When the Rules of Engagement say the red team owns the full campaign chain, “we used a hosted simulation tool with third-party mail” stops being an answer.

Poseidon-X exists because campaign infrastructure has to survive scrutiny from the customer, compliance, and the operator who has to explain where every email came from. It started as a hardened GoPhish fork and grew into a multi-host platform: admin server, landing listener, file host, and SMTP host, each registered and managed as operator-controlled infrastructure.

The design constraint is sovereignty. Your IP reputation. Your DKIM. Your delivery path. Your audit trail. No third-party CDN, analytics, or telemetry calls are baked into the product. Outbound network activity is limited to operator-triggered flows with offline fallbacks, and operator actions land in an append-only audit log.

The result is adversary-emulation infrastructure rather than a demo stack: campaign management, per-recipient tracking modes, deliverability preflight, React analytics, and pure-Go reports for engagements where the paperwork matters.

cat redacted-results.log sanitized logs

Credential campaign QA

redacted campaign flow

The QA path validates delivery, landing behavior, audit state, and live operator updates.

sanitized-output
campaign: PX-QA-[REDACTED]
mode: email + credential landing
preflight:
  spam_score: pass
  dns_auth: pass
  file_host: not_required
events:
  email_sent: ok
  click_tracked: ok
  credential_submit: ok
  audit_row: ok
  sse_update: ok

Host registration state

redacted dashboard

Campaign infrastructure is modeled as registered operator-owned hosts, not vendor services.

sanitized-output
admin      https://admin.[REDACTED]      healthy
landing    https://login.[REDACTED]      listener online / drain connected
files      https://dl.[REDACTED]         caddy online
smtp       smtp.[REDACTED]:587           dkim aligned / relay ready
telemetry  third_party                   disabled