Security Measurement

Reading GoPhish Campaign Data Like a Security Engineer

February 19, 2026 • 9 min read


Click rates are the metric security teams report and the metric that means the least. A 15% click rate tells your CISO that 15% of employees clicked a link. It does not tell you whether that number is improving, whether the employees who clicked are concentrated in high-risk roles, whether your current training approach is working, or what the actual threat exposure looks like relative to your industry. Reading phishing simulation data well requires building a measurement framework, not just running exports.

The Metrics That Actually Matter

Every GoPhish campaign generates four primary data points per recipient: delivery status, open event, click event, and credential submission. Most reporting stops at click rate. That leaves significant signal on the table.

Time-to-click is one of the most valuable and least-used metrics. It measures how long after delivery a recipient clicked the lure link. A campaign where 40% of clicks occur within the first 90 seconds of delivery indicates a different risk profile than one where clicks are distributed across 72 hours. Fast clickers are often mobile users acting on push notifications before engaging critical thinking. Understanding that distribution informs where to focus behavioral training.

Submission rate versus click rate is a critical distinction. Not every employee who clicks a lure link submits credentials. The gap between click rate and submission rate tells you something about whether employees who engage with suspicious content are at least applying some friction before fully committing. A high click rate with a low submission rate may indicate that curiosity is driving initial engagement but that some employees are recovering before the final step.

Repeat offenders—employees who are susceptible across multiple campaign cycles—represent your highest-risk population and your most important training targets. GoPhish does not surface this natively. You need to join campaign results on recipient email address across reporting periods. Employees who appear in the susceptible population in three or more consecutive campaigns despite completing assigned training warrant a different intervention than first-time clickers.
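The three metrics above, computed from event rows. This is an added example, not code from the original post or from GoPhish. It assumes an events export with `campaign_id`, `email`, `time` and `message` columns using GoPhish's event labels, and campaign IDs that increase with launch date; the sample rows are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
# Constructed sample shaped like a GoPhish raw-events export (assumed columns).
EVENTS = """campaign_id,email,time,message
1,ana@example.com,2026-01-05T09:00:00Z,Email Sent
1,ana@example.com,2026-01-05T09:00:40Z,Clicked Link
1,ana@example.com,2026-01-05T09:01:10Z,Submitted Data
1,bo@example.com,2026-01-05T09:00:00Z,Email Sent
1,bo@example.com,2026-01-05T15:30:00Z,Clicked Link
1,cy@example.com,2026-01-05T09:00:00Z,Email Sent
2,ana@example.com,2026-02-02T09:00:00Z,Email Sent
2,ana@example.com,2026-02-02T09:01:00Z,Clicked Link
3,ana@example.com,2026-03-02T09:00:00Z,Email Sent
3,ana@example.com,2026-03-02T09:20:00Z,Clicked Link
"""

def first_events(text):
    """Earliest timestamp per (campaign, email, message); repeat clicks collapse."""
    first = {}
    for r in csv.DictReader(io.StringIO(text)):
        key = (int(r["campaign_id"]), r["email"].lower(), r["message"])
        t = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        first[key] = min(t, first.get(key, t))
    return first

def campaign_metrics(first, cid, fast_secs=90):
    """Click rate, submission rate and time-to-click for one campaign."""
    sent = {e: t for (c, e, m), t in first.items() if c == cid and m == "Email Sent"}
    ttc = {e: (first[cid, e, "Clicked Link"] - t).total_seconds()
           for e, t in sent.items() if (cid, e, "Clicked Link") in first}
    submits = sum((cid, e, "Submitted Data") in first for e in sent)
    fast = sum(s <= fast_secs for s in ttc.values())
    n = max(len(sent), 1)  # avoid dividing by zero for an unknown campaign
    return {"click_rate": len(ttc) / n, "submit_rate": submits / n,
            "fast_click_share": fast / len(ttc) if ttc else 0.0, "time_to_click": ttc}

def repeat_clickers(first, streak=3):
    """Recipients who clicked in `streak` consecutive campaigns they were sent."""
    history = defaultdict(list)
    for c, e, m in sorted(first):          # campaign order, then recipient
        if m == "Email Sent":
            history[e].append((c, e, "Clicked Link") in first)
    flagged = set()
    for e, hits in history.items():
        run = 0
        for h in hits:
            run = run + 1 if h else 0      # a clean campaign resets the streak
            if run >= streak:
                flagged.add(e)
    return flagged
```

The denominator here is every recipient with an `Email Sent` event, so bounced or undelivered messages need to be excluded upstream if your export records them differently.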

Building a Longitudinal View

Single-campaign data is a snapshot. A phishing simulation program only becomes a security program when you can demonstrate trajectory. The data architecture for this is straightforward: after every campaign, export GoPhish results to a consistent schema in a data store you control—a PostgreSQL database, a data warehouse, or even a well-maintained set of CSV files in S3 with consistent column naming.

The fields worth preserving beyond the defaults: campaign ID, campaign launch date, lure category (credential harvest, malware delivery simulation, pretextual information gathering), target department, target role level, recipient tenure bracket, prior training completions at the time of campaign launch, delivery status, open timestamp, click timestamp, and submission timestamp.

With this schema maintained over 12 to 18 months, you can produce the longitudinal charts that speak to leadership: overall susceptibility rate trend, department-level improvement rates, correlation between training completion and susceptibility reduction, and time-to-remediation after a susceptibility event.

Segmentation as a Diagnostic Tool

Aggregate susceptibility rates conceal more than they reveal. The most useful analysis segments results by at least three dimensions simultaneously: department, role type, and tenure.

The combination of department and role type typically surfaces the highest-risk populations. In most organizations, finance, executive assistants, and IT service desk personnel show elevated susceptibility to targeted lures—not because of negligence but because their roles involve high-volume external communication and requests for action. These populations need simulation scenarios calibrated to their actual threat environment, not generic phishing templates.

Tenure segmentation consistently shows that employees in their first 90 days are significantly more susceptible than the rest of the organization. This is expected—they are still learning internal processes and are less likely to recognize anomalous requests. A simulation program that measures this cohort separately and delivers targeted onboarding-period training captures a genuine risk reduction opportunity.
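One way to hold the longitudinal schema described earlier and run the three-way segmentation against it. This is an added example, not part of the original post: the table and column names are assumptions derived from the field list in the text, SQLite stands in for whatever store you control, and the rows are constructed. Cells with fewer recipients than `min_cell` are suppressed, an added assumption so that a single person never becomes a "rate".

```python
import sqlite3

# Column names are assumptions derived from the field list in the text.
SCHEMA = """CREATE TABLE results (
  campaign_id INTEGER, launch_date TEXT, lure_category TEXT, department TEXT,
  role_level TEXT, tenure_bracket TEXT, prior_trainings INTEGER, email TEXT,
  delivery_status TEXT, open_ts TEXT, click_ts TEXT, submit_ts TEXT,
  PRIMARY KEY (campaign_id, email))"""

C1, C2 = "2026-01-05", "2026-02-02"
# Constructed rows: campaign, launch, department, role, tenure, email, click_ts
ROWS = [
    (1, C1, "finance", "analyst", "0-90d", "ana@example.com", C1 + "T09:00:40Z"),
    (1, C1, "finance", "analyst", "0-90d", "bo@example.com", C1 + "T09:12:00Z"),
    (1, C1, "finance", "analyst", "90d+", "cy@example.com", None),
    (1, C1, "finance", "analyst", "90d+", "di@example.com", C1 + "T11:00:00Z"),
    (1, C1, "it", "service desk", "90d+", "ed@example.com", None),
    (2, C2, "finance", "analyst", "0-90d", "ana@example.com", None),
    (2, C2, "finance", "analyst", "0-90d", "bo@example.com", C2 + "T09:03:00Z"),
    (2, C2, "finance", "analyst", "90d+", "cy@example.com", None),
    (2, C2, "finance", "analyst", "90d+", "di@example.com", None),
]

def load(rows):
    """Create the results table in memory and insert one row per recipient."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO results (campaign_id, launch_date, department, role_level,"
        " tenure_bracket, email, click_ts, lure_category, delivery_status)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, 'credential harvest', 'delivered')", rows)
    return db

def segment_trend(db, min_cell=2):
    """Click rate per launch date x department x role x tenure bracket.
    Cells smaller than min_cell report a rate of None."""
    q = """SELECT launch_date, department, role_level, tenure_bracket,
                  COUNT(*), SUM(click_ts IS NOT NULL)
           FROM results WHERE delivery_status = 'delivered'
           GROUP BY 1, 2, 3, 4 ORDER BY 1, 2, 3, 4"""
    return [(d, dep, role, ten, n, clicks / n if n >= min_cell else None)
            for d, dep, role, ten, n, clicks in db.execute(q)]
```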

Closing the Loop to Training

GoPhish results are only half of the measurement equation. The other half is training completion and effectiveness data. Without connecting simulation results to your LMS or training platform data, you cannot close the feedback loop.

The connection to make: when an employee clicks a lure, log that event with timestamp. Track whether the employee completes the assigned remedial training and when. Then measure that employee's behavior in the next campaign cycle. The question you are trying to answer is whether your training intervention actually changes behavior, not just whether it gets completed.
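The feedback loop above as a cohort comparison. This is an added example, not part of the original post: it assumes you already have per-recipient click timestamps from one cycle, training completion dates from your LMS, and the next cycle's recipients and clickers. All names, dates and the record layout are constructed.

```python
from datetime import datetime
from statistics import median

D = datetime.fromisoformat
# Constructed sample data; addresses, dates and the record layout are assumptions.
CLICKED_1 = {"ana@example.com": D("2026-01-05"), "bo@example.com": D("2026-01-05"),
             "cy@example.com": D("2026-01-06"), "di@example.com": D("2026-01-06"),
             "ed@example.com": D("2026-01-06")}          # lure clicks, cycle 1
TRAINED = {"ana@example.com": D("2026-01-08"), "bo@example.com": D("2026-01-20"),
           "cy@example.com": D("2026-02-10"), "ed@example.com": D("2026-01-13")}
NEXT_LAUNCH = D("2026-02-02")                            # cycle 2 launch date
RECEIVED_2 = set(CLICKED_1)                              # all five targeted again
CLICKED_2 = {"bo@example.com", "di@example.com"}         # lure clicks, cycle 2

def training_effect(clicked, trained, next_launch, received_next, clicked_next):
    """Compare re-click rates of clickers who finished training before the next
    campaign with those who did not, and report time to remediation."""
    cohorts = {"trained_in_time": [], "not_trained_in_time": []}
    for email in clicked:
        if email not in received_next:
            continue                      # not targeted again: outcome unknown
        done = trained.get(email)
        in_time = done is not None and done < next_launch
        cohorts["trained_in_time" if in_time else "not_trained_in_time"].append(email)
    report = {}
    for name, members in cohorts.items():
        again = sum(e in clicked_next for e in members)
        report[name] = {"n": len(members),
                        "reclick_rate": again / len(members) if members else None}
    # Days from the click to training completion, for everyone who completed.
    days = [(trained[e] - t).days for e, t in clicked.items()
            if e in trained and trained[e] >= t]
    report["median_days_to_remediation"] = median(days) if days else None
    return report
```

Each cohort's `n` is reported next to its rate because a difference between cohorts of two or three people is not evidence of a training effect.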

Organizations that close this loop typically find that click-through remedial training has a modest and short-lived effect on susceptibility. More durable behavior change comes from combining immediate simulation feedback, manager-level conversations, and repeated exposure to simulations calibrated to the specific lure types the employee previously failed. That program design requires the data infrastructure described above to implement at scale.

A well-run simulation program produces evidence, not just reports. The difference is in how you structure, store, and analyze the data from every campaign cycle.
