Post-Click Training Modules
Turn every simulated phishing click into a documented training event — with quiz scores automatically recorded in your campaign results.
Overview
Standard GoPhish deployments show employees a static warning page after they click a phishing link. GoPhish Cloud extends this with a post-click interactive training quiz that:
- Presents 5 phishing-awareness questions tailored to the campaign scenario
- Gives immediate feedback with explanations for each answer
- Submits quiz score and individual question responses back to GoPhish's campaign data
- Lets you report click rate, training completion rate, and average quiz score side by side
- Generates auditor-ready evidence of documented, measurable training delivery
Prerequisites
See It in Action, Then Download
Try the interactive demo to experience the full employee journey — then download the template to deploy it in your own campaigns.
Open source — customize questions, branding, and pass threshold freely.
How It Works
Import the Quiz Landing Page into GoPhish
In your GoPhish dashboard, navigate to Landing Pages → New Page.
Give it a name like "GoPhish Cloud Training Quiz".
Click HTML in the editor toolbar and paste the full contents of the
downloaded hailbytes-satp-quiz-landing-page.html file.
- Enable "Capture Submitted Data" — this is what records quiz scores
- Set Redirect URL to your security policy page or leave blank
- Do not enable "Capture Passwords" — quiz submissions contain no credentials
Assign the Landing Page to Your Campaign
When creating or editing a campaign, under Landing Page select
"GoPhish Cloud Training Quiz".
When a recipient clicks the phishing link in the email, GoPhish records the Clicked Link event, then serves them the quiz landing page.
The Employee Completes the Quiz
The quiz page shows the employee a non-shaming reveal message, then walks them through 5 questions about phishing red flags, reporting procedures, and best practices. Each answer includes an immediate explanation — right or wrong.
On completing the final question, the quiz shows the employee their score and a summary of key takeaways. In the background, quiz results are submitted to GoPhish.
Quiz Data Is Recorded in Campaign Results
GoPhish's built-in data capture records the quiz submission as a Submitted Data event on that recipient's campaign record. No external systems or webhooks required.
In the campaign results view, clicking a recipient's name shows their full event timeline:
Submitted Data {
quiz_score: "4/5",
quiz_passed: "true",
quiz_pct: "80%",
q1_correct: "correct",
q2_correct: "incorrect",
q3_correct: "correct",
q4_correct: "correct",
q5_correct: "correct"
}
Export Results for Compliance Reporting
Export the campaign results as CSV from the GoPhish dashboard
(Campaign → Export CSV). The exported file includes each
recipient's submitted data fields — including quiz_score,
quiz_passed, and per-question results.
This gives you a documented, per-employee training record that satisfies PCI-DSS 12.6, HIPAA workforce training documentation requirements, and SOC 2 security awareness controls.
Customizing the Quiz
The template is fully open. Open hailbytes-satp-quiz-landing-page.html in any
text editor and find the QUIZ_DATA array near the bottom of the file.
QUIZ_DATA structure
{
q: "Your question text here",
options: [
"Option A",
"Option B (correct)",
"Option C",
"Option D"
],
correct: 1, // 0-based index of the correct option
explanation: {
right: "Shown when the employee answers correctly.",
wrong: "Shown when incorrect — explains the right answer."
}
}Common customizations:
- Campaign-specific questions — reference the exact email used in the campaign ("What was the sender domain in the email you received?")
- Industry-specific scenarios — healthcare, financial services, and government each have distinct phishing patterns
- Reporting procedures — replace the generic "IT security team" with your organization's actual reporting address or button
- Pass threshold — change the
score >= 4line to adjust what counts as passing - Branding — update colors in the
<style>block and the footer organization name
Frequently Asked Questions
Does this require changes to GoPhish itself?
No. The quiz landing page uses GoPhish's existing landing page and data capture features. You're importing a more sophisticated HTML page — GoPhish doesn't need to be modified or patched.
What if an employee doesn't complete the quiz?
GoPhish will show Clicked Link in the campaign results but no Submitted Data event. This tells you the employee clicked but did not complete training — useful for follow-up targeting. You can filter campaign exports for recipients with a click event but no submission to identify who needs additional outreach.
Can I use this on campaigns where I also capture credentials?
Credential-capture and training are typically on separate landing pages. A common approach: use a credential-capture landing page that redirects (via GoPhish's "Redirect URL" field) to a static training page after submission. For a fully integrated quiz experience, use the quiz template as the primary landing page — it serves both the training content and captures quiz data, while credential capture is handled by GoPhish's tracking of the original click.
Does the quiz data persist if GoPhish is redeployed?
Quiz results are stored in GoPhish's campaign results database alongside all other campaign events. They persist as long as the GoPhish database is maintained. Export campaign results to CSV after each campaign cycle for long-term record keeping.
Can I add more than 5 questions?
Yes — add as many objects to the QUIZ_DATA array as you need.
The progress bar and question counter update automatically. For compliance use cases,
5–10 questions is typical; more than 15 risks completion fatigue.