# Gophish: Open-Source Phishing Simulation for Security Awareness

> Free, self-hosted, open-source phishing-simulation framework for security-awareness testing. Single binary, web UI, HTML editor, REST API, live result tracking.

Published: 2026-07-02
URL: https://daniliants.com/insights/gophish-open-source-phishing-simulation-for-security/
Tags: phishing-simulation, security-awareness, self-hosting, open-source

---

## Summary

Gophish is a free, open-source phishing framework for running internal phishing-simulation campaigns to measure an organization's exposure. It ships as a single self-hostable binary (Windows/macOS/Linux) with a web UI, HTML template editor, and near-real-time result tracking. Everything is driven by a REST API with an official Python client.

## Key Insight

- **Self-hosted, single-binary install** - no SaaS dependency, no per-seat cost. Runs on Windows, macOS, and Linux; data stays on the organization's own infrastructure (matters for a tool that handles simulated credential capture).
- **Full campaign lifecycle in one tool:** import/clone existing sites and emails, edit HTML templates in-browser, schedule sends, and track per-recipient timelines - email opens, link clicks, submitted credentials.
- **API-first** - the whole product is a REST API with an official Python client, so simulations can be scripted into onboarding flows or scheduled security-awareness programs rather than run manually.
- **Exportable results** feed straight into reports, useful for demonstrating security-awareness training ROI or compliance evidence.
- Positioned as the DIY alternative to paid phishing-simulation platforms (KnowBe4, Proofpoint) - trade managed content libraries for zero cost and full control.