Security Awareness · Phishing Simulation

Phishing Campaigns.
From Setup to Results.

A full-cycle phishing simulation platform for security consultants — design email campaigns, craft realistic landing pages, track every click and submission, and report with clarity.

Dashboard preview (Campaigns · Results · Templates): 3 running, 1,247 total targets, 23% click rate.
  • Complete: Acme Corp — IT Helpdesk Spoof (89 captured)
  • Running: BetaFinance — Password Reset (in progress)
  • Draft: Gamma Tech — CEO Spearphish (awaiting launch)
  • Scheduled: Delta Retail — Bulk Awareness (launch in 2 days)

5 Campaign Stages · 4 Tracking Event Types · 2 Role Tiers · AI Content Generation

Platform Features

Everything Needed to Run Phishing Simulations

Built for security consultants — end-to-end campaign management with content authoring, real-time tracking, and results analysis.

📋

Campaign Builder

Multi-step guided setup: choose targets, assign email and landing page templates, configure an SMTP profile, and set a schedule — with live preview before launch.

👥

Target Management

Import targets in bulk via CSV upload. Manage individual targets and groups, with per-target tracking across all campaigns they appear in.

✉️

Email Template Editor

WYSIWYG rich-text email composer with a reusable template library. Supports dynamic variables for personalised per-target content at send time.

🌐

Landing Page Designer

Build credential-harvesting landing pages with a visual editor. Configure a branded thank-you page shown after submission, with full HTML control.

📡

SMTP Profile Management

Define and store multiple sending profiles — each with its own server, credentials, and sender identity. Send a test email directly from any profile to verify deliverability.

📊

Real-time Results Dashboard

Per-campaign and per-target event timeline — emails sent, opened, links clicked, and credentials submitted. Filterable view with exportable summary data.

🤖

AI-Generated Email & Landing Page Content

Describe the pretext in plain language — AI generates a convincing phishing email and a matching landing page in one request. Adjust tone, branding colour, and style, then insert the output directly into the campaign editor for final review before launch.

Campaign Workflow

Five Stages from Setup to Completion

Campaigns follow a structured state machine — each stage gates the actions available, preventing premature launches or incomplete configurations.

  1. Setup: Configure targets, templates, SMTP profile, and send schedule
  2. Draft: Review campaign details and preview email & landing page
  3. Test: Send a test email to verify deliverability and rendering
  4. Running: Campaign live, with emails dispatched and events tracked in real time
  5. Complete: Campaign closed, with full results available for reporting
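
The stage gating described above, sketched as an added example (not the platform's own code). The five stage names come from the page; the action names, configuration fields and guard rules are assumptions made for illustration.

```javascript
// Stage names are from the page; everything else here is a hypothetical model.
const STAGES = ['Setup', 'Draft', 'Test', 'Running', 'Complete'];

// Actions each stage permits (assumed mapping, deny by default).
const ALLOWED = {
  Setup: ['configure'],
  Draft: ['preview'],
  Test: ['sendTest'],
  Running: ['recordEvent'],
  Complete: ['exportResults'],
};

// Configuration that must be present before leaving Setup (assumed field names).
const REQUIRED_FIELDS = ['targets', 'emailTemplate', 'landingPage', 'smtpProfile', 'schedule'];

// An empty target list counts as "not set".
const isSet = (v) => (Array.isArray(v) ? v.length > 0 : Boolean(v));

class Campaign {
  constructor() {
    this.stage = 'Setup';
    this.config = {};
    this.testSent = false;
  }

  can(action) {
    return ALLOWED[this.stage].includes(action);
  }

  perform(action, payload = {}) {
    if (!this.can(action)) throw new Error(`${action} not allowed in ${this.stage}`);
    if (action === 'configure') Object.assign(this.config, payload);
    if (action === 'sendTest') this.testSent = true;
    return this.stage;
  }

  // Move forward exactly one stage, and only if the current stage's guard passes.
  advance() {
    if (this.stage === 'Complete') throw new Error('campaign already complete');
    const missing = REQUIRED_FIELDS.filter((f) => !isSet(this.config[f]));
    if (this.stage === 'Setup' && missing.length) {
      throw new Error(`incomplete configuration: ${missing.join(', ')}`);
    }
    if (this.stage === 'Test' && !this.testSent) throw new Error('test email not sent');
    this.stage = STAGES[STAGES.indexOf(this.stage) + 1];
    return this.stage;
  }
}
```

Because a campaign can only move one stage at a time and each move is guarded, it cannot reach Running without a complete configuration and a sent test email.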

Event Tracking

Four Tracking Events per Target

  • 📨 Email Sent: Recorded the moment Nodemailer successfully dispatches the phishing email to the target's address.
  • 👁️ Email Opened: Detected via a 1×1 tracking pixel embedded in the email body; records timestamp and IP on load.
  • 🔗 Link Clicked: Tracked when the target clicks the phishing link, which is routed through a redirect handler before landing on the phishing page.
  • 🎣 Credentials Submitted: Recorded when the target submits the landing page form; captures the event without storing credential values.

Access Control

Role-Based Access Control

Microsoft Entra ID authentication with two role tiers — platform-wide admin control and an operator scope for campaign work.

Admin: Full platform access
  • Manage all users and role assignments
  • Create, edit, launch, and delete campaigns
  • Manage clients, SMTP profiles, and templates
  • Access full results and audit history
  • Configure platform settings and integrations
Operator: Campaign-scoped access
  • Create and manage own campaigns
  • Author and use email & landing page templates
  • Import and manage target lists
  • View campaign results and per-target events
  • No access to user management or global settings

Tech Stack

Built on Proven, Production-Ready Infrastructure

Node.js at the core, AWS for cloud primitives, and hardened with defence-in-depth security controls.

Node.js + Express
Microsoft Entra ID
AWS DynamoDB
AWS S3
AWS SSM Parameter Store
Docker + ECS Fargate
AI API
Nodemailer
Helmet + CSRF
Passport.js
node-cron
Rate Limiting

Structured Simulations. Actionable Results.

From first campaign to final report — everything in one platform built for security professionals.
