Back to blog
Guides

GoPhish vs NovaShield: commercial solution or open source

NAIT-YOUCEF KaciNAIT-YOUCEF Kaci
July 3, 202611 min read
GoPhish vs NovaShield: commercial solution or open source

GoPhish is one of the world's best-known open source phishing simulation tools. Free, respected by the security community, with over 13,000 GitHub stars.

So why are more and more SMEs moving from GoPhish to managed solutions? Because testing phishing and running a continuous awareness programme are two different things, and GoPhish was never designed for the latter.

This comparison presents the facts. GoPhish has real strengths. NovaShield addresses different needs.

GoPhish in brief

GoPhish is an open source phishing simulation framework created by Jordan Wright in 2016. Written in Go and distributed under the MIT licence, the project is hosted on GitHub and has accumulated over 13,000 stars.

The concept: you install GoPhish on your server, configure a sending SMTP, create email templates and landing pages, then launch campaigns. The web interface displays results: emails sent, opened, links clicked, credentials submitted.

Important points:

  1. No company behind GoPhish. Community project, no commercial support, no SLA, no guaranteed roadmap.
  2. Popular with pentesters and red teamers. GoPhish is a penetration testing tool before it is an awareness tool. The community uses it primarily for one-off tests during security audits.
  3. Self-hosted only. No official SaaS version. You must provision a server, install the binary, configure the network and maintain the infrastructure.
  4. Latest stable release: 0.12.1 (according to the GitHub repository). Development pace has slowed in recent years.

GoPhish remains a reference in the field of phishing and social engineering. It democratised phishing simulation by making it accessible to anyone who can administer a Linux server.

What GoPhish does well

GoPhish is a good tool for what it does. Criticising it for not being a managed SaaS would be like blaming a screwdriver for not being a drill.

Free and open source, without compromise. MIT licence, commercial use without restriction. No licence to renew, no per-user pricing. For an organisation with a near-zero security budget, this is a strong argument.

Complete control over data. On-premise hosting means your data never leaves your infrastructure. No third party accesses your employees' email addresses or campaign results.

Well-documented REST API. Automate campaign creation, user import, and result retrieval. Python scripts and community integrations exist.

Active community. The GitHub wiki, issues and community tutorials cover the majority of use cases.

Reference tool for pentests. For a red teamer conducting a one-off spear phishing test, GoPhish is often the best choice: configure a targeted campaign, measure results, produce a report, move to the next client.

What are GoPhish's limitations for an SME awareness programme?

The problem is not what GoPhish does. It is what it does not do, and what you will have to do in its place.

Installation and maintenance: the invisible IT time

Installing GoPhish is not a click on "Start". The process involves:

  1. Provisioning a Linux server (VPS or dedicated machine)
  2. Installing and configuring GoPhish (binary or Docker)
  3. Configuring a sending SMTP server (with authentication, SPF, DKIM to avoid spam filters)
  4. Buying and configuring a dedicated domain for phishing pages
  5. Obtaining an SSL certificate
  6. Configuring firewall rules and network security
  7. Setting up database backups

Allow 2 to 5 days of work for an experienced administrator. And that is only the initial installation. After that: server updates, security patches, log monitoring, incident management. For an 80-person SME with a part-time IT manager, this time is simply not available.

No training module

This is the most significant limitation for business use. When an employee clicks on a phishing link in a GoPhish campaign, they are redirected to a static page, and that's it.

No adaptive micro-learning, no training module explaining why the email was suspicious, no reinforcement mechanism that reduces the risk of repeat offending, no progressive learning path.

Yet phishing simulation without training is a diagnosis, not an awareness programme. You identify vulnerable employees, but you do not help them improve. Click rates remain stable from campaign to campaign because nobody learns from their mistakes. According to the Verizon DBIR 2024, 68% of breaches involve a human factor. Detecting the problem without treating it does not reduce that figure.

Template creation: a manual craft

GoPhish ships without a template library. Every phishing email template and landing page must be created manually in HTML. For realistic simulations, this means designing a credible email, coding responsive HTML compatible with email clients, creating the corresponding landing page, and testing rendering and deliverability.

Allow 1 to 2 hours per template, based on community feedback. For an awareness programme that requires 20 to 30 varied scenarios per year, that is 30 to 60 hours of content creation work. And the existing templates shared by the community are almost exclusively in English.

Limited dashboard

GoPhish provides four metrics per campaign: emails sent, emails opened, links clicked, credentials submitted. That is sufficient for a one-off pentest report. It is insufficient for running a continuous awareness programme. What is missing: a risk score per employee and per department, trends over time, sector benchmarks, automatic alerts when a department exceeds a risk threshold.

No compliance reporting

The NIS2 directive, applicable since October 2024, requires covered entities to demonstrate staff awareness measures (Article 21, paragraph 2g). GoPhish generates no compliance reports. Extracting raw data and formatting it manually for an audit or management report is additional work after every campaign.

GDPR responsibility

When you host GoPhish on your server, you are the data controller under the GDPR for all collected data: email addresses, clicks, submitted credentials. Records of processing activities, impact assessments, data security, breach notification: everything is your responsibility. With a managed SaaS, this responsibility is shared with the provider via a DPA.

Difficult to scale

Managing campaigns for 200 or 500 employees in GoPhish quickly becomes painful. List import, department segmentation, recurring campaign scheduling, individual tracking: everything must be done manually or scripted via the API. It is doable, but it is additional development and maintenance time.

What is the real cost of GoPhish?

GoPhish is free. But free does not mean without cost. Here is a realistic calculation for a 100-employee SME over 12 months.

Infrastructure costs:

Item Estimated cost
VPS (dedicated server) €30 to €50/month, i.e. €360 to €600/year
Dedicated domain + SSL certificate €15 to €30/year
Infrastructure subtotal €375 to €630/year

Human costs (IT time, basis €450/day):

Item Estimated time Cost
Initial installation 3 to 5 days €1,350 to €2,250
Monthly maintenance (patches, monitoring) 3 h/month × 12 €2,025
Creating 24 templates (2 per month) 1.5 h × 24 €2,025
Campaign configuration (2/month) 1 h × 24 €1,350
Report extraction and formatting 2 h × 12 €1,350
IT time subtotal €8,100 to €9,000/year

Total GoPhish cost: €8,475 to €9,630 in the first year. In subsequent years, without the initial installation: approximately €6,750 to €7,380 per year.

NovaShield cost: free up to 50 employees (Freemium offer), then from €59 per month for 51 to 150 employees, with simulation, post-failure training, dashboards, NIS2 compliance reports and France-hosted infrastructure included. See all tiers on the NovaShield pricing page.

And the cost of not training? GoPhish simulates phishing but does not train employees who fail. Without training, click rates do not decrease significantly. Each real-life click can cost an SME between €15,000 and €150,000. A single incident avoided per year offsets the investment in a managed solution.

What NovaShield aims to do differently

NovaShield is not a GoPhish fork. It is a product designed for a different use case: enabling SMEs to run a continuous awareness programme without mobilising their IT resources.

Target deployment in 15 minutes. Create an account, import employees (CSV or directory sync), choose scenarios, launch a first campaign — no server, no SMTP, no domain to buy.

Scenarios built for real-world contexts, ready to use. Phishing templates mimicking parcel delivery services, cloud providers, banks, payroll or tax authority emails — without coding a single HTML template.

Automatic post-failure training. When an employee clicks on a simulation link, they access a 3 to 5 minute micro-learning module explaining the specific warning signals in the email they received. That is the difference between diagnosing a problem and treating it. According to the SANS Security Awareness Report 2024, immediate contextual training reduces the recurrence rate by 50 to 75%.

AI-powered suspicious email verification. A doubtful email? Employees forward it and receive a quick verdict — legitimate or suspicious — with an analysis of headers and SPF/DKIM/DMARC authentication. No need to involve IT for every suspicious email.

Dashboard with risk score by department, attack type and time period, with progress over time and one-click management reports.

NovaShield dashboard

NIS2 compliance reports generated automatically, attesting to campaigns and employee training, ready for an audit.

France-hosted infrastructure. Campaign data and employee information on servers in France, without transatlantic transfer.

Start your 14-day free trial, no commitment required, to compare with an existing GoPhish installation.

Who should choose GoPhish or NovaShield?

The two tools do not address the same need. Here is an objective decision framework.

Choose GoPhish if:

  1. You are a pentester or red teamer conducting one-off phishing tests for clients.
  2. You have an available IT team with a systems administrator who can dedicate time to installation, maintenance and template creation.
  3. You need advanced customisation. The open source code allows you to modify GoPhish behaviour without restriction.
  4. Your budget is genuinely zero and you prefer to invest time rather than money.
  5. You are running a one-off test, a single phishing resilience audit, with no follow-up programme.

Choose NovaShield if:

  1. You are setting up a continuous awareness programme with regular campaigns, tracking over time, and employee training.
  2. You are an SME without a dedicated security team, and your IT manager has other things to do than maintain a server and create HTML templates.
  3. You need compliance reports for NIS2, GDPR or internal audits.
  4. You want to train, not just test. Simulation without training does not reduce risk.
  5. You want ready-to-use scenarios without coding templates from scratch.
  6. France-hosted data matters to you.

How to migrate from GoPhish to NovaShield?

If you are already using GoPhish and maintenance is becoming burdensome, migration is designed to be straightforward.

  1. Export your user list. In GoPhish, go to "Users & Groups" and export your contacts as CSV. The email, first name, last name and department columns are sufficient.
  2. Create your NovaShield account. Register for free, no credit card required.
  3. Import your users. Upload the CSV file exported from GoPhish.
  4. Launch your first campaign. Choose scenarios, select target groups, schedule the send.
  5. Keep or archive your GoPhish historical data. It stays on your GoPhish server. You can keep it in read-only mode during the transition, or export campaign results in JSON format via the GoPhish API for archiving.

The GoPhish server can then be decommissioned: one less server to maintain, one less set of security patches to apply, IT time recovered for higher-value tasks.

GoPhish is an excellent open source tool that made phishing simulation accessible to everyone. For a one-off pentest or a technically skilled team, it does its job perfectly.

But for an SME that wants to reduce its human risk sustainably, with training, tracking and compliance, without mobilising IT, GoPhish reaches its limits. Compare results with your existing GoPhish installation.

Frequently asked questions

Is GoPhish really free?

The GoPhish software is free and open source (MIT licence). But the real cost includes installation and configuration time (allow 2 to 5 days for a functional deployment), server maintenance, security updates, manual creation of phishing templates, and your IT team's time to manage the tool. For an SME without a dedicated IT team, the hidden cost often exceeds the price of a managed solution.

How do you install GoPhish?

GoPhish requires a server (Linux recommended), configuration of an SMTP server for sending emails, an SSL certificate, a dedicated domain for phishing pages, and firewall rules. Technical installation takes 2 to 5 days for a complete and stable deployment. Test NovaShield for free for comparison.

Can GoPhish be used in a business?

Yes, but with limitations. GoPhish works well for one-off tests. For a continuous awareness programme with post-failure training, human risk tracking and compliance reports, it lacks essential features. Additionally, hosting GoPhish on your infrastructure makes you responsible for the security of collected data under the GDPR.

Why switch from GoPhish to a managed solution?

The most common reasons: GoPhish maintenance monopolises IT time, templates are difficult to create, there is no automatic post-failure training, and reports are insufficient to demonstrate NIS2 compliance.

GoPhish or NovaShield: which is more suited for an SME?

GoPhish is appropriate if you have an available IT team, a one-off testing need, and a near-zero budget. NovaShield targets SMEs that want a continuous awareness programme, without mobilising their IT, with NIS2 compliance reports and France-hosted data. For an SME of 50 to 500 employees, NovaShield aims to be more cost-effective than GoPhish once human cost is factored into the calculation.

About the author

Kaci is the founder of NovaShield, holding a Master's degree in Cybersecurity & Cloud from IPSSI. NovaShield is a listed provider on the Cybermalveillance.gouv.fr platform.

Find Kaci on LinkedIn

Available inFRENESDEITAR

La plateforme est gratuite.

Recevez votre invitation dès l'ouverture.

Soyez notifié dès l'ouverture. En attendant, chaque semaine dans votre boîte : des guides pratiques pour sensibiliser vos équipes sans budget ni équipe IT, une veille sur les nouvelles menaces qui ciblent les PME en ce moment, et l'actu réglementaire concrète (NIS2, ANSSI) qui vous concerne.

Gratuit. Zéro spam. Désabonnement en un clic.

Découvrir la plateformeSans créer de compte