Gophish: Open-Source Phishing Simulation for Security Awareness
1 min read
Originally from getgophish.com
View source
My notes
Summary
Gophish is a free, open-source phishing framework for running internal phishing-simulation campaigns to measure an organization’s exposure. It ships as a single self-hostable binary (Windows/macOS/Linux) with a web UI, HTML template editor, and near-real-time result tracking. Everything is driven by a REST API with an official Python client.
Key Insight
- Self-hosted, single-binary install - no SaaS dependency, no per-seat cost. Runs on Windows, macOS, and Linux; data stays on the organization’s own infrastructure (matters for a tool that handles simulated credential capture).
- Full campaign lifecycle in one tool: import/clone existing sites and emails, edit HTML templates in-browser, schedule sends, and track per-recipient timelines - email opens, link clicks, submitted credentials.
- API-first - the whole product is a REST API with an official Python client, so simulations can be scripted into onboarding flows or scheduled security-awareness programs rather than run manually.
- Exportable results feed straight into reports, useful for demonstrating security-awareness training ROI or compliance evidence.
- Positioned as the DIY alternative to paid phishing-simulation platforms (KnowBe4, Proofpoint) - trade managed content libraries for zero cost and full control.