run the phishing campaign, and that is it, because Gophish itself is free software and is free of charge.

    What's my experience with pricing, setup cost, and licensing?

    It is free software. Gophish does not cost a single penny and that is very good. Proofpoint or KnowBe4 do cost money and, of course, since we charge the client, a small startup cannot afford it and so we use the Gophish solution.

    What other advice do I have?

    I hope that Gophish continues as a project and includes improvements. It is quite good and a simple, straightforward platform that anyone can use. Of course, you need some IT knowledge because someone who does not know about IT cannot use it. Proofpoint or KnowBe4 is more pre-made for doing phishing campaigns because it is just clicks, but of course, as Gophish is very customizable, you can create your templates and create your campaigns. I gave this review a rating of seven out of ten.

    reviewer2845620

    Targeted phishing campaigns have boosted user awareness and now provide actionable metrics

    Reviewed on May 23, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My primary use case for Gophish is using it extensively for anti-phishing campaigns and awareness campaigns with employees. I believe it is an excellent tool to train users against phishing emails and awareness in general, as well as to understand how users are behaving when they receive a phishing email, if they end up clicking on that email, if they click on the links in that email, and if they end up entering information. I am able to have that level of granularity with Gophish.

    What is most valuable?

    The best features that Gophish offers are the ability to track these metrics in a detailed way. This includes the number of emails sent, the number of emails opened, the number of emails that were opened and had the link accessed, the number that had information entered, and the users who reported that email as phishing. The ability to customize this email as well, making it more professional-looking and less like a phishing email, is valuable. You can parameterize it using HTML, CSS, and some basic JavaScript, and you can do some cool things such as pointing to a link. In my case, I used a staging infrastructure and I was able to deploy what I needed, which was an authentication screen. I basically made a form with username, password, and a login button, actually simulating logging into the corporate system. You can format this entire email and much more. With this tracking, you can also send various campaigns in a targeted way. If you want to target, say, the sales team, support, development, the board of directors, HR, and human resources, and so on, you have that capability. I think Gophish is a fantastic tool that, at least for my use case, worked perfectly.

    Gophish had a positive impact on my organization because I was able to run awareness campaigns, measure and present the data to the board, and also do more targeted work with users who were, let's say, more careless with entering sensitive information. Gophish itself gives us these metrics directly. The number of emails sent, opened, links clicked, information entered, and emails reported are all available directly through Gophish. Based on these metrics, I processed them and put them into an executive report, which I presented to the board so that we could also move forward with other layers of security and improvements, mainly focused on users.

    What needs improvement?

    Gophish can be improved in that it is an open-source solution and there is a bottleneck issue related to sending emails. You basically have to provide an external service and set up a connection to actually send the emails. You need a third-party service to make this connection so that you can actually use the full capabilities of Gophish. This part specifically is really complex and difficult. I think there could be options within Gophish itself that allow you to handle this in a more streamlined way. Of course, Gophish is a tool more obviously geared toward the IT team that will do all the configurations and create all the pages and contexts. However, the email-sending part, where I needed to use an external service, is a bottleneck that the development team could look into regarding how it might be improved.

    I think Gophish could natively include templates for use in campaigns because you currently have to develop the whole campaign yourself. If you also had some pre-built email templates, maybe with the ability to integrate some AI agent, that would be an interesting feature as well. I believe the main improvement would be the inclusion of templates that you can use as pre-built models so you can get started faster with Gophish and also address the email-sending issue.

    For how long have I used the solution?

    I have been using Gophish for about two years.

    What do I think about the stability of the solution?

    Gophish is stable.

    What do I think about the scalability of the solution?

    The scalability of Gophish is very good, and I was impressed with it.

    How are customer service and support?

    Gophish's customer support is not something I investigated deeply since it is an open-source solution. Of course, you have the community on GitHub and many ways to research. There is also Gophish documentation, which I saw exists. However, Gophish is a very intuitive tool, so it does not raise major questions. I did not need any support from their team.

    How was the initial setup?

    There is no licensing cost, and because Gophish is open source, it gives you the flexibility to customize the tool itself the way you want. I do not give it a 10 because it is missing some refinements. For example, having some templates already available so you can get started faster would be helpful. Sometimes having ways to integrate email sending directly with some of the more popular services would also be useful, or enabling you to do everything you need directly on the platform without needing, as I did in my case, a third-party service for mass email sending.

    What about the implementation team?

    Gophish is deployed in my organization in a public cloud. I use AWS as my cloud provider. I did not acquire Gophish through the AWS Marketplace.

    What was our ROI?

    I have seen a return on investment with Gophish because I was able to run a phishing-awareness campaign in a cost-effective way. That is, I did not need to spend money on licenses or invest time in developing a technology or solution for this. The benefits were practically immediate. I configured and customized everything in about two days. Obviously, it was not two full days; it was part of one day and part of the next to configure and customize everything I needed. The return was very high. I was able to generate an executive report, present it to the board with an action plan, and then execute that action plan, which was to guide employees, especially focusing on those who fell for the phishing.

    What's my experience with pricing, setup cost, and licensing?

    My experience with Gophish regarding pricing, setup costs, and licensing is that because it is an open-source tool, I did not have any costs related to licensing with it.

    Which other solutions did I evaluate?

    Before choosing Gophish, I did look at SaaS solutions on the market and ready-made solutions. However, since the nature of the solution is phishing awareness campaigns, it is understood that I am not going to be doing this every month because otherwise users will say they already know this is phishing. When a real phishing attack comes, they might actually be more likely to fall for it. I believe it has to be targeted; you have to catch users by surprise. I do it periodically, but not on fixed intervals, that is, not exactly every two months or every three months, but every certain period of time I end up using Gophish.

    What other advice do I have?

    My advice to others who are thinking about using Gophish is that, especially in my context, which is a small company with about 50-plus employees, you should take into account the users' skill level and maybe run awareness campaigns even beforehand, informing users in advance, and then after some time, plan the execution and how you will actually use Gophish. I believe it will meet many of the scenarios that exist in the market today, at least for small companies. For small companies with about 10 to 50 employees, it works perfectly. Below that, you can still use it, but if you have very few employees, perhaps direct interaction or even creating an email yourself and sending it to the user to see if they will click on it or not, might even be faster. If you think about a very small team, you may not have any IT person at all. If it is a very large company, maybe a commercial solution will deliver more features that might be interesting for large enterprises. You have to analyze each situation based on your objectives and what you expect from the solution and what your goals are. If you want to run an awareness campaign, as in my case, and know your users' level of whether they are likely to click on the link, report it to the IT team, enter information, and especially what you do after completing the campaign, I think that is essential. You can get these metrics and deliver everything that is needed. I would rate my overall experience with Gophish as a 9 out of 10.

    Bright Boateng

    Targeted simulations have improved phishing awareness and support ongoing security training

    Reviewed on May 20, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Gophish is to create phishing campaigns and to test, mostly for phishing simulation across organizations. I create custom templates when I set up those phishing campaigns, and I also set up the campaign according to the departments.

    What is most valuable?

    One of the best features I like in Gophish is the site importation feature that allows you to import sites by simply pasting the URL of any existing landing page in order to automatically get the HTML and CSS content, a clone of it.

    Another feature I find valuable is the built-in credential harvesting feature which allows you to harvest credentials when it comes to your phishing simulations.

    Gophish has really improved security awareness in my organization. As we conduct phishing simulations, we also make sure we conduct awareness training alongside them. After the phishing simulation that we do, with the results that we get, we make sure we do the necessary remediations and take the necessary actions. For instance, if we realize that a particular person is a victim of the phish test that we conducted, what we do is educate the person and train the person so that the person becomes aware of phishing and aware of their security, and also help them have some form of knowledge when it comes to their security.

    I cannot give exact numbers, but what I can say is there has been a reduction in phishing. There has been a reduction in interaction with phishing emails, so most people have become aware now. Whenever they see a phishing email, they really know that it is a phishing email based on certain features that we have taken them through in order for them to identify whether an email is phishing or not. We have made them aware and also utilized the tool in order to help them have a feel of how it works in the real world. We taught them features such as typo-squatting and many other techniques.

    What needs improvement?

    I wish you could add AI features to Gophish, because since AI is a new thing, I think leveraging it in the tool is going to help a lot. It is going to make work easier and faster, for instance, when it comes to setting up the phish.

    An improvement that could be done would be expanding the tool beyond phishing, adding other multi-channel attacks such as deepfake voice scams, vishing, or smishing. Adding other features when it comes to social engineering would be beneficial.

    Although the tool is very good, I think there could be some improvements, especially when it comes to leveraging AI for testing and also when it comes to the expansion beyond email phishing.

    For how long have I used the solution?

    I have been using Gophish for about two years now.

    What do I think about the stability of the solution?

    Gophish is very stable and highly stable.

    What do I think about the scalability of the solution?

    Gophish is highly scalable and very scalable.

    How are customer service and support?

    I have never reached out to customer support before. What I normally do is research, sometimes read the documentation, or sometimes go through some YouTube videos to find my way around things instead of contacting support directly. If I do everything that I have already said and it does not work out, the next thing I tend to do is contact customer support. As of now, I have never contacted customer support before.

    Which solution did I use previously and why did I switch?

    Another tool that I have used was Evilginx, but I did not switch. I think I like using Gophish because it is a lot simpler, simple to use, and simple to set up.

    What other advice do I have?

    For others looking into Gophish, my advice to them is for them to really start using it. They should not be wasting time on planning. As long as they have the mentality that they are going for Gophish, they should just start using the tool and stop planning. This is because the tool is very great. When it comes to scalability, when it comes to setting up phishlets, everything has been made simple. I think, especially for those who are now starting with phishing, this would be a great start because you can clone other websites easily and do many other actions easily. Setting up a campaign is also very simple. Gophish has made the user experience very easy for its users, and that is a good thing. I rate this product a nine out of ten.

    Duyghuaa Askerawa

    Real-time phishing simulations have improved security awareness in my projects

    Reviewed on May 20, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Gophish is simulating attacks, and I primarily use it for my specialty in cybersecurity projects or simulating phishing attacks on some of my friends for my project goals and for obtaining certificates.

    I had my final project and wanted to do something extra to earn extra points, so I created an email account with a domain name and a site for the phishing attack. I connected the site, emails, and all data with my Gophish account, added usernames and emails for sending phishing emails, created a phishing email, and sent it to all of them. Some of my friends clicked the link and submitted their usernames, passwords, and personal data, allowing me to analyze all the data they sent, including when they clicked the link and submitted the form. Gophish enabled me to see all personal data in real time.

    What is most valuable?

    I believe the best feature Gophish offers is the analyzing and dashboard part, which provides all data and information in specific formats, showing how many people clicked the link and sent data in diagrams that are very useful for me. Its user-friendly interface is another standout feature.

    I also appreciate that it works in real time with no delays. When someone sends data, it arrives on time without any issues. Gophish has positively impacted my organization by helping my team reach our goals. My teacher initially recommended Gophish because it was used in their organization for pen testing, simulating attacks, and testing employees, which inspired me to use it for my project and helped me earn maximum points while gaining real-world experience.

    Gophish helped improve our security. For example, I sent dashboard screenshots to my friends, showing them that if they filled out emails that looked unverified, their data could be stolen. After they saw the data I collected correctly and realized I could use that information in sensitive areas, they decided to stop responding to such emails, recognizing that although it was a test, this could happen to anyone.

    What needs improvement?

    I believe Gophish can be improved by adding new features based on attack types in the future, particularly for new zero-day attacks, and incorporating AI-based tools to enhance analyzing and automation.

    I believe the user interface is good, but it could benefit from a demo or introduction for users unfamiliar with Gophish. An AI chatbot could be integrated for assistance.

    For how long have I used the solution?

    I have been working in my current field for nearly six to eight months, but if I look at my projects, I have been working on them for a year.

    What do I think about the stability of the solution?

    Gophish is stable for me.

    What do I think about the scalability of the solution?

    Gophish can scale up and down based on demand, making it scalable.

    How are customer service and support?

    Customer support has been good and very responsive. I rate customer support ten out of ten as I did not encounter any problems.

    Which solution did I use previously and why did I switch?

    I used Gophish for the first time and did not have a previous solution that I switched from.

    How was the initial setup?

    My experience with pricing, setup cost, and licensing is ideal. Overall, it was good.

    What was our ROI?

    I have not seen a return on investment and cannot recall any relevant metrics such as money saved, time saved, or fewer employees needed.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing is ideal. Overall, it was good.

    Which other solutions did I evaluate?

    I did not evaluate other options before choosing Gophish as my teacher recommended it.

    What other advice do I have?

    I advise others to use Gophish for both organizational and personal projects since it is an excellent and manageable tool. I rate this review ten out of ten.

    Gabriel Avila

    Phishing simulations have improved awareness and now redirect resources to deeper security training

    Reviewed on May 20, 2026
    Review provided by PeerSpot

    What is our primary use case?

    Gophish is used in my current company and in my previous one for anti-phishing campaigns, awareness campaigns, and training in the company.

    In our last campaign, for example, we created a fake iFood ad where the user had to click on the link. This link would take them to a login screen for our corporate email. After entering their information, they received an alert saying they had fallen for a phishing attempt, with a link for them to join a training campaign. All of this with analysis was created within Gophish.

    What is most valuable?

    Gophish, despite being a free tool, fits very well because it has all the features we need, from creating landing pages and creating the email to tracking the click traffic and the ingestion of information. We stopped spending on a paid tool and can redirect that budget to other needs. All thanks to Gophish, which is a complete and free tool.

    All features are useful, from uploading recipients in bulk to creating landing pages, creating emails, and having tracking of the entire email trail. I can track sending, receiving, clicking on the link, managing information, and whether the person then joined the training campaign. All these items in Gophish are absolutely valuable.

    With the tracking of the email trail, I can truly know the campaign's adherence, if it was received, if it was read, and if data was input. After the data was input, I can see what the user did. I have a complete mapping of the phishing campaign to know whether it was really accurate and met our expectations.

    What needs improvement?

    I don't see anything that Gophish needs to improve within the scope of a free tool. An integration with Active Directory and Azure AD for login would be interesting.

    Gophish is a great tool; for what it proposes, it delivers. I would also suggest an improvement regarding recipients. When I send to more than 300 recipients, I am forced to split it into several sends because the tool doesn't behave effectively and freezes.

    For how long have I used the solution?

    I have been in my field for 8 years.

    What do I think about the stability of the solution?

    From the first moment I looked for a good, robust, and free phishing campaign solution, Gophish was the first and only one I used. I have never had problems with it.

    What do I think about the scalability of the solution?

    It scales effectively. The only problem is the issue with recipients. If I have a list with more than 300 recipients, I am forced to split it into several blocks.

    How are customer service and support?

    I have never needed support.

    Which solution did I use previously and why did I switch?

    I didn't have any problems because the setup has a lot of documentation, there is support, and I didn't have any licensing because we use the free version.

    What was our ROI?

    It made it possible for us to direct financial and human resources toward training, hiring training tools, hiring support to improve the security of the environment.

    What's my experience with pricing, setup cost, and licensing?

    Since it is a free tool, I had no costs. However, it brought me several strategic advantages for directing resources.

    Which other solutions did I evaluate?

    I don't remember specifically which alternatives were evaluated, but others were considered and we did not proceed with them.

    What other advice do I have?

    Go for it. Gophish is a good, complete tool that delivers everything it promises and is efficient. This review receives a rating of 10.

    Mamadou Talibe DIALLO

    Phishing simulations have strengthened user awareness and reveal real click and report behavior

    Reviewed on May 19, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Gophish is for penetration testing on cybersecurity with phishing links and others. We used Gophish to test the mindset of different users in the company. We used Gophish to send intrusion links and links by email, for example, links supposedly from sites they visit or related to their Facebook or Instagram account.

    We determined the number of people who clicked on the link, those who reported it before clicking on the link, and those who did not click on the link. It was a survey campaign that we conducted after an awareness session that we carried out with the different users of the company.

    What is most valuable?

    The best features offered by Gophish stand out to me as most valuable because we can design virtual sites for intrusions, especially with cybercrime testing with phishing awareness. We have a backlog where we can monitor the number of links clicked and the number of links not clicked.

    These elements are useful to me with Gophish because we actually understand the mindset of users after the awareness session, whether they have already absorbed the advice that was given to them. Through the phishing and penetration testing we conducted, Gophish has had a major positive impact on my organization, especially in my department, because we were able to find out whether the different users already understood the concept of phishing.

    What needs improvement?

    For the moment, I have nothing to suggest about Gophish; the application works very well and it offers many features. As you progress, you discover more and more options. I chose a rating of eight because there are always options to add and there are always upgrades that will be made.

    For how long have I used the solution?

    I have been using Gophish for a month.

    What other advice do I have?

    One piece of advice I give to those who need to use Gophish is to be patient and read extensively. If necessary, even follow user manuals to better grasp Gophish's functionality.

    Gophish is a good structure and a good technological innovation that deserves to be studied and much better known by the world because not everyone knows Gophish. Gophish is good and the structure is solid. I gave this product a rating of eight out of ten.