case study | Inzo Technologies | 2025-2026

Phishing-Simulation Platform

A self-hosted platform on Azure for authorized security-awareness engagements, built with scripted automation rather than portal clicks.

context

Phishing-awareness testing for managed clients: authorized, scheduled simulation campaigns that measure how a client's users respond to realistic phishing and feed the results back into training. Commercial SaaS platforms exist, but self-hosting the open-source GoPhish platform offered control over campaigns and costs - provided the platform could be operated responsibly.

problem

A phishing-simulation platform is, functionally, attacker-shaped infrastructure: a mail origin plus credential-capture landing pages. Running one in-house means making it production-worthy, not a pet server - campaigns have to actually reach inboxes, landing pages have to hold up in a browser, and nothing about the platform's own secrets can be handled casually.

constraints

Landing pages needed valid TLS - browsers flagging an untrusted page invalidate the simulation. Delivery needed a proper SMTP relay path so campaigns land in inboxes instead of spam folders. None of the secrets involved - relay credentials, API keys - could live in scripts or on the VM; they belonged in Azure Key Vault and nowhere else. And because the platform persists between engagements, its configuration had to be captured as automation so it can be audited, maintained, and rebuilt, rather than existing as remembered portal steps.

approach

The platform runs on Azure and was provisioned and configured through scripted Azure CLI automation: the GoPhish host, TLS certificates for the landing pages, and the SMTP relay path, with secrets resolved from Azure Key Vault rather than stored in scripts. The automation was built by directing AI coding sessions against defined standards - the working method this site's demo walks through.

outcome

A self-hosted platform running authorized simulation campaigns for managed clients: TLS and mail delivery handled, secrets confined to Key Vault, and the whole configuration expressed as automation instead of undocumented clicks - SaaS subscription costs traded for a platform the MSP controls end to end. Several engagements have been sold and delivered on the platform, with hit rates approaching 10 percent in some campaigns - nearly one in ten users taking the bait is the number that turns awareness training from a recommendation into a priority.

stack

azure, azure cli, gophish, azure key vault, claude code