The independent truth layer for real-time voice.
Every business call crosses a Session Border Controller, the fragile, multi-vendor gateway between your network and the carrier. One misconfiguration and calls fail silently: one-way audio, dead trunks, hours of repair, and you hear about it from users, not a dashboard. SBC-AutoOps is the independent layer that reads any vendor's config and tells you exactly what will break, before you ship it. Local-first and air-gapped: raw configs never leave your environment.
You cannot monitor a call that is cryptographically blocked from ever starting. The only place to catch it is the config, before you ship.
```
$ sbc-validator walk sbc-teams-01.contoso.com.ini

STAGE 1 · INGEST
  Teams leg  transport=tcp  mTLS=no  SRTP=no  roots 5/7

STAGE 2 · VALIDATE
  [CRITICAL] C.CA.ROOT_MISSING         2 of 7 Microsoft roots missing (DigiCert G5 pair)
  [CRITICAL] D.NAT.PRIVATE_ADVERTISED  private IP advertised in SDP
  [HIGH]     B.SIP.TRANSPORT           transport is TCP, not TLS
  [HIGH]     C.TLS.MTLS_DISABLED       mutual TLS off
  [HIGH]     C.SRTP.DISABLED           media not encrypted

STAGE 3 · VERDICT
  risk 100/100 → BLOCK

STAGE 4 · PREDICT
  SBC --> TLS ClientHello
      <-- unknown CA / handshake failed   << call dies here

Outcome: NO_CONNECT (dies at TLS handshake)
```
The clearest proof is happening right now.
Take the most acute case. Teams Direct Routing runs entirely on mutual TLS. In 2026 Microsoft retired the legacy roots and moved to new DigiCert and Microsoft 2017 root CAs, and the SBC certificate must carry the Server Authentication EKU. An SBC whose trust store is not updated does not degrade gracefully. It stops, completely. And this is not the last forcing event: public-TLS certificate lifetimes are compressing on a fixed schedule (200 days in 2026, 100 in 2027, 47 by 2029), the post-quantum migration is coming, and the carriers keep changing too. Trust now rotates faster than telecom. The migrations never stop. The fragile config underneath never gets an independent check. That is the permanent problem this layer exists to solve.
Instant TLS handshake rejection. SIP 408 timeouts. Total inbound and outbound outage. And nothing in Teams points at the certificate: you find out from users, not from a dashboard. Engineers call it the "scream test." Tracked as Microsoft Message Center MC1235747.
It is already happening, in production.
Microsoft stopped accepting their calls: a temporally valid but untrusted root presented at the mTLS handshake. Full outage across the customer base.
Unpatched SBCs stopped sending SIP OPTIONS pings. Microsoft auto-deactivated the Direct Routing domain and blackholed every voice route, with no SIP 503 to warn anyone.
Signaling succeeded, but media relays presented new DigiCert certs and silently dropped outbound audio (SRTP mismatch). The hardest class of failure to diagnose.
MiFID II / FINRA fines
An unrecorded trader call is a severe, heavily fined regulatory violation. If recording fails, the SBC must block the call outright.
99.999% or lives
Healthcare and emergency triage architectures demand five-nines uptime, where a failed call can literally mean the loss of a life.
24/7 carrier SLAs
Tier-1 carriers are bound by strict around-the-clock SLAs. One core cert miss cascades into a mass tenant outage and SLA penalties.
Practitioners rate SBC config complexity 6 to 8 out of 10, and MTTR runs 4 to 12+ hours. Teams still learn about trunk outages from user complaints and LinkedIn posts. Until now, no cross-vendor, pre-deployment layer existed to catch this before it ships.
One independent layer that reads every vendor.
Every SBC vendor ships a tool, and every tool sees only its own hardware. Packet capture sees everything and reads nothing without an expert. Between them is the gap no one fills: an independent, cross-vendor layer that checks the config before it ships. That is what this is.
Your SBCs
AudioCodes, Cisco, Ribbon, Oracle, Metaswitch. The voice-aware firewall at Layer 5 that every call passes through, and every vendor configures differently.
SBC-AutoOps
Reads any vendor's config before deploy and tells you, in plain English, exactly what will break. Never touches the live box.
Vendor tools
OVOC, RAMP, Element Manager. Each sees only its own hardware, blind across a mixed fleet.
Packet capture
Wireshark sees everything and reads nothing without an expert. Not something an ops team runs before every change.
Outcomes, not output.
Zero-outage deployments
Validate certs, trust stores, and HA pairs before production. The silent failure never ships.
MTTR from hours to minutes
Replace 4 to 12 hours of manual log forensics with an instant readout and the exact thing to fix.
One pane, every vendor
AudioCodes, Cisco, Ribbon, Oracle, Metaswitch, on-prem or cloud, in a single diagnostic layer.
SLA protection
Catch config drift before it breaks the uptime commitment your contracts and penalties hang on.
Self-serve independence
Stop escalating to vendors, ITSPs, or Microsoft support to learn what your own config already knows.
Security becomes the reason to buy
Local-first and air-gapped: raw configs never leave your environment. The security review that blocks every other tool becomes the reason to adopt this one.
Validate the config before the call, not the call after the outage.
Five real vendor parsers normalize any config into one model, and the engine runs validation domains over it. Deterministic verdicts, not LLM guesses. It runs inside your environment, fully air-gapped.
Catch it from config
Eight domains: syntax, interop, TLS and CA (the 2026 roots, EKU, SRTP, trust-anchor chains), NAT and one-way audio, codec, topology leak, routing, security. The failure is caught before a single packet is sent.
Predict the call
Models the call as a chain (TLS, then SIP, then SDP, then media), predicts exactly how far it gets, names the user-visible symptom, and renders the SIP ladder up to the point of failure.
Diagnose a capture
Reconstructs the SIP ladder from a packet capture, detects one-way audio and TLS alerts, and maps each failure back to the config change that fixes it.
Plus HA-drift diff against a known-good baseline, fleet readiness reports, and a CI/CD gate that catches non-compliant config before it reaches the change window, not after.
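The validate-then-predict chain described above, sketched as an added example (not SBC-AutoOps code). The check IDs come from the sample output on this page; the config field names, the stage each check maps to, and the sample configs are assumptions made for illustration.

```python
import ipaddress

# Call chain in the order the page gives it.
CHAIN = ["TLS", "SIP", "SDP", "MEDIA"]
# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# (check ID from the sample output, severity, stage it breaks, predicate).
# Stage mapping and config field names are assumptions for this example.
CHECKS = [
    ("C.CA.ROOT_MISSING", "CRITICAL", "TLS",
     lambda c: bool(set(c["required_roots"]) - set(c["trusted_roots"]))),
    ("D.NAT.PRIVATE_ADVERTISED", "CRITICAL", "MEDIA",
     lambda c: is_rfc1918(c["sdp_media_ip"])),
    ("B.SIP.TRANSPORT", "HIGH", "TLS", lambda c: c["transport"] != "tls"),
    ("C.TLS.MTLS_DISABLED", "HIGH", "TLS", lambda c: not c["mtls"]),
    ("C.SRTP.DISABLED", "HIGH", "SDP", lambda c: not c["srtp"]),
]

def validate(cfg):
    """Return (id, severity, stage) for every check that fires."""
    return [(cid, sev, stage) for cid, sev, stage, fails in CHECKS if fails(cfg)]

def predict(findings):
    """Walk the chain in order; the call dies at the first broken stage."""
    broken = {stage for _, _, stage in findings}
    reached = []
    for stage in CHAIN:
        if stage in broken:
            return {"reached": reached, "dies_at": stage}
        reached.append(stage)
    return {"reached": reached, "dies_at": None}

# Constructed sample configs; root names are placeholders, not real CA names.
ROOTS = ["root-%d" % i for i in range(1, 8)]
BROKEN = {"transport": "tcp", "mtls": False, "srtp": False,
          "required_roots": ROOTS, "trusted_roots": ROOTS[:5],
          "sdp_media_ip": "10.20.30.40"}
FIXED = {"transport": "tls", "mtls": True, "srtp": True,
         "required_roots": ROOTS, "trusted_roots": ROOTS,
         "sdp_media_ip": "203.0.113.10"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        found = validate(cfg)
        print(name, [f[0] for f in found], predict(found))
```

Fixing only the TLS-stage findings moves the predicted failure later in the chain rather than clearing it, which is why the prediction is recomputed after every change.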
One broken SBC. One fixed SBC. Run both.
This is real engine output, replayed in your browser. Run the broken config and the validator blocks it, then predicts where in the handshake the call dies. Run the fix and the same SBC passes with two-way audio. That closed loop is the product.
Real sbc-validator walk output. The engine runs locally and air-gapped; nothing here leaves your browser.
Everything else is single-vendor, or watches the call after it fails.
| Approach | What it does | Against the 2026 deadline |
|---|---|---|
| Post-deployment AIOps | Inspects active SIP/RTP for jitter, latency, MOS | Blind. The failure drops TLS before signaling exists. You cannot monitor a call that is cryptographically blocked from ever starting. |
| Vendor tools (OVOC, RAMP, EM) | Manage their own hardware only | Siloed. Reality is multi-vendor: LoopUp runs Ribbon + AudioCodes; Societe Generale runs Oracle + AudioCodes + Ribbon. No single pane exists. |
| SBC-AutoOps | Validates any vendor's config before deploy, then predicts the call | Catches it. The missing root, the wrong EKU, the SRTP gap: from the config, before traffic, across the whole mixed fleet. |
And why it stays hard to copy
Vendor-agnostic Layer 5
True SIP and SDP normalization across mixed estates. A vendor is structurally biased to its own hardware; it cannot build the layer that reads everyone's.
Security-first, local-first
Air-gapped, local execution removes the raw-config-exfiltration objection that kills every other tool in security review. The review stops blocking adoption and starts driving it.
A compounding data moat
To be unambiguous for your security team: the raw config never leaves. What can leave, only if you opt in, is anonymized findings (check IDs and severities, never config text or IPs). Those become a cross-vendor benchmark no single-vendor tool can assemble. The pattern compounds; your configuration never does.
Large, urgent, and structurally underserved.
Direct Routing saves enterprises 50 to 75 percent on global telephony versus Microsoft Calling Plans. That entire saving, and the uptime it rides on, depends on the SBC being right. SBC-AutoOps is cheap insurance on a high-value, fragile, compliance-bound setup.
Who we sell to
AT&T · Verizon · BT
Multitenant cloud SBC fleets. One cert mismatch cascades into simultaneous outages across hundreds of enterprise tenants.
SIPPIO · CallTower · NWN Carousel
API-driven virtual-SBC fleets behind white-label voice. A failure severs the downstream channel revenue.
Continuant · SoftwareOne · Insight
Own the multi-vendor PBX-to-Teams migration, and the responsibility that hybrid estates survive the cryptographic shift.
50+ mixed-vendor SBCs
Direct Routing or BYOC estates with no cross-vendor, pre-deployment check before every change window.
The orgs that run their own SBCs do it because they have to.
Compliance keeps them off managed cloud calling, so they own the certificate problem directly. For them, downtime is regulatory or life-safety, not inconvenience.
Societe Generale · TP ICAP
HA Oracle clustering for trader voice with WORM-compliant recording; multi-vendor cloud migration on AudioCodes + Cisco CUBE. If TLS fails, unrecorded calls must be blocked, or it is a fine.
UCF · Falck EMS
CJIS-compliant police routing, HIPAA clinics, and global emergency triage that cannot drop a packet. Survivable branch appliances must trust the new DigiCert roots.
US DoD · Bosch Group
JITC-certified Ribbon with FIPS-140-2 at the DoD; HA AudioCodes pairs running Local Media Optimization across Bosch factory floors worldwide.
A working product, not a slide.
The honest gaps, stated up front
Routing and security checks for Cisco, Ribbon, and Oracle, per-config cipher matching, and live probing all stay silent until they are validated against a real config for that vendor. The tool refuses to guess. A wrong verdict, telling a customer to fix the wrong thing, is the one thing this product cannot afford. That discipline is the difference between a diagnostic and a liability.
The deadline is the entry point. The lifecycle is the product.
Everything in the first column ships today. Everything after it earns its way in the same way the rest of the tool did: validated against real configs, never guessed.
The validator, in production form
- Local-first validator: 4 vendors normalized to one model
- 8 validation domains, including the 2026 CA and EKU checks
- Validate, simulate, and explain, plus HA-drift diff
- Fleet readiness reports and a CI/CD gate
- Signed rule bundles, air-gapped Docker image
- 126 automated tests in CI
Depth across the whole fleet
- Routing and security checks live on Cisco, Ribbon, and Oracle; each needs one real config
- Per-config cipher matching
- The cross-tenant readiness benchmark
- Deeper CI/CD and change-management integration
The independent layer for the whole SBC lifecycle
- Continuous drift detection across the fleet
- An LLM explainer for SIP ladders
- Assisted remediation, applied by engineers, never auto-pushed to production
- STIR/SHAKEN checks and a deepfake-voice sidecar
Next and Vision are roadmap, not product. Each check stays silent until it is validated against a real config for that vendor.
Telecom domain depth, meet AI build velocity.
Philip Drammeh
Ex-Microsoft Telecom Spec Lead with deep SBC and Teams Direct Routing architecture expertise: the ground truth every validator is modeled against.
Dico Angelo
AI builder and systems architect. Builds production AI infrastructure and autonomous diagnostic platforms; ships the engine and the local-first distributable.
Two design partners. One real config per vendor.
We are partnering with one or two MSPs or enterprises running 50+ SBCs. We need one real, sanitized config per vendor: that is what turns routing and security checks live for that platform, the same path that made AudioCodes real.