GoPhish
Self-hosted phishing simulation framework for security awareness testing.
Why use it
GoPhish lets you run real phishing simulations against your own users — track who clicks, who submits credentials, who reports. The free open-source alternative to KnowBe4-style platforms.
What you get
- Email campaign management
- Landing page templates with credential capture
- Per-user click and submission tracking
- Templates marketplace and import/export
- API for automation and reporting
System requirements
| Resource | Requirement |
|---|---|
| CPU | 1 core |
| RAM | 1 GB |
| Disk | 10 GB |
| OS | Linux, macOS, Windows |
| Docker | Yes |
Installation
Download the release binary from github.com/gophish/gophish. Edit config.json for the listening ports and admin credentials. Run ./gophish. Configure SMTP (Mailgun, AWS SES, or your own Postfix server). Build a sending profile, a landing page, an email template, and a target user list — then launch a campaign.
Suggested configuration
Use a separate domain (a typo of your real one) for landing pages — never run live phishing tests on your production domain. Always coordinate with the leadership of the team being tested. Capture timing data — fast clickers correlate with high training need.
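The timing analysis suggested above, as an added example (not GoPhish's own code): it computes each recipient's delay between delivery and first click from a campaign timeline. The event fields (`email`, `time`, `message`) and the message strings are assumed to follow GoPhish's campaign timeline export, and the sample data is constructed.

```python
from datetime import datetime
from statistics import median

# Constructed sample shaped like a GoPhish campaign "timeline" (assumed fields).
SAMPLE_TIMELINE = [
    {"email": "", "time": "2024-03-04T09:00:00Z", "message": "Campaign Created"},
    {"email": "ana@example.com", "time": "2024-03-04T09:00:05Z", "message": "Email Sent"},
    {"email": "raj@example.com", "time": "2024-03-04T09:00:06Z", "message": "Email Sent"},
    {"email": "kim@example.com", "time": "2024-03-04T09:00:07Z", "message": "Email Sent"},
    {"email": "ana@example.com", "time": "2024-03-04T09:00:47Z", "message": "Clicked Link"},
    {"email": "ana@example.com", "time": "2024-03-04T09:01:30Z", "message": "Submitted Data"},
    {"email": "raj@example.com", "time": "2024-03-04T13:15:06Z", "message": "Clicked Link"},
    {"email": "ana@example.com", "time": "2024-03-04T09:05:00Z", "message": "Clicked Link"},
    {"email": "kim@example.com", "time": "2024-03-04T09:10:07Z", "message": "Email Reported"},
]

def _ts(value):
    # Rewrite the RFC 3339 "Z" suffix so older Python versions can parse it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def click_latency(timeline):
    """Seconds from 'Email Sent' to the first 'Clicked Link', per recipient."""
    sent, first_click = {}, {}
    for event in sorted(timeline, key=lambda e: _ts(e["time"])):
        who, when = event["email"], _ts(event["time"])
        if event["message"] == "Email Sent":
            sent.setdefault(who, when)
        elif event["message"] == "Clicked Link" and who in sent:
            first_click.setdefault(who, when)  # repeat clicks are ignored
    return {who: (first_click[who] - sent[who]).total_seconds() for who in first_click}

def fast_clickers(timeline, threshold_s=120):
    """Recipients who clicked within threshold_s of delivery, fastest first."""
    latency = click_latency(timeline)
    return sorted((w for w, s in latency.items() if s <= threshold_s), key=latency.get)

def summary(timeline, threshold_s=120):
    latency = click_latency(timeline)
    recipients = {e["email"] for e in timeline if e["message"] == "Email Sent"}
    reported = {e["email"] for e in timeline if e["message"] == "Email Reported"}
    return {
        "click_rate": len(latency) / len(recipients),
        "median_click_s": median(latency.values()) if latency else None,
        "fast_clickers": fast_clickers(timeline, threshold_s),
        "reported_without_click": sorted(reported - set(latency)),
    }

if __name__ == "__main__":
    print(summary(SAMPLE_TIMELINE))
```

The 120-second threshold is an arbitrary starting point; tune it against your own campaign distribution before using it to prioritise training.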
Integration ideas
- Pull recipient lists from your HR system via API
- Forward results to Wazuh for SIEM correlation
- Combine with KnowBe4 if you have it for blended programmes
Alternatives
- KnowBe4 — Commercial, much larger template library.
- PhishTool — Different focus — analyses received phishing emails.
Cyentrix verdict
The serious free option for phishing simulations. Real cybersecurity teams use this in production — it's good enough.