Rapid Build Studio
Pro · $1,999

Tower Guard Security

A full phishing simulation platform for teams who want measurable security awareness—without wrestling a giant enterprise suite.


A walkthrough of the product

Below is a tour in plain language—each panel is something we actually shipped. Screens are from a demo environment so you can see the UI without exposing a real customer.

Tower Guard super admin screen listing organizations and invites (demo data).

Step 1 of 7

Running the whole platform

This is the view for the small group that operates Tower Guard itself—not your customer’s day-to-day admin. You can see how many organizations are on the product, who’s active, and who’s still waiting on an invite.

What you get here

  • Invite new org owners by email and track pending vs accepted invites
  • Scan every tenant from one place—users, campaigns, and activity at a glance
  • Jump into a customer’s workspace when you need to help or audit (impersonation-style flows)

Login screen offering Continue with Google and Continue with Microsoft.

Step 2 of 7

Signing in the way real companies expect

Nobody wants another unique password for a security tool. The front door is built around the identity providers teams already use, so rollout feels familiar instead of scary.

What you get here

  • Google and Microsoft SSO so users sign in with work accounts
  • Clear “secure access” messaging that matches how IT communicates rollout
  • Room in the stack for extra admin protections (like MFA) where you need them

Organization dashboard with campaign stats, risk chart, and recent events (demo org).

Step 3 of 7

Your home base after login

Once you’re inside a company, this is the operational snapshot: how simulations are running, how people are behaving, and what just happened. It’s meant for busy admins who need the story in under a minute.

What you get here

  • Live-style metrics: active campaigns, targets, click rate, and average risk
  • A simple risk trend so you can tell if things are getting better or worse
  • A feed of recent events so you’re not digging through logs for “what happened today?”

Analytics view with repeat offenders and template effectiveness table.

Step 4 of 7

Where the story gets clearer

Dashboards are nice, but decisions need detail. This area pulls out the people who keep clicking and the templates that actually move the needle—so you can coach individuals and fix weak content.

What you get here

  • Spot repeat offenders so training isn’t one-size-fits-all
  • Compare templates: clicks, submits, and reports side by side
  • Tie numbers back to real campaigns instead of vanity charts

Table of phishing simulation campaigns with status and stats.

Step 5 of 7

Every simulation in one list

Campaigns are the heart of the product. This screen is where you plan launches, watch progress, and open a run when you want the deep dive. Status badges make it obvious what’s draft, live, or wrapped up.

What you get here

  • Full lifecycle from draft to scheduled to active to completed
  • Quick read on sends, clicks, and submits without opening each row
  • A straight path into analysis when a campaign finishes

Grid of landing page templates for simulations.

Step 6 of 7

Pages people actually land on

Simulations need believable destinations. There’s a library of realistic system templates (think sign-in and file-share flows), plus room for your own pages when you want something custom or softer than a credential form.

What you get here

  • Ready-made pages styled like common tools your employees recognize
  • Labels for credential vs awareness-style experiences
  • Preview, edit, or retire custom pages without touching code

Single campaign view with per-target results and event timeline.

Step 7 of 7

Drilling into one campaign

When leadership asks “how did that exercise go?”—this is the answer. You see who clicked, who reported, who finished training, and the raw sequence of events if you need to reconstruct a timeline.

What you get here

  • Per-person results with simple tags instead of spreadsheet exports
  • Training completion rolled up so you can report remediation honestly
  • Telemetry stream when you need the play-by-play for an incident review

The bigger picture

If you’re skimming for capabilities, here’s the same product summarized as feature-sized bites—no jargon for its own sake.

Built for many customers on one stack

If you’re running a product—not a one-off—you need clean separation between tenants. Tower Guard is structured so each organization’s data stays in its lane, with a top-level view for your own team when you need it.

Campaigns that match how security teams work

You pick templates, difficulty, groups, and landing pages, then move runs through clear states. When something goes wrong, the design favors safe rollback instead of mystery errors.

Sign-in that feels normal

Google and Microsoft SSO cut friction on day one. For admins who need stronger guarantees, there’s space in the architecture for extra factors—without making every user jump through hoops.

Risk scores people can explain

Each person gets a score that reacts to real behavior: clicks, submissions, reports, and training. Roll it up and you can talk to leadership about trend—not just a single scary number.

Reporting you can hand to a manager

Beyond the live UI, there are paths to summarize what happened: who struggled, which templates worked, and PDF-style exports when someone wants a file for the record.

A sending engine that respects email reality

A separate Go service handles delivery and tracking: staggered sends so you don’t look like a blast, sensible rate limits, and guardrails against noisy bots skewing your stats. The API and engine talk to each other with signed webhooks so it’s harder to fake events.
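As an added illustration (not Tower Guard's own code), here is one common way a delivery engine and an API can sign and verify tracking events. The page only says the webhooks are signed; the HMAC-SHA256 scheme, the timestamp binding, the five-minute window, and all names and payload fields below are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// maxSkew bounds how old (or how far in the future) a signed event may be.
const maxSkew = 5 * time.Minute

var (
	ErrStale  = errors.New("webhook timestamp outside allowed window")
	ErrBadSig = errors.New("webhook signature mismatch")
)

// Sign returns lowercase hex(HMAC-SHA256(secret, "<unix-ts>.<body>")).
// Covering the timestamp with the MAC stops a captured event from being re-dated.
func Sign(secret, body []byte, ts int64) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%d.", ts)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify is the check a receiver runs on the raw request body before parsing it.
func Verify(secret, body []byte, ts int64, sigHex string, now time.Time) error {
	age := now.Sub(time.Unix(ts, 0))
	if age > maxSkew || age < -maxSkew {
		return ErrStale // replayed or badly clocked event
	}
	// hmac.Equal compares in constant time, so timing does not leak the MAC.
	if !hmac.Equal([]byte(sigHex), []byte(Sign(secret, body, ts))) {
		return ErrBadSig
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample value
	body := []byte(`{"campaign":"demo","target":"t-1","event":"click"}`)
	now := time.Unix(1700000000, 0)
	sig := Sign(secret, body, now.Unix())
	fmt.Println(Verify(secret, body, now.Unix(), sig, now)) // <nil>
	forged := []byte(`{"campaign":"demo","target":"t-1","event":"report"}`)
	fmt.Println(Verify(secret, forged, now.Unix(), sig, now)) // signature mismatch
}
```

The timestamp window limits replay but does not eliminate it inside the window; a receiver that needs strict once-only delivery also has to track event IDs it has already accepted.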

Training when someone clicks—and reporting when they don’t

The product includes the follow-up moment after a mistake (education, not shame), plus hooks for reporting suspicious mail from Outlook so good behavior gets credit too.

Audit trail and careful logging

Important admin actions leave a trail you can search later. When you need to protect privacy in logs, there are toggles to mask the sensitive bits—because security products should model good hygiene.

How we framed the build

The short version of why it existed, how we tackled it, and where it landed.

The problem

Smaller security teams still need serious phishing exercises and proof for leadership—but the usual enterprise tools are heavy, expensive, and painful to roll out. The goal was something that felt credible to IT without drowning them in configuration.

What we did

We treated it like a real SaaS: a React front end people enjoy using, an API with clear validation, PostgreSQL for the long-lived data, and a dedicated Go service for the messy world of email delivery and click tracking. Tenant boundaries and signed webhooks weren’t extras—they were part of the first design, not a patch later.

Where it is now

Today it runs end to end: people sign in with SSO, build and launch campaigns, emails go out through a production-style pipeline, events flow back into risk scores and analytics, and teams can pull training and reporting together. It’s deployed on real domains with the kind of hardening you’d expect before inviting paying customers.

Built with

React, Vite, TypeScript, Tailwind CSS, Recharts, Express, PostgreSQL, Drizzle ORM, Go, AWS SES, OpenID Connect
