Security Awareness Testing Platform

GoPhish Cloud

Phishing simulation with built-in post-click training modules and interactive quizzes — so every simulated attack becomes a teachable moment. Reduce successful phishing attacks by 45% through continuous testing and targeted micro-training.

Powered by GoPhish open-source

Deploy on AWS Deploy on Azure Book a Demo

The Phishing Problem

83% of organizations experienced phishing attacks in 2023. Security awareness training isn't optional: it's mandatory for compliance and essential for defense.

Traditional Challenges

  • Commercial tools cost $5-$50 per user annually
  • Limited customization and template options
  • SaaS-only solutions create data privacy concerns
  • Complex setup taking days or weeks
  • Vendor lock-in with proprietary platforms

GoPhish Cloud Solution

  • 90% cost savings vs. commercial alternatives
  • Post-click training quizzes tied to campaign results
  • Unlimited customization and white-labeling
  • Self-hosted on your AWS/Azure infrastructure
  • One-click deployment in under 5 minutes
  • Open-source GoPhish core with enterprise support
Deploy Now →
VS

See GoPhish Cloud in Action

Intuitive dashboard and campaign management — from phishing simulation to post-click training, all in one platform.

GoPhish Dashboard

Real-Time Campaign Dashboard

Monitor all your phishing simulations from a single, unified dashboard. Track open rates, click-through rates, and user submissions in real-time.

GoPhish Campaign Management

Campaign Management

Create and manage sophisticated phishing campaigns with email templates, landing pages, and automated user groups. Schedule campaigns and track employee progress over time.

GoPhish Sending Profiles

Email Sending Profiles

Configure SMTP settings and sender profiles to ensure your phishing simulations deliver successfully and appear authentic to your team.

Book a Demo

Enterprise-Grade Features

Campaign Management

Create unlimited phishing campaigns with scheduling, send windows, and automated lifecycle management. Clone successful campaigns and track historical trends.

Email Templates

Design realistic phishing emails with dynamic personalization, file attachments, and automatic tracking pixels. Import from real-world threats.

Landing Pages

Clone any website or build custom landing pages. Capture credentials safely, track interactions, and redirect to security awareness training.

Real-Time Analytics

Track opens, clicks, submissions, and reports in real-time. Individual user timelines, aggregate statistics, and exportable compliance reports.

Multi-User Collaboration

Role-based access control (Admin/User/Read-Only). Multiple security team members can manage campaigns simultaneously with audit logging.

REST API & Webhooks

Complete API coverage for automation. Real-time webhooks for SIEM integration, ticketing systems, and custom workflows.

New Feature

Post-Click Training Modules

When an employee clicks a simulated phishing link, they see a brief interactive quiz instead of a dead-end warning page. Quiz scores and completion data are automatically recorded in campaign results — turning every simulated attack into a documented training event.

Book a Demo

Common Use Cases

Compliance

Security Awareness Training

Meet PCI-DSS, HIPAA, and SOC 2 requirements for documented security awareness training. Quarterly phishing simulations with measurable improvement metrics and auditor-ready reports.

Testing

Penetration Testing

Assess client phishing susceptibility during security assessments. Professional reporting, detailed evidence collection, and client-ready deliverables for consulting engagements.

Monitoring

Continuous Testing

Automated monthly campaigns to measure organizational resilience over time. Identify vulnerable individuals, departments, or business units for targeted training.

Incident Response

Reporting Culture

Train employees to report suspicious emails with one-click reporting buttons. Track reporting rates and reward positive security behaviors.

Book a Demo → Start Free Trial →

Simple, Transparent Pricing

Pay only for what you use. No per-user fees. No vendor lock-in.

GoPhish Cloud
$0.24/vCPU/hour
or $3,600/year for recommended 2 vCPU instance
💰 Save ~15% Annually

What's Included

  • Unlimited users and campaigns
  • All core features included
  • Self-hosted deployment on your AWS/Azure
  • 30-day free trial on AWS or Azure
  • Baseline support (8am-5pm MT)
Free Trial on AWS Free Trial on Azure Contact Sales

Support Options

Standard

Free
  • Email support (3-5 days)
  • Community Discord
  • Public documentation
  • GitHub issue tracking
MOST POPULAR

Professional

$500/month
  • Everything in Standard
  • Priority Discord support
  • Email support (24hr SLA)
  • Deployment assistance

Enterprise

$1,500/month
  • Everything in Professional
  • 24/7 priority support
  • Dedicated Slack channel
  • 10 hours/month engineering
View Full Pricing Details →

Note: Pricing is $0.24/vCPU/hour via AWS or Azure Marketplace. This includes the software and infrastructure in a single marketplace bill. Typical deployments run on a 2 vCPU instance (~$350/month).

Technical Architecture

Technology Stack

  • Backend: Go 1.10+ (single binary, no dependencies)
  • Database: PostgreSQL, MySQL, or SQLite
  • Email: SMTP (SES, SendGrid, custom)
  • Deployment: Docker, VM, or Kubernetes
  • Ports: Admin (3333), Phishing (80/443)

Cloud Deployment Options

  • AWS: EC2, RDS, SES, Load Balancer
  • Azure: VMs, Database, SendGrid, App Gateway
  • Scalability: 50 to 50,000+ users
  • High Availability: Multi-AZ deployment
  • Security: TLS 1.2+, bcrypt, API keys
Download Architecture Diagram (PDF)

Best Practices for Phishing Simulations

Learn from thousands of successful campaigns to maximize training effectiveness.

Campaign Planning

  • Start Simple: Begin with obvious emails, gradually increase difficulty.
  • Quarterly Cadence: Run campaigns every 3 months for optimal awareness.
  • Department Targeting: Focus on high-risk teams (finance, HR, IT) first.
  • Timing Matters: Send during business hours (9am-3pm) for realism.
  • Progressive Difficulty: Move from generic to spear phishing over time.

Email Template Design

  • Use Real Threats: Model templates after actual campaigns in your industry.
  • Avoid Obvious Red Flags: Skip poor grammar in early campaigns.
  • Brand Familiarity: Impersonate services employees use (Microsoft, Slack).
  • Urgency Tactics: Include realistic time pressure (password expiration).
  • Test First: Send test campaigns to security team before rollout.

Post-Campaign Actions

  • Immediate Education: Display training content, not just warnings.
  • Individual Follow-up: Provide personalized training for repeat clickers.
  • Positive Reinforcement: Recognize employees who report suspicious emails.
  • Metrics Tracking: Monitor click, submission, and reporting rates.
  • Executive Reporting: Share anonymized results quarterly with leadership.

Compliance & Ethics

  • Transparent Program: Announce simulations will occur throughout the year.
  • No Punishment: Focus on training, not disciplinary action.
  • Data Privacy: Store results securely, limit access to security team.
  • Accessibility: Ensure landing pages are WCAG compliant.
  • Legal Review: Have HR and legal review approach before launch.
View Full Documentation

Post-Click Training Modules

Every simulated phishing click becomes a documented micro-training event — automatically.

How It Works

  1. Employee clicks a simulated phishing link
  2. GoPhish records the click event in campaign results
  3. Employee is served a training landing page with a 5-question interactive quiz
  4. Quiz covers red flags in the specific email, reporting procedures, and best practices
  5. On completion, the quiz score and answers are submitted back to GoPhish as campaign data
  6. Your campaign report shows click rate, quiz completion rate, and average score side by side

Why It Matters for Compliance

  • PCI-DSS 12.6: Requires documented security awareness training — quiz completion records satisfy this
  • HIPAA: Workforce training must be documented and measurable
  • SOC 2: Auditors expect evidence of a training program, not just simulations
  • Cyber Insurance: Carriers increasingly require documented SAT completion records
  • Trend Tracking: Average quiz score per department over time shows training effectiveness

What the Quiz Covers

  • Red flags in the specific phishing email (urgency, spoofed sender, suspicious links)
  • Correct reporting procedure for your organization
  • What NOT to do when you suspect a phishing email
  • How to verify a sender's identity before clicking
  • What to do if credentials were entered on a phishing page

Quiz templates are fully customizable HTML — adapt questions to your industry, policies, or specific campaign scenario.

Campaign Result Integration

Quiz completion is tracked natively through GoPhish's existing data capture — no external systems required. Each recipient's campaign record shows:

  • Clicked link: Yes / No
  • Training quiz completed: Yes / No
  • Quiz score: X / 5
  • Time to complete training
  • Individual question responses (for audit)

How GoPhish Cloud Compares

FeatureGoPhish CloudKnowBe4Proofpoint
Pricing ModelInfrastructure only$20-50/user/year$25-60/user/year
Data PrivacyYour cloud accountThird-party SaaSThird-party SaaS
Custom TemplatesUnlimitedLimitedLimited
API AccessFull REST APILimited APIEnterprise only
Deployment Time5-10 minutesSales processSales process
White LabelingFull controlLimitedNo
Post-Click Training QuizzesBuilt-inPaid add-onPaid add-on
Open SourceYes (GoPhish core)NoNo

Total Cost Comparison (500 users):
GoPhish Cloud: ~$4,200/year (2 vCPU) | KnowBe4: ~$15,000/year | Proofpoint: ~$20,000/year

Talk to Sales Deploy on AWS →

Frequently Asked Questions

How is GoPhish Cloud different from open-source GoPhish?

GoPhish Cloud is powered by open-source GoPhish and adds three layers on top: (1) production-ready infrastructure with automated deployment, SSL management, database backups, and security hardening; (2) post-click training modules with interactive quizzes that report completion data back into campaign results; and (3) enterprise support with SLA-backed response times.

What does deployment actually cost on AWS/Azure?

GoPhish Cloud is priced at $0.24/vCPU/hour through AWS and Azure Marketplace. A typical 2 vCPU deployment costs approximately $350/month (~$4,200/year). This is a single marketplace bill that includes both software and infrastructure. Total cost is still 70-80% less than commercial alternatives like KnowBe4 or Proofpoint.

Is my phishing campaign data secure and private?

Absolutely. Your GoPhish deployment runs on YOUR AWS or Azure infrastructure. All campaign data, email templates, and results stay in your cloud account. We never have access. You control the encryption keys, network access, and data retention policies. This is true data sovereignty.

Can I customize phishing templates?

Yes! GoPhish Cloud supports fully customizable email templates, landing pages, and sender profiles. Use HTML/CSS to create templates that match real phishing campaigns targeting your industry. Import templates from the community or build your own from scratch.

How do I send emails? Do I need my own mail server?

GoPhish Cloud supports multiple email providers: AWS SES (recommended), SendGrid, Mailgun, or your own SMTP server. AWS SES costs $0.10 per 1,000 emails and includes built-in deliverability features. We provide configuration guidance for each option.

Does this work with my SSO/SAML/Active Directory?

Enterprise tier includes SSO integrations (SAML 2.0, OAuth 2.0). You can import user lists via CSV or API from your identity provider. Active Directory integration is available through LDAP sync for automated user group management.

What compliance requirements do you support?

HailBytes follows enterprise-grade security practices aligned with SOC 2 and ISO 27001 frameworks. GoPhish Cloud supports compliance requirements for PCI-DSS (Requirement 12.6), HIPAA, GDPR, and other frameworks that mandate security awareness training. Post-click training quiz completion records provide auditor-ready evidence of documented, measurable training delivery.

How do post-click training modules work?

When an employee clicks a simulated phishing link, they're served a branded landing page with a 5-question interactive quiz instead of a generic warning. The quiz covers red flags from the specific email, reporting procedures, and security best practices. On completion, the score and answers are submitted back to GoPhish using its native form-capture mechanism — no external systems required. Your campaign report then shows click rate, training completion rate, and average quiz score for each recipient.

How quickly can I deploy and launch my first campaign?

AWS/Azure deployment takes 5-10 minutes. After deployment, you can launch your first phishing campaign in under 30 minutes. Create a template, upload target users, configure sending profile, and launch. Our quick start guide walks you through the entire process.

What kind of support do you provide?

Professional tier includes email support (72-hour response time). Enterprise tier adds 24/7 priority support, dedicated Slack channel, and quarterly training sessions. All tiers include comprehensive documentation, video tutorials, and access to our community forum.

Can I try it before committing to an annual license?

Yes! We offer a 30-day free trial for all marketplace deployments. Deploy with Standard (free) support included to test the platform. You can also contact sales for a 30-day Professional support trial. You only pay infrastructure costs during the trial. No software license fees until you commit.

Related Resources

New Tutorial

Post-Click Training Modules

Set up interactive quiz landing pages that report quiz scores back into GoPhish campaign results.

View Tutorial →
Tutorial

Quarterly Phishing Campaigns

Learn how to create progressive phishing simulations that track improvement over time.

View Tutorial →
Tutorial

Executive Spear Phishing

Test C-level executives with highly personalized campaigns and private reporting.

View Tutorial →
Blog Post

Email Deliverability Best Practices

Ensure your phishing simulations reach inbox, not spam folder.

Read Article →
Blog Post

GoPhish Cloud Deployment in 5 Minutes

Step-by-step guide to launching production-ready phishing simulations quickly.

Read Article →
Documentation

Complete Documentation

Deployment guides, API references, and video tutorials for GoPhish Cloud.

View Docs →
Compare

GoPhish Cloud vs Alternatives

See how GoPhish Cloud compares to other security awareness testing platforms.

Compare →
Deploy

Deploy on AWS or Azure

One-click deployment to AWS or Azure marketplace in under 5 minutes.

Deploy Now →

Complete Your Security Stack

Recommended Pairing

Pair with reNgine Cloud

For comprehensive security testing: Use reNgine to discover your attack surface and identify vulnerabilities, then test and train your team with GoPhish Cloud to defend against the social engineering attacks that target those weaknesses.

  • Identify external exposure with reconnaissance
  • Test human defenses with phishing simulation
  • Build complete security awareness program
Learn About reNgine →

Ready to test and train your team?

Deploy GoPhish Cloud in minutes and start measuring your organization's phishing resilience — with training quizzes that run automatically after every simulated attack.

Deploy on AWS Deploy on Azure Talk to Sales