Most enterprise phishing simulation tools charge $3-5 per user per year. For a 10,000 person company, that's $30,000-50,000 annually.
We run unlimited simulations on a $37/month Azure VM.
The Tool: GoPhish
GoPhish is an open-source phishing simulation framework. It's been around for 10+ years, has 10,000+ installations, and is MIT licensed.
I've supported it for the last 8 years or so, since early 2018, maintaining the core repo and answering issues as they've popped up.
You can:
- Create realistic phishing campaigns
- Track who opens, clicks, and submits credentials
- Measure improvement over time
- Import thousands of targets via CSV
The problem? Vanilla GoPhish lacks enterprise basics: no MFA, no encryption at rest, no audit logging.
What We Added
We forked GoPhish and added what production environments actually need:
| Feature | Why It Matters |
|---|---|
| MFA/TOTP | Your admin panel shouldn't be a security hole |
| SSO (Google/Microsoft) | One-click login for your team |
| AES-256 encryption | Stored credentials aren't plaintext anymore |
| Audit logging | SIEM export for compliance |
| White-label branding | Your logo, not ours |
| One-click deployment | Azure/AWS in ~5 minutes |
Quick Start (Azure)
- Create an Ubuntu 24.04 VM from the GoPhish 0.14.2 public image on Azure (Standard_B2s = $37/month)
- Get your auto-generated admin password from the Azure Serial Console
- Log in at https://your-ip:3333
The setup script handles systemd services, TLS certificates, and Ubuntu hardening.
Cost Comparison
| Solution | Cost for 10,000 users per year |
|---|---|
| KnowBe4 | ~$30,000 |
| Proofpoint | ~$40,000 |
| Cloud-hosted GoPhish | ~$3,600 |
| Self-hosted GoPhish | ~$360 |
Same capabilities. Fraction of the cost. Your data stays on your infrastructure.
Links
- GitHub: github.com/HailBytes/gophish
- Azure Marketplace: Search "GoPhish" or "HailBytes"
Questions? Drop them in the comments. Cheers.