Free Phishing Test for Up to 25 Users (No Credit Card)
Most "free phishing tests" on the market are either three-question quizzes that teach an employee nothing, or 14-day demos that lock you out the moment your CFO actually wants the report. Bait & Phish does it differently. Up to 25 users, free, no credit card, no sales call, no countdown timer. The same engine, the same templates and the same reporting that runs on every paid plan.
This post explains exactly what's in the free trial, why we capped it at 25 and how to go from "I just signed up" to "I have my first click-rate report" in 30 minutes.
What "free" actually means here
"Free" gets abused in security marketing. To be precise about ours:
- No credit card. Sign-up is email and a password. Nothing to enter at the payment step because there is no payment step.
- No sales call. The trial is self-service from sign-up to first campaign result. You're never put into a sequence to be "qualified."
- No time limit at 25 users. The trial doesn't expire after 14 or 30 days. If you stay at 25 users or below, you stay on the free tier indefinitely.
- Same engine as paid. Same template library, same difficulty tiers, same auto-assigned training, same reports. The trial is the product, capped at 25 users, not a stripped-down preview.
- No upsell pressure inside the dashboard. No locked tabs with a "Contact Sales" button.
Why we picked 25
Twenty-five is the value of FREE_TRIAL_LIMIT in the platform configuration, and it's a deliberate number, not a marketing round-up.
Below 25 users, a single campaign produces too little data to draw a real conclusion. A 4-person test with one click is a 25% click rate that means nothing statistically. At 25, a single campaign produces a number you can defend in a board meeting - and it covers the most common first cohorts an administrator wants to test: a leadership team, a finance department, a small business or a pilot group inside a larger organization.
It's also enough that you can compare difficulty levels meaningfully. Run an easy campaign on the 25, then a regular campaign two weeks later and you have a real before-and-after for the same group at two difficulties.
What you can do in the free trial
The trial is the full product, capped at 25 active users:
- Run unlimited simulated phishing campaigns against your 25-user roster over email, with full landing-page tracking and click reporting.
- Choose from the same template library paid plans use, across five intent categories (credential harvesting, authority impersonation, financial pretext, IT helpdesk, delivery/logistics) and three difficulty levels (easy, regular, hard).
- Get auto-assigned remediation training the moment a user clicks a simulated phishing link.
- Export the same one-page reports a paid customer would attach to a board deck or a cyber insurance renewal application.
- Re-run campaigns as often as you want. Twelve monthly campaigns at 25 users is the same trial.
30-minute setup, broken down
Here's the realistic timing from "I just clicked sign up" to "I'm reading my first click-rate report":
- Minutes 0-5: Account creation and SPF/DKIM allowlisting. Sign up, verify email, drop the platform's sender into your allowlist so messages reach inboxes instead of getting dropped at the edge. (This step isn't needed if you're testing against a separate domain you control.)
- Minutes 5-10: CSV import. Drop your roster of up to 25 users into the import UI. Required columns are first name, last name, email and department. See our CSV import guide for the exact format.
- Minutes 10-15: Pick a template. First-time admins should pick an easy-tier template from the credential-harvesting category - a Microsoft 365 password expiry or DocuSign signature notice. See the difficulty-levels guide for the rationale.
- Minutes 15-20: Schedule the campaign. Default to "send over the next 4 hours" rather than all-at-once - it spreads the load and reduces the chance of one user warning the rest in real time.
- Minutes 20-30: Watch the dashboard. Click events surface in real time. Auto-assigned training fires for any user who clicks. By minute 30, you'll have your first data point.
That's it. Nothing else is required to get value out of the trial. No agent install, no MX changes, no integration setup.
What you'll learn from the first campaign
A single 25-user easy-tier campaign won't tell you everything, but it will tell you four things worth knowing:
- Whether your email allowlisting is correct. If 0% of users see the message, that's a signal before any real attacker tries.
- A baseline click rate. First-run easy-tier results in the 8-15% range are typical; outside that range is informative either way.
- Which users completed remediation training. The gap between users who clicked and users who completed the assigned training is the cultural signal.
- A reportable number. "We ran a phishing simulation, here's the click rate, here's the training completion rate" is the answer to a question your CFO, board or cyber insurance broker is going to ask sooner than you expect - see our cyber insurer phishing questions guide.
What the free trial does not include
To set expectations honestly: the cap on the trial is user count, but a few features are paid-tier-only regardless of headcount:
- SMS phishing (smishing) campaigns. Voice-channel and SMS-channel campaigns are paid-tier features because they run against real telephone-network infrastructure that has marginal cost per send.
- Voice phishing (vishing) campaigns. Same reason - see our deepfake vishing post for why these matter.
- SAML / SSO and role-based access for multiple admins. Single-admin access is included; multi-admin and IDP-federated access is paid.
- API access for HRIS or identity provider sync. CSV import is included; programmatic provisioning is paid.
- White-label landing pages. Generic landing pages are included; custom-branded landing pages are paid.
None of those are essential for getting an honest first read on your team's resilience. You can run a meaningful campaign and produce a defensible report on the free tier alone.
What competitors call "free" - and why we don't
It's worth a candid comparison because the word "free" is so devalued in security marketing. The common patterns we don't use:
- 14-day evaluation. Time pressure to commit before you've seen results. Useless for a program that needs at least one campaign cycle to produce data.
- Free quiz. A landing page with three multiple-choice questions and an email signup. Teaches no one anything.
- Free for one campaign, then locked. Locks you out at exactly the moment the report becomes useful.
- Free with credit card required. Auto-converts to a paid plan at the end of the trial unless you cancel. The friction is the point.
- Free with mandatory sales call. The trial is a qualified-lead funnel rather than a real product evaluation.
The Bait & Phish trial avoids all of those because the goal isn't to extract a credit card before the buyer has made a decision; it's to give a small business or a security team the actual data they need to decide whether to expand.
How the free trial scales (or doesn't)
The trial is hard-capped at 25 active users. The cap is enforced at import time - uploading a 26-row CSV will fail with a clear message rather than silently truncate. If you want to test more than 25, you upgrade through the pricing page; if you don't, you stay on the free tier without losing functionality on the original 25.
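The CSV import step above and the 25-user cap enforced at import time can be checked before you upload, as in this added example (not Bait & Phish's own code). It takes FREE_TRIAL_LIMIT and the four required columns from the post; the function names, header normalisation, email check and error wording are assumptions, and the sample roster is constructed.

```python
import csv
import io
import re

# FREE_TRIAL_LIMIT and the four required columns come from the post; the
# function names, normalisation and error wording are assumptions of this example.
FREE_TRIAL_LIMIT = 25
REQUIRED_COLUMNS = ("first_name", "last_name", "email", "department")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _norm(header: str) -> str:
    """'First Name' -> 'first_name' so header spelling variants all match."""
    return "_".join(header.strip().lower().split())


def validate_roster(csv_text: str, limit: int = FREE_TRIAL_LIMIT):
    """Return (rows, errors); any error rejects the whole file, never a truncated one."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = [_norm(h) for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        return [], [f"missing required column(s): {', '.join(missing)}"]
    rows, errors, seen = [], [], set()
    for n, raw in enumerate(reader, start=2):  # line 1 is the header
        row = {_norm(k): (v or "").strip() for k, v in raw.items() if k}
        blank = [c for c in REQUIRED_COLUMNS if not row.get(c)]
        if blank:
            errors.append(f"line {n}: empty {', '.join(blank)}")
            continue
        email = row["email"].lower()  # case-insensitive duplicate check
        if not EMAIL_RE.match(email):
            errors.append(f"line {n}: invalid email {row['email']!r}")
        elif email in seen:
            errors.append(f"line {n}: duplicate email {email}")
        else:
            seen.add(email)
            row["email"] = email
            rows.append(row)
    if len(rows) > limit:  # reject, do not silently drop rows to fit the cap
        errors.append(f"roster has {len(rows)} users; the free tier allows "
                      f"{limit}. Trim the file or upgrade; nothing was truncated.")
    return (rows if not errors else []), errors


def make_roster(n: int) -> str:
    """Constructed sample roster of n placeholder users (not real people)."""
    lines = ["First Name,Last Name,Email,Department"]
    lines += [f"User{i},Test,user{i}@example.com,Finance" for i in range(1, n + 1)]
    return "\n".join(lines) + "\n"
```

Running validate_roster on make_roster(25) accepts all rows; make_roster(26) returns no rows and a single cap error, mirroring the import-time behaviour described above.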
Common upgrade triggers:
- You want to roll the program out to the whole organization rather than the leadership team.
- You want SMS (smishing) and voice (vishing) campaigns, which are paid-tier features.
- You want SAML/SSO, role-based access for HR and IT separately or API access for HRIS sync.
- Your cyber insurance carrier has asked for evidence of organization-wide coverage and your roster is bigger than 25.
Why this exists at all
The Verizon DBIR, FBI IC3 annual Internet Crime Report, CISA and the Anti-Phishing Working Group (APWG) all publish the same uncomfortable finding year after year: phishing remains a top initial-access vector and the organizations getting hit hardest are not the Fortune 100 - they're the businesses too small to have a security awareness budget. Reporting from Krebs on Security regularly traces multi-million-dollar BEC losses back to companies under 100 employees with no formal phishing program. Twenty-five free seats won't solve that for everyone, but it removes the excuse of "we couldn't afford to start."
The CTA here is genuinely the simplest one we publish: start the free trial. Run a campaign this week. If you have questions on the way, contact us. If you want to see the broader platform context, about us covers the company and security awareness training covers the training side. NIST SP 800-50 remains the canonical external reference for program design - worth reading the day after your first campaign result lands.