JPhish
Phishing Simulation & Security Awareness — ČVUT University Project
Responsible Research • Training for Security Professionals

JPhish — Ethical Phishing Simulation Platform for Security Professionals

JPhish is a university research & training platform developed at Czech Technical University (ČVUT) to help security teams design, run and analyze realistic phishing simulations in a controlled, ethical environment. This page documents the purpose, safeguards and technical details for production email access requests.

How JPhish works

JPhish coordinates controlled phishing simulations by combining campaign definitions, target lists, and safe email templates. It is intended for use by authorized security professionals and researchers only.

High-level flow

  1. Admin creates a campaign, selects templates and target employees.
  2. When a campaign is activated, the system sends targets emails that contain only tracking links.
  3. Emails point to safe, non-malicious landing URLs controlled by the platform; clicks are recorded in dashboards.
  4. Security team reviews results and runs follow-up awareness training.

Technical notes

  • Emails contain only tracking URLs; no credential forms or malicious attachments are used.
  • All landing pages are controlled by the project and display a clear training disclaimer.
  • Campaigns are only executed for consenting participants and authorized organizations.

Important: JPhish is strictly an educational and research tool. It is designed to improve security awareness — not to attack, exfiltrate credentials, or deploy malware.

Email & Tracking model

To minimize risk and preserve participant privacy, JPhish sends only links that redirect to controlled test landing pages. The platform records click events and aggregates results in dashboards used for research and training.

Tracking URL example

https://tracking.example.com/c/{campaignId}?e={employeeId}

Data recorded

  • send timestamp: when the email was sent
  • click timestamp: when the tracked link was clicked
  • aggregate metrics: click rates, reporting rates
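
The tracking model above as an added example (not JPhish's own code): it validates links of the documented shape and turns send and click timestamps into a per-campaign click rate. The function names, the ID alphabet, the record shapes and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# URL shape from the page: https://tracking.example.com/c/{campaignId}?e={employeeId}
TRACKING_HOST = "tracking.example.com"
PATH_RE = re.compile(r"/c/([A-Za-z0-9_-]+)")   # assumed ID alphabet
ID_RE = re.compile(r"[A-Za-z0-9_-]+")

def parse_tracking_url(url):
    """Return (campaign_id, employee_id), or None for anything that is not a well-formed tracking link."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != TRACKING_HOST:
        return None
    m = PATH_RE.fullmatch(parts.path)
    e = parse_qs(parts.query).get("e", [])
    if not m or len(e) != 1 or not ID_RE.fullmatch(e[0]):
        return None
    return m.group(1), e[0]

def click_rates(sent, clicks):
    """sent: {(campaign, employee): send_time}; clicks: [(url, click_time)].
    Returns {campaign: {"sent": n, "clicked": n, "click_rate": float}}."""
    clicked = defaultdict(set)
    for url, ts in clicks:
        key = parse_tracking_url(url)
        # Drop malformed links, IDs that were never mailed, and clicks dated before the send.
        if key is None or key not in sent or ts < sent[key]:
            continue
        clicked[key[0]].add(key[1])   # a set, so repeat clicks count once
    totals = defaultdict(int)
    for campaign, _ in sent:
        totals[campaign] += 1
    return {c: {"sent": n, "clicked": len(clicked[c]),
                "click_rate": len(clicked[c]) / n} for c, n in totals.items()}

# Constructed sample data (not real campaign records).
T = datetime.fromisoformat
SENT = {("c1", e): T("2024-01-10T09:00:00") for e in ("e1", "e2", "e3", "e4")}
CLICKS = [
    ("https://tracking.example.com/c/c1?e=e1", T("2024-01-10T09:05:00")),
    ("https://tracking.example.com/c/c1?e=e1", T("2024-01-10T09:07:00")),  # repeat click
    ("https://tracking.example.com/c/c1?e=e2", T("2024-01-10T10:00:00")),
    ("https://tracking.example.com/c/c1?e=e9", T("2024-01-10T10:01:00")),  # never mailed
    ("https://tracking.example.com/c/c1?e=e3", T("2024-01-10T08:00:00")),  # before send
    ("http://tracking.example.com/c/c1?e=e4", T("2024-01-10T11:00:00")),   # wrong scheme
]
if __name__ == "__main__":
    print(click_rates(SENT, CLICKS))
```

Only the aggregate leaves the function; the per-employee set is discarded once the counts are computed.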

Governance & Responsible Use

This project is governed by university research policies and overseen by faculty advisors. All campaigns require documented approval from the participating organization or department.

Contact & Responsible party

Project contact: ČVUT Security Research
Responsible researcher: [email protected]
Use-case questions, approval requests, and data-privacy inquiries should be sent to the contact above.

Data privacy

Collected data is used only for research/awareness purposes, stored securely, and deleted following university retention policies upon request.

Approval statement example

By approving a campaign, the organization confirms:
- Employees are notified or have given consent to participate;
- Data will be used solely for training and research;
- No live credential harvesting or malware will be used.

Next steps for SES production access

  1. Review the project purpose and ethics above.
  2. Approve SES production access to allow sending tracking-only emails to consenting recipients.
  3. We will provide a domain verification record and DKIM entries for your review and verification.
  4. We will configure bounce and complaint handling and follow AWS best practices.