STIR/SHAKEN, Call Authentication, and Robocall Protection for Voice Service Providers

Our team helps you deploy STIR/SHAKEN end-to-end across your network, so calls show up as verified instead of spam, you stay compliant with the TRACED Act, and legitimate traffic gets through.

Built for Real STIR/SHAKEN Deployments

The STIR/SHAKEN Partner That Gets It Working

We've been working on STIR/SHAKEN since the standards were drafts. We know where the rough edges are and how to fix them.

icon-stirshaken-2-1

STIR/SHAKEN Protocol Expertise

We have years of experience with STI-AS and STI-VS services, certificate management, attestation logic, and SBC configuration across multiple vendors.
icon-stirshaken-2-2

SBC Configuration for Identity Headers

We configure your SBCs to pass the Identity header unaltered so you stay compliant with the FCC's do-not-strip requirement and don't drop attestation.

icon-stirshaken-2-3

SIP-over-TCP and TLS Migration

The Identity header can push messages over the fragmentation limit. We migrate trunks to TCP and TLS so large messages don't get dropped or retransmitted.

icon-stirshaken-2-4

Attestation Logic Design

We help you decide whether to attest A, B, or C, document the logic, and defend it to ensure you don't over-attest and damage your signer reputation.
icon-stirshaken-2-5

Certificate Lifecycle Management

We set up SPC token procurement, CSR renewal, and automation so your certificates don't silently expire and break signing.
icon-stirshaken-2-6

RMD Filing Engineering and Compliance

Our network experts build the technical side of your Robocall Mitigation Program and help keep your RMD filing in sync with your actual network.
STIR/SHAKEN Not Working How It Should?

Your STIR/SHAKEN Compliance Problems, Solved

We've worked through STIR/SHAKEN deployments with most of the major vendors – so when something doesn't work the way the vendor says it should, we can tell you why.

icon-stirshaken-3-1

Identity Headers Get Stripped

If your SBC was configured years ago, it could be silently throwing away your Identity headers. We fix the SBC config so attestation actually passes through.

icon-stirshaken-3-2

SIP Messages Too Large

If even  one datagram is lost, the whole message will get retransmitted or never arrive. We migrate the affected trunks to TCP, so this stops happening.
icon-stirshaken-3-3

Over-Attestation Damages Reputation

Over-attestation damages your reputation as a signer. We help you map attestation logic to actual number ownership and call flows.
icon-stirshaken-3-4

Legitimate Calls Labeled as Spam

Subscribers can't reach people because their calls show red? We work on attestation, Rich Call Data, and more to ensure legitimate traffic is treated right.

icon-stirshaken-3-5

Certificate and SPC Token Issues

Expired certs, revoked tokens, or missing certificates from third-party signers break verification. We audit and fix the certificate lifecycle.
icon-stirshaken-3-6

Limited STIR/SHAKEN Expertise

Most teams haven't spent time on certificate handling, passport structure, or SBC behavior in detail. We fill that gap so you're not learning under fire.

OUR CLIENTS

Trusted by Industry Leaders

Join other organizations that enjoy expert engineering support with ECG.

Maryland_Logo_rgb_white
logo-usdeptofjustice
segra
momentum-logo-white
KPU-Logo-white
stirshaken-5-1
WHY CHOOSE ECG

Your STIR/SHAKEN Compliance Expert

We've been working STIR/SHAKEN since the standards were still in draft.

At ECG, we don't just know the STIR/SHAKEN – we live it. We know the protocol, the products, and the regulatory environment. We know how they fail in real networks, not just on slides. We're not selling you a box, so when we recommend a topology or a vendor, it's because that's what actually fits your network.

Success Stories From Our Clients

ECG is definitely the right team for our network!

Nicole Rodriguez

AVP Switching and Wireless Data Engineering | AT&T Mobility

ECG's broad scope of clients means they know what's happening before we do. We stay competitive with ECG as our guide.

Mark Hayes

VP of Voice Engineering | Momentum Telecom

ECG has really cool technology!

Jeff Pulver

Voice over IP Pioneer

ECG delivers exceptional quality and service via their software products and consulting services. Speaking as someone with direct large scale enterprise delivery with their team, my personal experience has been universally positive.

Joe Pfiefer

Assistant Director | U.S. Department of Justice

I'm happy to say I've partnered with ECG at a number of service providers. You guys have been an outstanding engineering and operations partner for my teams.

Tom Faherty

VP | Databank

ECG is a reliable partner.

Edwin Martirosyan

COO | BluIP

Book Consult
learn more
GET STARTED WITH ECG TODAY

Book Your 30-Minute Connect Call

Get in touch with ECG for products and services that support your crucial voice infrastructure needs. 

Experience the ECG Advantage

Whether you’re a service provider, enterprise, or government agency, your voice infrastructure is in good hands with ECG.

_Ñëîé_1

Proven Expertise

Our team has decades of proven experience building and supporting voice networks.

_Ñëîé_1

Powerful Partnerships

Our strategic alliances are designed to help deliver customer-centric, total solutions to our clients.

_Ñëîé_1

Elevated Network Design

We draw from experience with dozens of service providers to create straightforward, manageable designs.

_Ñëîé_1

Comprehensive Support

Our team will assist in your technical projects, support your goals, automate processes, and train your team.

How We Help

End-to-End STIR/SHAKEN Support

From design to troubleshooting to optimization, we help voice service providers deploy STIR/SHAKEN, stay compliant, and get legitimate calls through.

stirshaken-8-1 (1)

STIR/SHAKEN Design and Deployment

Standing up STIR/SHAKEN touches your SBC, call control server, certificate management, analytics, and display logic. We design the whole picture from day one, so you're not patching it together later.

  • Our engineers design your signing topology and document the trade-offs so you can defend the choice.
  • We configure the STI-AS and STI-VS using TransNexus, MetaSwitch, Ribbon, or another vendor and integrate via HTTPS API or 302 redirects.
  • We validate end-to-end with test calls to T-Mobile, AT&T, Verizon, and Comcast so you see caller verified land on the recipient side.
stirshaken-8-2

STIR/SHAKEN Support and Troubleshooting

When calls are labeled spam, attestation isn't passing through, or your verification service is rejecting headers, we dig in. We pull SIP captures, decode Identity headers, check the certificate chain, and walk back through the call path until we find the breakdown. Our experts:

  • Run packet captures and decode Identity headers, including the base64-encoded passport, to see what's being signed and what's not.
  • Investigate why analytics partners or terminating carriers are flagging your traffic as spam even when attestation is correct.
  • Work traceback requests from USTelecom and document the response.
stirshaken-8-3

STIR/SHAKEN Technology Optimization and Expansion

We help you get more from STIR/SHAKEN beyond compliance. Trust us to:

  • Integrate Rich Call Data and branded calling so business calls display logos, names, and reason-for-call information.
  • Build analytics feedback loops between verification results, call quality, and fraud detection so high-volume customers with low answer rates trigger investigation.
  • Add KYC controls on the origination side so you can defend A-level attestations and reduce reputation downgrade risk. 
Frequently Asked Questions

Common STIR/SHAKEN Questions, Answered

Get quick answers to common questions about STIR/SHAKEN protocol, compliance, attestation, and implementation.

STIR (Secure Telephony Identity Revisited) is a set of IETF standards (RFCs 8224, 8225, 8226) that define how to cryptographically sign a SIP call so the recipient can verify who originated it. SHAKEN is the framework that says how service providers actually deploy it.

When a call enters the network, the originating provider stamps it with an Identity header that says "this caller has the right to use this number." The terminating provider checks that signature and decides whether to display the call as verified or flag it as suspicious. In the US, this was made law under the TRACED Act.

All voice service providers in the US are required to be STIR/SHAKEN compliant for the IP portions of their networks under the TRACED Act and FCC rules. This includes:

  • VoIP providers

  • CLECs

  • Wireless carriers

  • Broadband providers offering voice

  • Telecommunications carriers

Even providers with TDM networks still need call authentication for the TDM portions, though not STIR/SHAKEN specifically. The rules apply to anyone originating, terminating, or routing calls.

 A (full attestation) means the originating provider knows the caller and confirms they have the right to use the number. That's the strongest level and what the FCC wants you to give when you can.

B (partial attestation) means the provider knows the caller but can't confirm the number, which comes up with PBX scenarios where calls can be forwarded with an arbitrary caller ID.

C (gateway attestation) is the weakest – basically "I don't know who placed this call, but I know who handed it to me." Picking the right level matters more each year because over-attestation gets you flagged by analytics partners. 

 For the IP portions of your network, yes. The non-IP exemption only applies to the parts that are physically non-IP. For TDM parts, you don't have to implement STIR/SHAKEN specifically because it's IP-only, but you still have to implement some form of call authentication and a robocall mitigation program. Ignoring it isn't an option. 

Not anymore. As of September 18, 2025, the FCC requires that even if you use a third party for technical signing, you have to make the attestation decisions, and the calls must be signed with your own certificate, not the third party's. You also have recordkeeping requirements for those arrangements. Make sure your contract reflects this and that you have the certificate yourself.

This is one of the more common problems. A lot of SBCs were configured years ago to drop unknown headers as a security hardening step, and the Identity header gets caught up in that.

The fix depends on the SBC—Oracle Acme Packet, Sansay, MetaSwitch Perimeta, and Ribbon all handle it differently. You also need to make sure your trunks can carry the larger SIP messages by moving to TCP. 

STIR/SHAKEN by itself doesn't prevent robocalls. It just authenticates that a caller has the right to use a number. If a legitimate provider signs a call from a customer who's actually doing illegal robocalling, the call still goes through with a valid attestation.

That's why STIR/SHAKEN has to be paired with robust analytics (Hiya, TNS, TransUnion), KYC on the origination side, traceback response, and Do-Not-Originate enforcement.

These are complementary, not competing. STIR/SHAKEN is the cryptographic layer. It tells you whether the caller is authorized to use a number.

Analytics is the reputation layer. It tells you, based on call patterns, complaint volume, and other signals, whether the caller is actually behaving well. You need both. 

Display is what your subscribers see, and that's a separate decision from either signing or analytics. 

The FCC requires every voice service provider to recertify its Robocall Mitigation Database filing every year. The window opens February 1, the deadline is March 1, and the first one was March 1, 2026. The base forfeiture for false or inaccurate RMD info is now $10,000, and there's a $1,000 penalty for failing to update within 10 business days of a change. ECG helps on the technical side, so the filing reflects what you've actually deployed.

You register as a voice service provider with the Policy Administrator (currently the Governance Authority board). You request an SPC (Service Provider Code) token. You generate a CSR from that token and submit it to an approved Certificate Authority to get your signing certificate. That certificate is what you use to sign Identity headers on outbound calls. The process also includes registering your network details in the Robocall Mitigation Database so the industry knows who you are and what you're responsible for. 

Ready to Experience the ECG Difference?

Get in touch for products that support your crucial voice infrastructure needs.