Gophish: Open-Source Phishing Simulation for Security Awareness

1 min read
phishing-simulationsecurity-awarenessself-hostingopen-source
View as Markdown
Originally from getgophish.com
View source

My notes

Summary

Gophish is a free, open-source phishing framework for running internal phishing-simulation campaigns to measure an organization’s exposure. It ships as a single self-hostable binary (Windows/macOS/Linux) with a web UI, HTML template editor, and near-real-time result tracking. Everything is driven by a REST API with an official Python client.

Key Insight

  • Self-hosted, single-binary install - no SaaS dependency, no per-seat cost. Runs on Windows, macOS, and Linux; data stays on the organization’s own infrastructure (matters for a tool that handles simulated credential capture).
  • Full campaign lifecycle in one tool: import/clone existing sites and emails, edit HTML templates in-browser, schedule sends, and track per-recipient timelines - email opens, link clicks, submitted credentials.
  • API-first - the whole product is a REST API with an official Python client, so simulations can be scripted into onboarding flows or scheduled security-awareness programs rather than run manually.
  • Exportable results feed straight into reports, useful for demonstrating security-awareness training ROI or compliance evidence.
  • Positioned as the DIY alternative to paid phishing-simulation platforms (KnowBe4, Proofpoint) - trade managed content libraries for zero cost and full control.