Serious Discussion PhishSim — Affordable Phishing Simulation Platform for SMBs and IT Pros

Edgeiqlabs

May 17, 2026
Hey MalwareTips community,

Long-time lurker, wanted to share something I've been building that might be useful to people here who do security work for small businesses or manage their own org's awareness training.

The problem: Phishing simulation tools like KnowBe4 and Proofpoint are priced for enterprise. If you're an IT admin at an SMB or running security for a small team, you're either doing it manually with GoPhish (which requires real setup effort) or just not doing it at all.

What I built: PhishSim — a hosted, multi-tenant GoPhish platform that provisions a dedicated instance per customer automatically. Under the hood it's GoPhish with a clean dashboard on top, automated via Docker + Cloudflare Pages + Stripe.

What's included out of the box:

  • 20+ pre-built email templates (M365 password expiry, DocuSign, CEO wire transfer, FedEx, IT helpdesk, Apple ID, LinkedIn, PayPal, Amazon, Slack — the ones that actually fool people)
  • Matching credential-capture landing pages for each
  • Two SMTP profiles: local Postfix for corporate targets behind managed gateways, Resend for Gmail/personal inboxes
  • Whitelist instructions for M365, Google Workspace, Mimecast, Proofpoint, and Barracuda included in onboarding
  • Real-time campaign dashboard — opens, clicks, credential submissions

Pricing: $49/month per instance. No annual contract.

If anyone here uses GoPhish for client engagements or internal testing and wants a managed alternative, happy to answer questions. Also open to feedback from the community on templates, detection evasion techniques to test against, or anything else.

edgeiqlabs.com/services.html

(Full disclosure: I built this)
Thanks for disclosing that you built it.

General feedback

A managed phishing simulation platform can be useful for small organizations that do not have the time to deploy and maintain GoPhish themselves. The hosted, per-customer model and simpler onboarding are the parts that will likely matter most to SMB admins.

What to be careful about

  • Avoid discussing or adding “detection evasion” features. That crosses into dual-use territory very quickly and is not something I can help with.
  • Be very clear about guardrails: authorized use only, tenant isolation, audit logging, rate limits, and abuse prevention.
  • A product like this also needs strong handling for captured credentials and campaign data. In general, many admins will want to know whether credentials are stored, hashed, truncated, or discarded immediately.
  • Document how mail sending is controlled, how domains are configured, and what prevents misuse of the platform for real phishing.
  • If you target SMBs, clear documentation and safe defaults may matter more than a large template library.

Questions security-minded users will likely ask

  • How is tenant separation implemented and tested?
  • What logs are kept for admin actions and campaign activity?
  • What abuse checks exist before a customer can send campaigns?
  • How are landing pages isolated and retired after campaigns end?
  • What data is encrypted at rest and in transit?
  • What is the retention policy for recipient data, results, and submitted credentials?
  • How do you handle legal and consent requirements for customers in different regions?

Practical improvement ideas

  • Add a strong “safe mode” that disables credential storage by default.
  • Provide post-campaign education pages and remediation tips rather than focusing only on click or submit rates.
  • Offer role-based reporting for MSPs versus internal admins.
  • Publish clear documentation on supported mail providers, deliverability limitations, and false-positive expectations.
  • Consider a transparent security page covering architecture, abuse prevention, and data handling.

Bottom line

The SMB angle makes sense, but the security controls and abuse-prevention story will be just as important as the feature list. If you present it here, focusing on authorized training, tenant security, and data handling will likely get a better response than talking about bypass or evasion.
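One way to build the "safe mode" credential handling the reply asks for, as an added Go example (not code from PhishSim or GoPhish): the landing-page handler records only that a submission happened by default, and the Truncate and HashOnly modes are opt-in per tenant. The tenant, campaign and recipient identifiers, the per-tenant HMAC key and the form field name are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/url"
	"strings"
)

// Mode controls what an instance keeps from a submitted login form.
// Discard is the suggested default ("safe mode"); the others are opt-in per tenant.
type Mode int

const (
	Discard  Mode = iota // keep only the fact that a submission happened
	Truncate             // first character plus a mask, enough for a coaching page
	HashOnly             // HMAC under a per-tenant key, so repeats match without plaintext
)

// SubmissionEvent is what the dashboard persists; it never holds the raw password.
type SubmissionEvent struct {
	TenantID, CampaignID, RecipientID string
	Submitted                         bool
	Evidence                          string // empty in Discard mode
}

// RecordSubmission parses a landing-page POST body (x-www-form-urlencoded) and returns the
// event to store, with the password minimised per mode. key is a hypothetical per-tenant secret.
func RecordSubmission(tenant, campaign, recipient, body string, mode Mode, key []byte) (SubmissionEvent, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return SubmissionEvent{}, err
	}
	pw := form.Get("password")
	ev := SubmissionEvent{TenantID: tenant, CampaignID: campaign, RecipientID: recipient, Submitted: pw != ""}
	switch {
	case pw == "": // nothing to minimise
	case mode == Truncate:
		r := []rune(pw)
		ev.Evidence = string(r[:1]) + strings.Repeat("*", len(r)-1)
	case mode == HashOnly:
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(tenant + ":" + pw))
		ev.Evidence = hex.EncodeToString(mac.Sum(nil))
	}
	return ev, nil // the plaintext leaves scope here and is never written to a log
}

func main() {} // empty so the file also builds as a program
```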