Comparisons
How Phishing Club compares to Gophish and Evilginx is one of the most common question. We made a table to make it easier to get an overview of the feature comparison.
✓ Available ✓* Partial PRO Evilginx PRO only ✗ Not available
| Feature | Phishing Club | Gophish | Evilginx | Notes |
|---|---|---|---|---|
| Overall | ||||
| Phishing simulation | ✓ | ✓ | ✗ | |
| AiTM proxy phishing | ✓ | ✗ | ✓ | |
| Remote Browser Phishing via CDP | ✓ | ✗ | *PRO* | EvilginxPro is rumored to add this feature in 2026 |
| Device code phishing | ✓ | ✗ | ✗ | |
| AiTM Proxy | ||||
| Credential and session capture | ✓ | ✗ | ✓ | Captures credentials, session cookies and tokens. Bypasses MFA |
| YAML proxy config | ✓ | ✗ | ✓ | |
| Visual proxy builder | ✓ | ✗ | ✗ | Evilginx is configured exclusively via YAML phishlets |
| Browser impersonation | ✓ | ✗ | ✓ | Matches TLS fingerprint and HTTP/2 settings to real browser profiles to avoid detection by fingerprinting systems |
| DOM, regex and header rewrites | ✓ | ✗ | ✓* | Phishing Club has regex, DOM and header rewrite engines. Evilginx supports basic substitutions |
| URL and query param rewriting | ✓ | ✗ | PRO | Masks suspicious paths and renames query parameters. |
| Multiple capture engines | ✓ | ✗ | ✓* | Regex, JSON path, form, cookie and header engines. Evilginx capture rules are defined per phishlet with less flexibility |
| Pre-built phishlets | ✗ | ✗ | ✓* | Community phishlets in v2. PRO includes managed phishlets for M365, Google and more |
| Upstream proxy support | ✓ | ✗ | ✓ | Forward traffic through an upstream proxy for debugging or additional interception |
| Campaign Management | ||||
| SMTP delivery | ✓ | ✓ | ✗ | |
| API delivery | ✓ | ✗ | ✗ | Add custom HTTP endpoint with configurable method, headers, payload and response validation |
| OAuth provider integration | ✓ | ✗ | ✗ | Connect OAuth 2.0 provider for API delivery. Import captured refresh tokens from Session Sushi |
| Recipient management | ✓ | ✓ | ✗ | |
| Per-recipient tracking | ✓ | ✓ | ✓ | Evilginx can create multiple lure links for individual tracking |
| Dynamic recipient groups | ✓ | ✗ | ✗ | Auto updating groups filtered by department, city, country and more |
| Multiple pages per campaign | ✓ | v | ✗ | Before page, landing page and after page in one reusable template |
| Campaign scheduling | ✓ | ✓ | ✗ | Phishing Club has time box and daily slot scheduling with weekday and hour restrictions |
| Custom send distribution | ✓ | ✗ | ✗ | Phishing Club can sort, randomize and add jitter to send distribution. |
| Analytics dashboard | ✓ | ✓ | ✗ | |
| Anonymization | ✓ | ✗ | ✗ | |
| Multi-tenancy | ✓ | ✗ | ✗ | |
| Evasion and Filtering | ||||
| IP and CIDR filtering | ✓ | ✗ | ✓* | Phishing Club supports CIDR ranges and geo IP. Evilginx has basic IP blocking |
| JA4 TLS fingerprint filtering | ✓ | ✗ | PRO | |
| HTTP header filtering | ✓ | ✗ | PRO | Evilginx PRO has buildin user agents allow listing / deny listing |
| Evasion pages | ✓ | ✗ | ✗ | Host clean content to automated visitors, phishing page to real recipients |
| HTML obfuscation | ✓ | ✗ | PRO | Dynamically rewrites page output on each request |
| Built-in bot guard | ✗ | ✗ | PRO | Evilginx PRO provides a managed bot guard. Phishing Club gives you full control to configure your own custom evasion page, filters and deny pages |
| Editor | ||||
| Code editor | ✓ | ✓* | ✗ | Phishing Club uses Monaco (VS Code editor). Gophish uses a WYSIWYG editor |
| Live preview | ✓ | ✓* | ✗ | Phishing Club preview supports variable substitution and domain switching |
| Clone website | ✗ | ✓ | ✗ | Gophish can import and clone simple static websites |
| Administration | ||||
| Web-based admin panel | ✓ | ✓ | ✗ | Evilginx is CLI-based |
| Asset management | ✓ | ✗ | ✗ | Web UI for per-domain and shared file hosting with priority resolution. |
| Multi-user | ✓ | ✓ | ✗ | |
| Automatic TLS per domain | ✓ | ✗ | ✓ | Let's Encrypt, self-signed or self supplied |
| Windows support | ✗ | ✓ | ✓ | Phishing Club does not officially support Windows |
| Open source | ✓ | ✓ | ✓* | Phishing Club: AGPL v3. Gophish: MIT. Evilginx v2: MIT. Evilginx v3+: commercial |
| Security | ||||
| MFA (TOTP) | ✓ | ✗ | PRO | |
| SSO (Microsoft Entra) | ✓ | ✗ | ✗ | |
| Admin IP allowlist | ✓ | ✗ | ✗ | |
| Session security | ✓ | ✓* | ✓ | Phishing Club enforces strict same-site cookies and IP-bound sessions |