<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tahir Almas</title>
    <description>The latest articles on DEV Community by Tahir Almas (@tahiralmas).</description>
    <link>https://dev.to/tahiralmas</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3911307%2F77d2f227-47d5-42ea-87e2-5d4abeb9b2cd.png</url>
      <title>DEV Community: Tahir Almas</title>
      <link>https://dev.to/tahiralmas</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tahiralmas"/>
    <language>en</language>
    <item>
      <title>Multi-Tenant PBX Security: A 2026 Best-Practices Guide</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Tue, 07 Jul 2026 11:39:23 +0000</pubDate>
      <link>https://dev.to/tahiralmas/multi-tenant-pbx-security-a-2026-best-practices-guide-515b</link>
      <guid>https://dev.to/tahiralmas/multi-tenant-pbx-security-a-2026-best-practices-guide-515b</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://ictpbx.com/multi-tenant-pbx-security-best-practices-2026/" rel="noopener noreferrer"&gt;ictpbx.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The fastest way to secure a multi-tenant PBX in 2026 is to treat it as five layers, not one setting: lock SIP down at the network edge, encrypt signaling with TLS and media with SRTP, isolate every tenant's data, cap spend to stop toll fraud, and watch the logs. Get those five right and you close off almost every real-world attack on a hosted phone system.&lt;/p&gt;

&lt;p&gt;We build a multi-tenant IP PBX for a living, so this guide is written from the operator's chair. It is not a checklist of scary words. It is the order we would actually harden a PBX software platform that carries other people's calls.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why multi-tenant PBX security is a different problem
&lt;/h2&gt;

&lt;p&gt;A single-company phone system has one owner and one blast radius. A multi-tenant hosted PBX shares infrastructure across many customers who each expect total privacy. That changes the threat model. Now a bug is not just an outage, it can leak one tenant's call recordings to another, or let a compromised extension in Tenant A rack up international minutes billed to your platform.&lt;/p&gt;

&lt;p&gt;So the job splits in two. You defend the platform from the outside world, and you wall each tenant off from every other tenant on the inside. The diagram below shows what that separation looks like in practice.&lt;/p&gt;

&lt;p&gt;One PBX, Many Walled-Off Tenants&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Tenant A
Extensions, CDRs,
config, recordings



Tenant B
Extensions, CDRs,
config, recordings



Tenant C
Extensions, CDRs,
config, recordings
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Isolation layer&lt;/p&gt;

&lt;p&gt;Shared ICTPBX Core&lt;br&gt;
  ICTCore&lt;br&gt;
  FreeSWITCH media engine&lt;br&gt;
  Angular admin portal&lt;br&gt;
  Per-tenant scoping on every query&lt;br&gt;
  Every request carries a tenant ID, so one customer can never read or route another customer's calls.&lt;/p&gt;

&lt;p&gt;The important idea is that every request, every database read, every call route carries a tenant ID. The shared core does the heavy lifting, but it never mixes one customer's data with another's. That is the line between a real multi-tenant product and a single box with some extra logins bolted on.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 1: Lock down SIP at the network edge
&lt;/h2&gt;

&lt;p&gt;Open SIP ports are the most scanned thing on the public internet after SSH. Bots hunt for port 5060, then brute-force extension passwords all night. Your first job is to make that noise pointless.&lt;/p&gt;

&lt;p&gt;Put the PBX behind a firewall that only accepts SIP from known carriers and provisioned devices. Add fail2ban so repeated failed registrations get the source IP banned automatically. Rate-limit registration attempts, and drop UDP floods before they reach the media server. None of this is fancy, and all of it stops the bulk of automated attacks cold.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 2: Encrypt signaling and media
&lt;/h2&gt;

&lt;p&gt;Unencrypted VoIP is readable to anyone on the path. In 2026 that is no longer acceptable, and for regulated customers it is a compliance failure. Use TLS for SIP signaling so call setup, routing, and teardown are private. Use SRTP for the audio itself so the actual conversation cannot be captured and replayed.&lt;/p&gt;

&lt;p&gt;Turning both on is not optional for a hosted product. If you carry calls for a healthcare clinic or a law firm, the audio has to be encrypted end to end across your network, and you need to be able to prove it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 3: Isolate every tenant
&lt;/h2&gt;

&lt;p&gt;This is the layer that makes multi-tenant hard. Two customers share the same servers but must never see a trace of each other. Good isolation means per-tenant scoping on every query, separate credentials and extensions, and no shared admin surface where one tenant's settings can touch another's. Our own approach to &lt;a href="https://ictpbx.com/ictpbx-docs/system-admin/ictpbx-branding-white-label/" rel="noopener noreferrer"&gt;multi-tenant and white-label separation&lt;/a&gt; keeps each tenant fully branded and fully walled off, right down to the portal they log into.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 4: Stop toll fraud before it drains an account
&lt;/h2&gt;

&lt;p&gt;Here is the attack that actually costs operators money. A single weak extension password gets cracked, and within hours the account is dialing premium international numbers around the clock. By morning the bill is thousands of dollars. Encryption does nothing to stop this, because the calls are legitimate as far as the switch knows.&lt;/p&gt;

&lt;p&gt;The fix is spend controls, not signal controls. Set per-tenant credit limits and daily spend caps. Block or flag high-risk destinations by default. Alert on sudden call spikes and on traffic to countries a tenant has never dialed. Our &lt;a href="https://ictpbx.com/fraud-credit-controls/" rel="noopener noreferrer"&gt;fraud and credit controls&lt;/a&gt; exist for exactly this, because the cheapest fraud to survive is the one that hits a ceiling after a few minutes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 5: Monitor, patch, and rehearse
&lt;/h2&gt;

&lt;p&gt;Security is not a state you reach, it is a habit. Keep the operating system, the SIP stack, and the media engine patched. Watch registration logs and CDRs for patterns that do not fit. Keep backups you have actually tested restoring. The teams that get burned are not the ones who missed a clever exploit, they are the ones running a version from two years ago with a known hole.&lt;/p&gt;

&lt;h2&gt;
  
  
  The five layers as one picture
&lt;/h2&gt;

&lt;p&gt;Put together, the layers form a set of rings. An attacker has to beat all of them, and each one is a different kind of control, so a single mistake does not hand over the whole system.&lt;/p&gt;

&lt;p&gt;Defense In Depth For A Hosted PBX&lt;/p&gt;

&lt;p&gt;Network edge: firewall, fail2ban, IP allowlists, rate limits&lt;/p&gt;

&lt;p&gt;Signaling security: SIP over TLS&lt;/p&gt;

&lt;p&gt;Media security: SRTP encrypted audio&lt;/p&gt;

&lt;p&gt;Tenant isolation: per-account data scoping&lt;/p&gt;

&lt;p&gt;Fraud and credit controls&lt;br&gt;
  Spend caps, geo limits, live alerts&lt;br&gt;
  An attacker has to beat every ring. Miss one layer and the others still hold the line.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threats and the control that answers each one
&lt;/h2&gt;

&lt;p&gt;ThreatLayer that stops it&lt;br&gt;
SIP port scanning and brute forceEdge firewall, fail2ban, rate limits&lt;br&gt;
Call interception and eavesdroppingTLS signaling plus SRTP media&lt;br&gt;
One tenant seeing another's dataPer-tenant isolation and scoping&lt;br&gt;
Toll fraud on a cracked extensionCredit limits, spend caps, geo blocks&lt;br&gt;
Exploits against stale softwarePatching, monitoring, tested backups&lt;/p&gt;

&lt;h2&gt;
  
  
  How ICTPBX fits
&lt;/h2&gt;

&lt;p&gt;ICTPBX is a white-label, multi-tenant PBX software platform built on ICTCore, FreeSWITCH, and an Angular admin. Tenant isolation, TLS and SRTP encryption, and fraud and credit controls are part of the product, not add-ons you wire in yourself. That matters if you are an ITSP or MSP, because you inherit the hard security work instead of rebuilding it per customer. You can see the full &lt;a href="https://ictpbx.com/ictpbx-feature-list/" rel="noopener noreferrer"&gt;PBX calling feature list&lt;/a&gt; to check what ships in the box.&lt;/p&gt;

&lt;p&gt;If you want to walk through hardening your own deployment, open a ticket at &lt;a href="https://service.ictvision.net" rel="noopener noreferrer"&gt;service.ictvision.net&lt;/a&gt; and our team can help you plan the rollout.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently asked questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Is a hosted multi-tenant PBX less secure than an on-premise one?
&lt;/h3&gt;

&lt;p&gt;Not inherently. A well-run hosted PBX often beats a neglected on-premise box, because the operator patches, monitors, and hardens full time. The risk with multi-tenant is isolation, so the question to ask a vendor is how they keep one tenant's data and calls fully separate from every other tenant.&lt;/p&gt;

&lt;h3&gt;
  
  
  Do I really need both TLS and SRTP?
&lt;/h3&gt;

&lt;p&gt;Yes. TLS protects the call setup and signaling, and SRTP protects the audio itself. Turn on only one and you leave half the call exposed. For regulated data you need both, and you need to be able to show they are active.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is the single most common PBX attack?
&lt;/h3&gt;

&lt;p&gt;Toll fraud from a weak extension password. Attackers crack the login, then dial premium international numbers to generate revenue for themselves. Spend caps and credit limits are the control that keeps a breach from becoming a huge bill.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do I stop SIP brute-force attempts?
&lt;/h3&gt;

&lt;p&gt;Keep SIP off the open internet where you can, accept traffic only from known carriers and devices, run fail2ban to auto-ban repeat offenders, and rate-limit registrations. Strong, unique extension passwords close the last gap.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does encryption slow down calls?
&lt;/h3&gt;

&lt;p&gt;On modern hardware the overhead of TLS and SRTP is negligible for normal call volumes. Users will not notice a difference, and the privacy gain is worth far more than the tiny processing cost.&lt;/p&gt;

&lt;h2&gt;
  
  
  Related resources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://ictpbx.com/ictpbx-docs/system-admin/ictpbx-branding-white-label/" rel="noopener noreferrer"&gt;Multi-Tenant and White-Label Setup&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://ictpbx.com/fraud-credit-controls/" rel="noopener noreferrer"&gt;Fraud and Credit Controls&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://ictpbx.com/ictpbx-feature-list/" rel="noopener noreferrer"&gt;Complete PBX Calling Feature List&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://ictpbx.com/support/" rel="noopener noreferrer"&gt;ICTPBX Support&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Want a multi-tenant PBX with these controls built in? See what ICTPBX offers at &lt;a href="https://ictpbx.com/" rel="noopener noreferrer"&gt;ictpbx.com&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>One Malicious SIP Message Shouldn't Take Down Your PBX: Hardening Open Source VoIP Against 2026 DoS Attacks</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:48:15 +0000</pubDate>
      <link>https://dev.to/tahiralmas/one-malicious-sip-message-shouldnt-take-down-your-pbx-hardening-open-source-voip-against-2026-dos-2k9g</link>
      <guid>https://dev.to/tahiralmas/one-malicious-sip-message-shouldnt-take-down-your-pbx-hardening-open-source-voip-against-2026-dos-2k9g</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://ictinnovations.com/hardening-open-source-voip-sip-dos-attacks/" rel="noopener noreferrer"&gt;ictinnovations.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;One malformed SIP message should never crash or hijack your phone system, yet 2026 keeps proving how fragile an exposed SIP edge can be. The fix isn't a single product, it's layered hardening: patch fast, rate-limit and validate SIP, put a session border controller or firewall in front, run fail2ban, enforce TLS and SRTP, and disable modules you don't use. Do those together and one bad packet stays harmless.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why the SIP edge keeps getting hit
&lt;/h2&gt;

&lt;p&gt;SIP is a text protocol that has to accept messages from anywhere it's meant to serve. That openness is exactly what attackers probe. A mid-2026 cluster of VoIP security issues drove the point home: a malicious SIP INVITE that could crash or take over phone systems, an unauthenticated SIP PUBLISH denial-of-service bug fixed in a FreeSWITCH release, and pre-auth remote-code-execution chains discussed across the PBX industry. The common thread is a single crafted message reaching a service that trusts it too much.&lt;/p&gt;

&lt;p&gt;If you run open source VoIP, this is your job to manage, not a vendor's. The upside is that you can see and control every layer. The hardening below assumes an ICTCore and FreeSWITCH-based stack, but the same principles apply to any SIP deployment.&lt;br&gt;
 How one SIP message reaches your coreAttackercrafted INVITEOpen SIP port5060 exposedSIP parsertrusts messageCrash ortakeoverEvery unguarded hop is a chance to stop the attack early.The attack path: a crafted message crosses an open port and reaches a parser that trusts it. &lt;/p&gt;

&lt;h2&gt;
  
  
  Patch promptly, and know what you're running
&lt;/h2&gt;

&lt;p&gt;Most of the 2026 SIP bugs already have fixes. The FreeSWITCH PUBLISH denial-of-service, for instance, was resolved in a release, which does nothing for you if you're months behind. So the first control is boring and the most effective: keep your VoIP software current and track upstream security advisories.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Subscribe to security announcements for FreeSWITCH and any SIP components you run.&lt;/li&gt;
&lt;li&gt;Keep an inventory of versions so you know your exposure the day a bug drops.&lt;/li&gt;
&lt;li&gt;Test and apply patches on a schedule, and treat SIP-message bugs as high priority since they're often pre-auth.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Guard the edge before the message reaches your parser
&lt;/h2&gt;

&lt;p&gt;Patching closes known holes. Edge controls limit what any single message can do, including the bugs nobody's found yet. Put layers between the internet and your core so a crafted packet has to survive several checks first.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Front your PBX with a session border controller or a firewall that understands SIP, so it can drop malformed or out-of-policy messages before they hit the application.&lt;/li&gt;
&lt;li&gt;Rate-limit SIP requests per source, so a flood of INVITE or PUBLISH messages can't exhaust the system.&lt;/li&gt;
&lt;li&gt;Validate SIP: reject messages that violate the protocol, cap header sizes, and drop what your deployment has no reason to accept.&lt;/li&gt;
&lt;li&gt;Run fail2ban to watch logs and auto-block IPs that probe, brute-force, or scan your SIP service.&lt;/li&gt;
&lt;li&gt;Never leave the SIP port open to the whole internet if you can scope it. Restrict by IP where your topology allows.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These layers matter most against a single-packet crash, because even an unpatched parser bug is far harder to reach when an SBC and rate limiter sit in front of it. For background on picking the right server component, the comparison of open source SIP servers is a useful read.&lt;/p&gt;

&lt;h2&gt;
  
  
  Encrypt, minimize, and monitor
&lt;/h2&gt;

&lt;p&gt;Once the edge is guarded, tighten the service itself. Turn on TLS for SIP signaling and SRTP for media so calls can't be sniffed or tampered with in transit. Then shrink your attack surface: disable modules and features you don't use, because every enabled parser and endpoint is one more thing that can be attacked. A lean configuration is a safer one.&lt;br&gt;
 Hardening layers around the PBXPBXcorePatch and disable unused modulesTLS signaling and SRTP mediaValidate and rate-limit SIP, run fail2banSBC or SIP firewall at the edgeA bad packet has to defeat every ring to reach the core.Defense in depth: each ring an attacker must cross buys you resilience against the next bug. &lt;br&gt;
Finally, watch the system. Log SIP traffic, alert on spikes in failed registrations or malformed messages, and review those alerts. Monitoring is how you catch an attack that slips past the earlier layers, and how you notice a new pattern before it becomes an outage. For hands-on guidance, see the walkthrough on implementing secure VoIP communication.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Can one SIP message really crash a PBX?
&lt;/h3&gt;

&lt;p&gt;Yes. Several 2026 issues involved a single crafted message, such as a malicious INVITE or an unauthenticated PUBLISH, that could crash or take over a system before authentication. That's why edge validation and prompt patching matter so much: you want to stop that message early.&lt;/p&gt;

&lt;h3&gt;
  
  
  Isn't patching enough on its own?
&lt;/h3&gt;

&lt;p&gt;Patching closes known bugs, but it does nothing for the ones not yet discovered. Edge controls like an SBC, rate limiting, and SIP validation limit what any message can do, so they protect you during the window before a fix exists and after, as a safety net.&lt;/p&gt;

&lt;h3&gt;
  
  
  Do I need a session border controller if I already have a firewall?
&lt;/h3&gt;

&lt;p&gt;A plain firewall filters ports but often can't inspect SIP itself. An SBC or a SIP-aware firewall understands the protocol, so it can drop malformed or out-of-policy messages a basic firewall would pass through. For an internet-facing PBX, that SIP awareness is worth having.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does fail2ban add?
&lt;/h3&gt;

&lt;p&gt;Fail2ban watches your logs and automatically blocks IP addresses that scan, brute-force, or probe your SIP service. It won't stop a single-packet exploit by itself, but it cuts down the constant background attacks and buys your other layers room to work.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why disable modules I'm not using?
&lt;/h3&gt;

&lt;p&gt;Every enabled module adds code that parses input and can carry its own bugs. If you don't use a feature, turning it off removes that whole path from your attack surface. A minimal configuration gives an attacker fewer doors to try.&lt;/p&gt;

&lt;p&gt;If you run open source VoIP for a service provider or your own network, treat the SIP edge as something to defend on purpose, layer by layer. To see how ICT Innovations approaches open source telecom and where its team can help, take a look at the services page and start hardening before the next crafted packet finds you.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>UCaaS + CCaaS: Why Adding Contact-Center to Your White-Label Stack Multiplies Deal Size</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:43:08 +0000</pubDate>
      <link>https://dev.to/tahiralmas/ucaas-ccaas-why-adding-contact-center-to-your-white-label-stack-multiplies-deal-size-27l6</link>
      <guid>https://dev.to/tahiralmas/ucaas-ccaas-why-adding-contact-center-to-your-white-label-stack-multiplies-deal-size-27l6</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ict.vision/ucaas-ccaas-white-label-deal-size" rel="noopener noreferrer"&gt;ict.vision&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If you resell communications, the quickest path to a bigger deal isn't a discount, it's a second product. Attach a contact-center (CCaaS) layer on top of your unified communications (UCaaS) stack and your average deal size climbs, because CCaaS reaches the sales and support teams that touch revenue. A white-label portfolio lets you sell both under your own brand without building either.&lt;/p&gt;

&lt;h2&gt;
  
  
  UCaaS and CCaaS aren't the same sale
&lt;/h2&gt;

&lt;p&gt;People blur these two, so it's worth being precise. UCaaS is how a whole company communicates: cloud voice, chat, video, and messaging that keep everyone connected. CCaaS is a focused engine for teams that handle customer conversations at volume: queues, routing, agent workflows, IVR, and reporting across voice, chat, and other channels.&lt;/p&gt;

&lt;p&gt;The difference matters because the buyers are different. UCaaS is bought by IT for the whole org. CCaaS is bought by the people who own customer outcomes, and they're closer to the money. That's the whole reason the attach motion works.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;UCaaS: broad reach, steady per-seat value, sold to IT.&lt;/li&gt;
&lt;li&gt;CCaaS: narrower seat count, higher value per seat, sold to revenue owners.&lt;/li&gt;
&lt;li&gt;Together: one relationship, two budgets, a stickier account.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One stack, two layers, more deal valueUCaaS layerCloud voice, chat, video, messaging for the whole companyCCaaS layerQueues, routing, IVR, agents for revenue-facing teamshighervalue/seatbroadseat countAttach CCaaS on top and the same account carries two budgets.UCaaS gives you reach; CCaaS stacks higher-value seats on the same account. &lt;/p&gt;

&lt;h2&gt;
  
  
  Why the market is pulling this way in 2026
&lt;/h2&gt;

&lt;p&gt;The demand is real. UCaaS in 2026 sits around 70 billion USD and is growing at a healthy double-digit clip. At the same time, buyers increasingly want the contact-center fused with their voice, chat, and video rather than bolted on from a separate vendor. As one signal, Webex Contact Center bookings ran up roughly 42 percent year over year, which tells you where budget is moving.&lt;/p&gt;

&lt;p&gt;For a reseller, that trend is a gift. You don't need to invent demand. You need to be the provider who already has both layers ready when a customer asks for the second one.&lt;/p&gt;

&lt;h2&gt;
  
  
  The math on deal size and stickiness
&lt;/h2&gt;

&lt;p&gt;Here's why the bundle multiplies revenue instead of just adding to it. When you sell UCaaS alone, you win a per-seat deal across the org. When you attach CCaaS, you add a second product priced per agent, and contact-center seats usually carry a higher value because they come with routing, reporting, and integrations.&lt;/p&gt;

&lt;p&gt;Two things happen at once:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Deal size jumps, because you've stacked a revenue-team product on top of a company-wide one.&lt;/li&gt;
&lt;li&gt;Churn drops, because CCaaS wires into how the customer earns money. Ripping out the tool your sales and support floor runs on is a project nobody wants, so the account stays.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That combination, bigger initial deal plus a stickier account, is exactly what a service provider wants from a portfolio. It's the difference between selling minutes and owning the customer relationship. You can see how this fits a provider model on the service provider solutions page.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why white-label makes the attach motion easy
&lt;/h2&gt;

&lt;p&gt;The catch with a two-product story is usually build cost. Standing up your own UCaaS platform is hard; adding a real CCaaS engine on top is harder. White-label removes that problem. You resell mature, multi-tenant software under your own brand, keep the customer relationship, and set your own pricing, while the underlying platform does the heavy lifting.&lt;/p&gt;

&lt;p&gt;ICT Vision is built for this. It's a B2B company offering white-label, multi-tenant cloud communication and business software that service providers resell as their own. The portfolio spans the layers you'd attach across an account: ICTContact for omnichannel contact-center, ICTPBX for hosted PBX and UC, plus ICTDialer, ICTCRM, and ICTFax. That means you can lead with UCaaS, attach CCaaS, and keep expanding, all from one brand. The full lineup lives on the products page.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What's the simplest way to explain UCaaS vs CCaaS?
&lt;/h3&gt;

&lt;p&gt;UCaaS is how the whole company talks to itself and to others: voice, chat, video, messaging. CCaaS is a focused engine for teams that handle customer conversations at scale, with queues, routing, IVR, and agent reporting. One is company-wide plumbing; the other is a revenue-team tool.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why does attaching CCaaS raise average deal size?
&lt;/h3&gt;

&lt;p&gt;Because you add a second product on top of a per-seat UCaaS deal. Contact-center seats carry higher value thanks to routing, reporting, and integrations, and they're bought by revenue owners with their own budget. The same account ends up funding two purchases instead of one.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does bundling really improve retention?
&lt;/h3&gt;

&lt;p&gt;Yes. CCaaS wires into how a customer makes money through sales and support workflows. Replacing the tool those teams run on every day is disruptive, so accounts with CCaaS attached tend to stay longer than voice-only accounts.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why go white-label instead of building my own stack?
&lt;/h3&gt;

&lt;p&gt;Building UCaaS and CCaaS from scratch is slow and costly. White-label lets you resell proven multi-tenant software under your own brand, own the customer and the pricing, and get to market fast without carrying the engineering load yourself.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can I start with one product and add more later?
&lt;/h3&gt;

&lt;p&gt;That's the point of a portfolio. Lead with UCaaS or PBX, attach contact-center when the customer's revenue teams need it, then expand into dialer, CRM, or fax over time. Each addition grows the account without a new vendor relationship for the customer.&lt;/p&gt;

&lt;p&gt;If you want a white-label communications portfolio you can grow account by account, take a look at what ICT Vision offers resellers and service providers. Lead with voice, attach the contact-center, and let the second product do the heavy lifting on your deal size.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Why AI Chatbots Can't Handle a Crisis, and How to Reach Real Support Fast</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:40:28 +0000</pubDate>
      <link>https://dev.to/tahiralmas/why-ai-chatbots-cant-handle-a-crisis-and-how-to-reach-real-support-fast-4gl9</link>
      <guid>https://dev.to/tahiralmas/why-ai-chatbots-cant-handle-a-crisis-and-how-to-reach-real-support-fast-4gl9</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://roshni.online/ai-chatbots-crisis-reach-real-support/" rel="noopener noreferrer"&gt;roshni.online&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If you're in immediate danger or thinking about harming yourself, please contact your local emergency services right now. An AI chatbot can be a kind first step for everyday reflection and small next moves, but it isn't a crisis service. When things feel urgent, a real person needs to be on the other end, and reaching one quickly matters more than anything an app can say.&lt;/p&gt;

&lt;h2&gt;
  
  
  What AI is genuinely good for
&lt;/h2&gt;

&lt;p&gt;Lots of people already turn to AI when they want to think out loud. In 2026 the American Psychological Association noted that most psychologists, around 77 percent, now see patients who use AI tools for support between sessions. That's a real shift, and it isn't a bad thing on its own. Used gently, an AI companion can help you slow down and get your bearings.&lt;/p&gt;

&lt;p&gt;Where it tends to help:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Putting a swirl of thoughts into words when you're not ready to talk to anyone yet.&lt;/li&gt;
&lt;li&gt;Practicing what you might say to a friend, a doctor, or a professional.&lt;/li&gt;
&lt;li&gt;Learning simple grounding or breathing steps for a stressful moment.&lt;/li&gt;
&lt;li&gt;Being there at 3 a.m. when no one else is awake, in your own language, in private.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Roshni's AI Companion is live and free for exactly these moments. You can use it by text or voice, in any language, any time, and it stays private. Think of it as a warm starting point, not a replacement for a person who can truly care for you.&lt;br&gt;
 When AI helps, and when to reach a personAI Companion can helpEveryday reflectionSorting your thoughtsGrounding and breathing stepsPlanning what to say nextA private space, any timeReach a person forThoughts of harmFeeling unsafeA sudden crisisAnything urgentWhen you need real careIn danger right now? Contact local emergency services first.An easy way to tell everyday support apart from a moment that needs a person. &lt;/p&gt;

&lt;h2&gt;
  
  
  Why a crisis needs a human
&lt;/h2&gt;

&lt;p&gt;Here's the honest part. Recent research in 2026 tested popular chatbots against clinical standards for crisis response, and they came up short. That doesn't make AI useless, but it does draw a clear line: a chatbot can miss the seriousness of what you're saying, respond in a flat or generic way, and it cannot physically get help to you. A trained person can hear the weight in your words, ask the right follow-up, and act.&lt;/p&gt;

&lt;p&gt;A crisis is exactly the kind of moment where subtle cues matter and where someone may need to reach you in the real world. Software isn't built for that responsibility, and it shouldn't carry it. That's why a caring first step should always know when to hand off to a human.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to reach real support fast
&lt;/h2&gt;

&lt;p&gt;Speed and simplicity matter when you're struggling, so keep the path short:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If you're in immediate danger, contact your local emergency services right away. That comes before anything else.&lt;/li&gt;
&lt;li&gt;If you want to talk to someone who's qualified, connect with a verified professional for a private session.&lt;/li&gt;
&lt;li&gt;If you're not sure where to start, open the free AI Companion and let it help you take the first step and point you toward a person.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Roshni is built around that handoff. The AI Companion is a free first step, and it escalates to a verified professional when a person is needed. If you'd like a private session, the plans on Roshni connect you with verified professionals directly. You can also see how the Roshni client application works so you know what to expect before you start.&lt;/p&gt;

&lt;h2&gt;
  
  
  Using AI wisely, without leaning on it too hard
&lt;/h2&gt;

&lt;p&gt;The healthiest way to use an AI companion is to treat it as a bridge, not a destination. Let it help you name what you're feeling, then let a real person carry it further when the feeling is heavy. If a conversation with AI ever leaves you feeling worse, or if it starts to feel like your only support, that's a sign to reach out to a human.&lt;/p&gt;

&lt;p&gt;You deserve care that can truly meet you. AI can open the door and sit with you for a moment. People walk you through it. If you want to know more about the team and the idea behind the platform, read the Roshni about page.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Is the Roshni AI Companion free to use?
&lt;/h3&gt;

&lt;p&gt;Yes. The AI Companion is live and free. You can use it by text or voice, in any language, at any hour, and your conversations stay private. It's meant as a gentle first step whenever you need one.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can an AI chatbot replace a therapist?
&lt;/h3&gt;

&lt;p&gt;No, and it isn't meant to. An AI companion can help you reflect and take small next steps, but it can't provide care, read a situation the way a trained person can, or respond to a crisis. For real support, connect with a verified professional.&lt;/p&gt;

&lt;h3&gt;
  
  
  What should I do if I'm in crisis right now?
&lt;/h3&gt;

&lt;p&gt;Please contact your local emergency services immediately if you're in danger or thinking about harming yourself. Getting a real person involved fast is the most important thing, and it comes before any app or chat.&lt;/p&gt;

&lt;h3&gt;
  
  
  What happens when the AI Companion senses I need more help?
&lt;/h3&gt;

&lt;p&gt;It's built to escalate. When a person is needed, the AI Companion points you toward a verified professional so you're not left alone with it. The goal is always to move you toward human support when that's what the moment calls for.&lt;/p&gt;

&lt;h3&gt;
  
  
  Will my conversations stay private?
&lt;/h3&gt;

&lt;p&gt;Yes, your conversations with the AI Companion are private. That's part of what makes it easier to open up and put difficult feelings into words when you're not ready to talk to anyone else yet.&lt;/p&gt;

&lt;p&gt;Whenever you're ready, you can start a free chat with the AI Companion for a gentle first step, or connect with a verified professional if you'd like to talk to a person. And if you're ever in a crisis, please reach your local emergency services first. You don't have to carry it alone.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Agentic AI Will Resolve 80% of Support Tickets. What Happens to the Other 20%?</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:37:46 +0000</pubDate>
      <link>https://dev.to/tahiralmas/agentic-ai-will-resolve-80-of-support-tickets-what-happens-to-the-other-20-2l0j</link>
      <guid>https://dev.to/tahiralmas/agentic-ai-will-resolve-80-of-support-tickets-what-happens-to-the-other-20-2l0j</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://ictdesk.net/blog/agentic-ai-80-percent-support-tickets/" rel="noopener noreferrer"&gt;ictdesk.net&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Gartner's widely cited forecast says agentic AI will autonomously resolve around 80% of common customer-service issues by 2029. That number is real and worth planning for, but the story that matters is the other 20%: the emotional, high-stakes, one-off tickets that still need a person, backed by solid ticketing, clean escalation, and full context. The win isn't AI instead of humans. It's AI plus humans plus ticketing.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 80% Is the Easy Part
&lt;/h2&gt;

&lt;p&gt;Password resets, order status, refund rules, setup steps, and the same ten how-to questions over and over. That's the bulk of most support queues, and it's exactly what an AI agent handles well. It answers instantly, at 3am, in any timezone, without a queue. If that work vanishes from your human agents' plates, they get hours back and customers get faster replies. Good outcome, easy to see.&lt;/p&gt;

&lt;p&gt;But 2026 brought a reality check to the hype. Follow-up reporting warned that a large share of agentic-AI projects stall or get cancelled, north of 40% by some counts, and a few companies that cut humans too fast ended up rehiring. The lesson wasn't that AI failed. It was that teams bolted AI on without a plan for the tickets AI can't close.&lt;br&gt;
 80%AI resolves20%humansThe 20% is small in volume and huge in value.The projected split: routine tickets to AI, hard tickets to people. &lt;/p&gt;

&lt;h2&gt;
  
  
  What Lives in the Other 20%
&lt;/h2&gt;

&lt;p&gt;The remaining fifth of your queue isn't random leftovers. It's the tickets that decide whether a customer stays or churns. They tend to be:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Emotional.&lt;/strong&gt; An angry customer whose order failed on a deadline wants to feel heard, not routed to a bot loop.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;High-stakes.&lt;/strong&gt; Billing disputes, security concerns, and account access issues carry real consequences if handled wrong.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ambiguous.&lt;/strong&gt; Problems that don't match any article, span two systems, or need a judgment call.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Relationship-defining.&lt;/strong&gt; The moment a good recovery turns a frustrated customer into a loyal one.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None of that is a knock on AI. It's the point. You want AI to clear the routine 80% so your best people have the time and focus to nail the 20% that actually moves the needle. For a deeper look at where to draw that line, our AI customer support guide walks through it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Ticketing Is the Glue
&lt;/h2&gt;

&lt;p&gt;Here's what teams miss when they chase the 80% number. AI resolving a ticket and AI escalating a ticket both depend on the same thing: a solid ticketing system underneath. When the bot hits its limit, the handoff has to carry the full conversation, the customer history, and the context, or the human starts from zero and the customer repeats themselves. That's the exact moment trust breaks.&lt;/p&gt;

&lt;p&gt;Strong help desk ticketing software makes the handoff clean. The AI's transcript, the customer's past tickets, and the current status all land in the human agent's inbox at once. No copy-paste, no lost thread. We wrote about that seam specifically in the AI handoff gap in ticketing, because it's where most AI support projects quietly fail.&lt;br&gt;
 Ticket Inchat or formAI Botanswers from KBResolved (the 80%)closed, loggedEscalate to humanfull context carriedThe escalation pathEvery ticket flows through AI first, then splits: resolved or escalated with context. &lt;/p&gt;

&lt;h2&gt;
  
  
  How ICTDesk Handles Both Sides
&lt;/h2&gt;

&lt;p&gt;ICTDesk is AI-powered live chat and help desk software built for exactly this split, and the AI is live today. The bot crawls your site to build a knowledge base and answers visitors from your own content using Anthropic Claude or OpenAI. When it isn't confident, it escalates to a human instead of guessing. Real-time WebSocket chat, visitor intelligence, and a shared team inbox mean the handoff carries the full picture. It's multi-tenant, white-label, and comes with mobile apps, and it's built by ICT Innovations. See the ICTDesk features for the full set.&lt;/p&gt;

&lt;p&gt;So the AI clears your routine volume, and your people get clean, context-rich tickets for the hard 20%. That's the pairing the 2026 reporting says actually works, instead of swinging from all-human to all-AI and back.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Will agentic AI really replace support agents?
&lt;/h3&gt;

&lt;p&gt;No. The credible forecasts say AI will autonomously resolve most common, routine issues, not the emotional or high-stakes ones. Teams that cut humans entirely in 2026 often rehired. The durable model is AI handling volume while people handle the tickets that need judgment and empathy.&lt;/p&gt;

&lt;h3&gt;
  
  
  What makes the escalation from AI to a human work well?
&lt;/h3&gt;

&lt;p&gt;Context. The human agent needs the full AI transcript, the customer's ticket history, and the current status handed over automatically. Without that, the customer repeats themselves and trust erodes. Good help desk ticketing software carries all of it into the agent's inbox at once.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is the ICTDesk AI bot available now, or coming later?
&lt;/h3&gt;

&lt;p&gt;It's live now. The ICTDesk bot crawls your site, builds a knowledge base from your content, answers using Anthropic Claude or OpenAI, and escalates to a human when it isn't sure. It's a shipped feature, not a roadmap item.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why do so many agentic-AI support projects stall?
&lt;/h3&gt;

&lt;p&gt;Usually because teams focus on the 80% AI can close and ignore the plan for the 20% it can't. Without clean escalation, solid ticketing, and staff for the hard cases, the whole system feels broken to customers even when the bot answers most questions correctly.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can ICTDesk work for a multi-tenant or white-label setup?
&lt;/h3&gt;

&lt;p&gt;Yes. ICTDesk is multi-tenant and white-label, with mobile apps and a shared team inbox, so agencies and providers can run support for multiple brands or clients from one platform.&lt;/p&gt;

&lt;p&gt;The 80% headline is real, but the 20% is where customers decide whether they trust you. If you want AI and your team pulling together instead of against each other, take a look at ICTDesk and see how the live bot and clean escalation fit your support flow.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Universities Are Reviving Oral Exams to Beat AI Cheating. Here's How to Scale Them Online</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:34:59 +0000</pubDate>
      <link>https://dev.to/tahiralmas/universities-are-reviving-oral-exams-to-beat-ai-cheating-heres-how-to-scale-them-online-1blm</link>
      <guid>https://dev.to/tahiralmas/universities-are-reviving-oral-exams-to-beat-ai-cheating-heres-how-to-scale-them-online-1blm</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ictlms.net/oral-exams-ai-cheating-scale-online/" rel="noopener noreferrer"&gt;ictlms.net&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Universities are bringing back oral and viva exams because AI-written answers are hard to fake when a student has to explain their reasoning out loud. The catch is cost: oral exams don't scale on their own. A smart online exam platform with AI-assisted grading, recorded responses, and authenticity signals lets you run viva-style and process-focused assessment online, without reverting to paper.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Oral Exams Came Back
&lt;/h2&gt;

&lt;p&gt;By mid-2026, the education press had a recurring headline: institutions reworking how they test students to stay ahead of AI. Roughly 45% of institutions were redesigning assessments, and a growing share moved toward grading the process a student follows rather than just the final output. Oral exams sit at the center of that shift because they force a student to think in real time, defend a claim, and respond to a follow-up question. A chatbot can write a flawless essay. It can't sit the viva for you.&lt;/p&gt;

&lt;p&gt;The problem is obvious to anyone who has run one. A single oral exam eats faculty hours. Scheduling, examiner time, note-taking, and consistent scoring across dozens or hundreds of students turn a good idea into a logistics wall. That's the gap an online platform closes.&lt;br&gt;
 Manual Oral ExamOnline, AI-Assistedone examiner per studentfixed schedule slotsscoring varies by graderhard to run at scalestudents respond anytimeresponses recordedAI-assisted first passteacher reviews and overridesSame rigor, minus the scheduling and grading bottleneck.Manual oral exams versus an online, AI-assisted approach. &lt;/p&gt;

&lt;h2&gt;
  
  
  What Scaling Viva-Style Assessment Online Takes
&lt;/h2&gt;

&lt;p&gt;Recreating the value of an oral exam online means capturing more than a typed answer. You want the reasoning, the timing, and enough signal to trust the result. Here's what makes it work:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Recorded responses.&lt;/strong&gt; Let students record spoken or video answers to a prompt, so you assess how they explain their thinking, not just what they conclude.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AI-assisted grading with human review.&lt;/strong&gt; The platform scores a first pass against your rubric, and a teacher reviews or overrides it. Speed from AI, judgment from the educator.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Authenticity signals.&lt;/strong&gt; Behavior and integrity cues during the attempt flag responses worth a closer human look.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Process-focused questions.&lt;/strong&gt; Ask students to show steps, defend a choice, or critique a flawed answer, which rewards understanding over a polished final paragraph.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Grade the Process, Not Just the Output
&lt;/h2&gt;

&lt;p&gt;The smartest redesign isn't banning AI. It's asking questions where the process is the point. Give a student a messy dataset and ask them to walk through their cleanup decisions. Hand them an AI-generated answer with a subtle error and ask them to find and fix it. Have them record a two-minute defense of a design choice. These tasks are natural fits for recorded responses and rubric-based grading, and they're far harder to outsource to a chatbot.&lt;/p&gt;

&lt;p&gt;A smart online exam platform supports this by combining question variety with structured scoring. You define the rubric once, the AI applies it consistently across every submission, and your faculty spend their time on the borderline cases instead of the routine ones. Consistency actually improves, because the rubric doesn't get tired at 11pm on the hundredth script.&lt;br&gt;
 Studentrecords answerCaptureplus signalsAI Gradingrubric first passTeacherreview andoverrideAssessment pipelineThe teacher always holds the final grade. AI does the heavy first pass.A recorded-response assessment pipeline with human sign-off. &lt;/p&gt;

&lt;h2&gt;
  
  
  Where ICT Exam Fits
&lt;/h2&gt;

&lt;p&gt;ICTLMS is built around ICT Exam, an AI-powered online exam platform where AI grading is live and central to the product. It supports every question type, AI-assisted grading with teacher review and override, and full exam controls: timer, availability windows, attempt limits, and shuffle. You also get a gradebook and item analysis to see which questions actually discriminate. It runs standalone or as hosted Moodle with the ICT Exam plugin, and connects to Moodle, Canvas, and others through LTI 1.3. Browse the full ICT Exam features to see the controls in detail.&lt;/p&gt;

&lt;p&gt;For redesigned, process-focused assessments, ICT Exam is the platform you build and grade them on. It gives you the question flexibility, the AI-assisted first pass, and the human override that keeps academic judgment where it belongs. If credibility is your worry, our note on how a smart online exam stays credible covers the integrity side. And you can start from the ICTLMS home page to see the full picture.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Can an online platform really replace a face-to-face oral exam?
&lt;/h3&gt;

&lt;p&gt;It can capture much of the same value. Recorded spoken or video responses let you assess how a student reasons and explains, and AI-assisted grading against your rubric keeps scoring consistent. For high-stakes finals you might still add a live component, but for scaling viva-style tasks across large cohorts, an online platform does the heavy lifting.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does AI do the grading, or does a teacher?
&lt;/h3&gt;

&lt;p&gt;Both, in that order. In ICT Exam, AI grading is live and produces a first pass against your rubric. A teacher then reviews and can override any score. The educator holds the final decision, so you get speed without giving up judgment.&lt;/p&gt;

&lt;h3&gt;
  
  
  How does the platform help with AI cheating?
&lt;/h3&gt;

&lt;p&gt;By shifting what you ask and how you check it. Process-focused questions and recorded responses are hard to outsource to a chatbot, and authenticity signals during the attempt flag responses that deserve a closer human look. You design assessments that reward understanding over a polished final answer.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does ICT Exam work with our existing LMS?
&lt;/h3&gt;

&lt;p&gt;Yes. It runs standalone, as hosted Moodle with the ICT Exam plugin, or connects to Moodle, Canvas, and other systems through LTI 1.3. Students launch exams from the LMS they already use, and grades flow back.&lt;/p&gt;

&lt;h3&gt;
  
  
  What question types does it support?
&lt;/h3&gt;

&lt;p&gt;All of them, from multiple choice and short answer to longer written and recorded responses. That range is what lets you build process-focused and viva-style tasks rather than being boxed into quiz formats that AI can breeze through.&lt;/p&gt;

&lt;p&gt;If your team is rethinking assessment for the AI era, you don't have to choose between rigor and scale. Take a look at ICT Exam and see how AI-assisted grading and recorded responses let you run credible, process-focused exams online.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Connect Any AI Agent to Your CRM: Why MCP Makes Open Source the Natural Home for Agentic Sales</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:32:27 +0000</pubDate>
      <link>https://dev.to/tahiralmas/connect-any-ai-agent-to-your-crm-why-mcp-makes-open-source-the-natural-home-for-agentic-sales-4448</link>
      <guid>https://dev.to/tahiralmas/connect-any-ai-agent-to-your-crm-why-mcp-makes-open-source-the-natural-home-for-agentic-sales-4448</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ictcrm.com/mcp-ai-agent-open-source-crm-agentic-sales/" rel="noopener noreferrer"&gt;ictcrm.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The Model Context Protocol (MCP) is an open standard that lets AI agents like Claude or GPT safely read and act on outside systems through a server you run. For sales teams, that means an agent can create leads, update deals, and log calls in your CRM. When that CRM is open source and self-hosted, you own the server, the permissions, and the data.&lt;/p&gt;

&lt;h2&gt;
  
  
  What MCP Actually Is
&lt;/h2&gt;

&lt;p&gt;Think of MCP as a common plug. Before it, every AI tool needed a custom integration for every app, and each one broke on its own schedule. MCP fixes that with one protocol: an AI agent talks to an MCP server, and that server exposes safe, named actions the agent can call. The agent doesn't get raw database access. It gets a menu of operations you approve.&lt;/p&gt;

&lt;p&gt;This isn't a niche experiment. MCP has grown into a widely backed standard, with tens of millions of monthly SDK downloads and support spanning Anthropic, OpenAI, Google, Microsoft, and AWS. When that many players agree on a plug shape, the plug tends to stick around.&lt;br&gt;
 AI AgentClaude or GPTMCP Serveryou controlYour CRMself-hosted datarequestapproved actionThe server sits between the agent and your records, exposing only the actions you allow.How an AI agent reaches CRM data through an MCP server you run. &lt;/p&gt;

&lt;h2&gt;
  
  
  Why Agentic Sales Needs a Safe Path In
&lt;/h2&gt;

&lt;p&gt;Agentic sales is the shift from AI that suggests to AI that acts. Instead of a rep copying an email summary into the CRM, the agent logs the call, updates the stage, and drafts the follow-up. That saves real hours, but it also means an autonomous system is writing to your customer records. You want a gate, not an open door.&lt;/p&gt;

&lt;p&gt;MCP is that gate. A well built CRM MCP server can expose actions such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Create a lead from an inbound message or web form.&lt;/li&gt;
&lt;li&gt;Update a deal stage and value after a call.&lt;/li&gt;
&lt;li&gt;Log call notes, tasks, and next steps against the right contact.&lt;/li&gt;
&lt;li&gt;Pull account history so the agent answers with context, not guesses.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each action carries permissions. The agent can update deals but not delete accounts, or it can read contacts but only write to a specific pipeline. You decide, and you can change your mind without begging a vendor.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Open Source Is the Natural Home
&lt;/h2&gt;

&lt;p&gt;Here's the part closed SaaS can't match. In a hosted, proprietary CRM, the vendor runs the MCP server, sets the permission model, and holds your customer data on their infrastructure. You rent access to your own sales history. If they change the terms, throttle the API, or feed your data into a model you never approved, your options are thin.&lt;/p&gt;

&lt;p&gt;With self-hosted open source CRM software, the MCP server runs where you run the CRM. The data stays on your servers. You audit the code, you set the permission scopes, and you decide which AI provider the agent uses. For teams in regulated fields or anyone who treats their pipeline as a trade secret, that control is the whole point. Our write-up on data sovereignty in self-hosted open source CRM digs into why that ownership matters as AI gets more hands-on.&lt;br&gt;
 Closed SaaS CRMOpen Source, Self-HostedVendor runs the MCP serverData on vendor infrastructurePermissions set by vendorYou run the MCP serverData on your serversYou set every permissionSame protocol, very different control over your customer data.The data-control gap between closed SaaS and self-hosted open source. &lt;/p&gt;

&lt;h2&gt;
  
  
  Where ICTCRM Fits
&lt;/h2&gt;

&lt;p&gt;ICTCRM is an open source CRM with a built-in contact center, built on the heritage of SuiteCRM and ICTContact. It's self-hostable, multi-tenant, white-label, and driven by REST APIs today. Those APIs are exactly the foundation an MCP server needs, since MCP actions are structured calls into your system. An open, API-first, self-hosted CRM is well positioned as MCP moves from early standard to expected feature. You can see the current capabilities on the ICTCRM features page.&lt;/p&gt;

&lt;p&gt;To be clear about today versus tomorrow: ICTCRM ships REST APIs now, and richer AI-agent workflows are emerging rather than fully shipped. The direction is set. If you want a sense of what AI-driven CRM automates across sales and support, our guide on what AI CRM software automates lays out the practical wins.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Do I need MCP to use AI with my CRM?
&lt;/h3&gt;

&lt;p&gt;No, but it helps a lot. You can wire an AI tool to a CRM through custom API code. MCP just standardizes that connection so one server works with many agents, and so permissions and actions are consistent instead of hand-rolled for each integration.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is it safe to let an AI agent write to my CRM?
&lt;/h3&gt;

&lt;p&gt;It's as safe as the permissions you set. Through an MCP server, the agent only calls actions you approve, scoped to specific fields or pipelines. Keep destructive actions off the menu, log every call, and require human review on high-value deals until you trust the flow.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does ICTCRM have a live MCP server today?
&lt;/h3&gt;

&lt;p&gt;ICTCRM offers REST APIs today, which are the groundwork MCP builds on. Full AI-agent and MCP workflows are an emerging direction for the product, not a shipped feature yet. The open, self-hosted design means you're well positioned when it lands.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why does open source matter for agentic sales specifically?
&lt;/h3&gt;

&lt;p&gt;Because agentic AI acts on your data, not just reads it. With open source and self-hosting, you keep the server, the permission model, and the customer records on your own infrastructure, so an autonomous agent never sends your pipeline somewhere you can't see.&lt;/p&gt;

&lt;h3&gt;
  
  
  Which AI models can connect through MCP?
&lt;/h3&gt;

&lt;p&gt;MCP is model-agnostic. Agents built on Claude, GPT, and others can call an MCP server, since the standard has backing across Anthropic, OpenAI, Google, Microsoft, and AWS. You pick the provider that fits your needs and budget.&lt;/p&gt;

&lt;p&gt;Agentic sales is coming fast, and the teams that win will own their data path from day one. If you want a CRM that keeps you in control as AI gets more hands-on, take a closer look at ICTCRM and see how a self-hosted, open source foundation sets you up for what's next.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>No App, No Desk Phone: Making Calls in the Browser With the ICTPBX WebRTC Softphone</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:29:52 +0000</pubDate>
      <link>https://dev.to/tahiralmas/no-app-no-desk-phone-making-calls-in-the-browser-with-the-ictpbx-webrtc-softphone-51i7</link>
      <guid>https://dev.to/tahiralmas/no-app-no-desk-phone-making-calls-in-the-browser-with-the-ictpbx-webrtc-softphone-51i7</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://ictpbx.com/webrtc-softphone-browser-calling-ictpbx/" rel="noopener noreferrer"&gt;ictpbx.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;You don't need a desk phone or a desktop app to make a call on ICTPBX. Open a browser tab, log in, and you get a full softphone: dial pad, hold, transfer, mute, DTMF, and pop-ups for incoming calls. It runs on WebRTC, so the browser is the phone. For hosted PBX users in 2026, that's exactly what they expect, and it's a live feature today.&lt;/p&gt;

&lt;h2&gt;
  
  
  What browser calling means for your PBX software
&lt;/h2&gt;

&lt;p&gt;For years, softphones meant installing something: a desktop client, drivers, sometimes a plugin. Every install was a support ticket waiting to happen. WebRTC removed that. Modern browsers can capture the mic, negotiate media, and carry real-time audio natively, so a well-built PBX can put a working phone inside a tab.&lt;/p&gt;

&lt;p&gt;ICTPBX is multi-tenant, white-label IP PBX software, and the WebRTC softphone is a first-class part of it. New users don't download anything. An admin creates the extension, the user signs in, and they're taking calls. That single change removes the biggest friction point in rolling out hosted PBX to a distributed team.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Dial pad&lt;/strong&gt; for outbound calls, no handset required.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hold and transfer&lt;/strong&gt; so users manage calls like they would on a desk phone.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Mute and DTMF&lt;/strong&gt; for muting audio and navigating IVR menus.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Incoming call pop-ups&lt;/strong&gt; that surface the call right in the browser.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How the WebRTC softphone works under the hood
&lt;/h2&gt;

&lt;p&gt;The softphone uses JsSIP, a SIP library that runs in the browser, talking over a secure WebSocket (WSS) to FreeSWITCH. SIP signaling, the messages that set up, ring, and tear down a call, travels over that encrypted WebSocket. The audio itself flows as an encrypted media stream between the browser and the media server.&lt;/p&gt;

&lt;p&gt;ICTPBX runs on ICTCore plus FreeSWITCH with an Angular portal, and the softphone lives inside that portal. When you sign in, JsSIP registers your extension with FreeSWITCH just like a hardware phone would. From there, FreeSWITCH handles routing, so a browser call and a desk-phone call behave identically inside the same PBX.&lt;br&gt;
 Browser to FreeSWITCH over WSSBrowser tabJsSIP softphone(Angular portal)FreeSWITCHmedia and routing(ICTCore)SIP signaling over secure WebSocketEncrypted audio media streamRegisters like anySIP extensionJsSIP carries SIP over WSS to FreeSWITCH, with an encrypted audio stream alongside it. &lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters for multi-tenant onboarding
&lt;/h2&gt;

&lt;p&gt;In a multi-tenant deployment, you're onboarding many separate organizations, each with their own users. If every user has to install and configure a client, onboarding drags and support load climbs with every new tenant. Browser calling collapses that. A tenant admin provisions extensions, users open a URL, and the tenant is live.&lt;/p&gt;

&lt;p&gt;ICTPBX pairs the softphone with zero touch provisioning, so the path from new account to first call is short. And because ICTPBX is designed so one platform hosts many customers, that low-friction onboarding scales across every tenant without a separate rollout each time.&lt;br&gt;
 Onboarding: install path vs browser pathTraditional softphoneDownload clientInstall and configureEnter SIP credentialsFirst callICTPBX WebRTC softphoneOpen browser tabSign inFirst callFewer steps, no support ticketBrowser calling cuts the steps between a new user and their first call. &lt;/p&gt;

&lt;h2&gt;
  
  
  Install it as a PWA, and what's still rolling out
&lt;/h2&gt;

&lt;p&gt;If your users want the softphone to feel like a native app, ICTPBX installs as a Progressive Web App. That gives them an icon on the desktop or home screen and a standalone window, while still running the same browser engine underneath. No app store, no separate build, just an install prompt from the browser.&lt;/p&gt;

&lt;p&gt;One thing to be clear about: the AI Voice Agent is an optional Enterprise add-on that's still rolling out. It isn't part of the standard softphone, so don't plan around it as a default. The WebRTC softphone itself is live and shipping now, which is what makes browser calling something you can deploy today.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Do users need to install anything to use the ICTPBX softphone?
&lt;/h3&gt;

&lt;p&gt;No. The softphone runs in a standard browser tab. Users sign in to the Angular portal and start calling. If they prefer an app-like experience, they can install it as a PWA, but that's optional.&lt;/p&gt;

&lt;h3&gt;
  
  
  Which browsers support the WebRTC softphone?
&lt;/h3&gt;

&lt;p&gt;Any modern browser with WebRTC support handles it, which covers current versions of the mainstream browsers. The user grants microphone permission once, and the softphone registers with the PBX from there.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is the call audio encrypted?
&lt;/h3&gt;

&lt;p&gt;Yes. SIP signaling runs over a secure WebSocket (WSS), and the media stream between the browser and FreeSWITCH is encrypted. Browser calls get the same protection you'd expect from a properly configured SIP endpoint.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can browser calls transfer to desk phones or other extensions?
&lt;/h3&gt;

&lt;p&gt;Yes. Because the softphone registers as a normal SIP extension on FreeSWITCH, it can hold, transfer, and route to any other extension in the tenant, whether that's another browser user or a hardware phone.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does the softphone include the AI Voice Agent?
&lt;/h3&gt;

&lt;p&gt;No. The AI Voice Agent is an optional Enterprise add-on that's still rolling out. The WebRTC softphone is a separate, live feature. Treat the AI add-on as something to evaluate later, not a standard part of the softphone.&lt;/p&gt;

&lt;p&gt;If you're evaluating PBX software and want your users calling from day one without installs, take the ICTPBX WebRTC softphone for a spin and see how quickly a new tenant gets on the phone.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>CMS Wants to Phase Out the Fax by 2027. Here's Why Your Fax Server Isn't Going Anywhere</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:27:10 +0000</pubDate>
      <link>https://dev.to/tahiralmas/cms-wants-to-phase-out-the-fax-by-2027-heres-why-your-fax-server-isnt-going-anywhere-n2l</link>
      <guid>https://dev.to/tahiralmas/cms-wants-to-phase-out-the-fax-by-2027-heres-why-your-fax-server-isnt-going-anywhere-n2l</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ictfax.com/cms-phase-out-fax-2027-fax-server/" rel="noopener noreferrer"&gt;ictfax.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;CMS wants to move parts of healthcare off the fax machine and onto FHIR-based APIs, with targets pointed at around October 1, 2027. That's real, and it's worth planning for. But roughly 75% of medical communication still travels by fax today, and CMS itself keeps fax as a controlled backup channel. Your fax server software isn't going anywhere for years.&lt;/p&gt;

&lt;h2&gt;
  
  
  What CMS actually proposed
&lt;/h2&gt;

&lt;p&gt;The signal here is the prior authorization push, including the CMS-0062-P proposed rule covering prior authorization for drugs. The comment window on that proposal closed on June 15, 2026, and the implementation targets land around October 1, 2027. The direction is clear: CMS wants payers and providers to exchange certain data through standardized FHIR APIs instead of faxes and portals.&lt;/p&gt;

&lt;p&gt;Read carefully, though, and this is a phased shift for specific workflows, not a switch that turns fax off across healthcare. Prior authorization is one slice of clinical communication. Referrals, records requests, lab orders, pharmacy exchanges, and a long tail of partner-to-partner documents still ride on fax, and nothing in the proposal makes those disappear on a deadline.&lt;br&gt;
 The transition is a slope, not a cliff202620272028+Fax volumeFHIR API adoptionCMS targetBoth run side by sideFax and FHIR overlap for years; adoption ramps while fax volume declines slowly. &lt;/p&gt;

&lt;h2&gt;
  
  
  Why 75% of healthcare still faxes
&lt;/h2&gt;

&lt;p&gt;Fax persists in medicine for boring, durable reasons. It's a legal record. It works between any two organizations without shared software. It doesn't depend on both sides having modernized their systems. And it's trusted by staff who've relied on it for decades. Those aren't nostalgic habits, they're the reasons fax survived every prior attempt to kill it.&lt;/p&gt;

&lt;p&gt;FHIR adoption also isn't uniform. A large hospital network may stand up API exchange quickly, while a small specialty clinic, a rural provider, or a records vendor takes years. Until both ends of every exchange are on FHIR, fax is the interoperability fallback that actually reaches everyone. You can't API to a partner who isn't there yet.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Legal and records value:&lt;/strong&gt; faxes create a defensible paper trail for audits and disputes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Universal reach:&lt;/strong&gt; any provider with a fax number can receive a document, no integration required.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Partner readiness gaps:&lt;/strong&gt; many organizations won't have FHIR endpoints ready by 2027.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Regulatory backup:&lt;/strong&gt; CMS keeps fax as a controlled secondary channel even as APIs roll out.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Modern fax server software is not the old machine
&lt;/h2&gt;

&lt;p&gt;The fax that's dying is the standalone machine and the analog line. What replaces it isn't FHIR alone, it's server-based faxing that lives on your network and inside your workflows. Modern fax server software handles transmission digitally, keeps audit logs, and connects to email and clinical systems, so it fits a HIPAA program instead of fighting it.&lt;/p&gt;

&lt;p&gt;ICTFax is fax server software built for that reality, running on the same FreeSWITCH and ICTCore engine with HIPAA-capable features: secure transmission, audit logs, and access controls. It supports email-to-fax, T.38 for clean IP transport, and multi-tenant separation for groups that need it. In practice, choosing HIPAA compliant fax software is less about the fax standard and more about how the server is configured and operated. If you want the specifics on what makes server faxing meet the standard, see the guide on what makes a fax server HIPAA compliant.&lt;br&gt;
 Your fax server bridges both worldsFHIR-readypartnerFax-onlyclinicRecordsvendorYour fax serversecure and loggedYour EHRand inboxThe server keeps fax-only partners connected while the rest of the system modernizes. &lt;/p&gt;

&lt;h2&gt;
  
  
  How to plan for the transition without panic
&lt;/h2&gt;

&lt;p&gt;Treat 2027 as a milestone, not a deadline to abandon fax. The smart move is to run both channels in parallel: build FHIR exchange for the partners and workflows that support it, and keep a modern fax server for everyone else. As adoption climbs, your fax volume drifts down on its own, and you retire lines only when the traffic genuinely dries up.&lt;/p&gt;

&lt;p&gt;A capable fax server makes that graceful. Digital transmission, email integration, and clean audit logs mean fax stops being a liability and becomes a controlled fallback you can defend in an audit. If you're still framing your policies, the primer on what HIPAA fax means is a useful starting point.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Is CMS actually banning fax in 2027?
&lt;/h3&gt;

&lt;p&gt;No. CMS is steering specific workflows like prior authorization toward FHIR APIs, with targets around October 1, 2027. It isn't banning fax across healthcare, and it keeps fax as a controlled secondary channel. Most clinical communication will still involve fax well past that date.&lt;/p&gt;

&lt;h3&gt;
  
  
  Should we stop investing in fax server software now?
&lt;/h3&gt;

&lt;p&gt;No. With roughly 75% of medical communication still on fax and uneven FHIR adoption, you'll need reliable faxing for years. A modern fax server is a bridge during the transition, not a sunk cost. Retire it when the traffic disappears, not before.&lt;/p&gt;

&lt;h3&gt;
  
  
  What makes ICTFax suitable during this shift?
&lt;/h3&gt;

&lt;p&gt;ICTFax offers HIPAA-capable features like secure transmission, audit logs, and access controls, plus email-to-fax, T.38, and multi-tenant support. That lets you keep serving fax-only partners while your FHIR capability grows alongside it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Will FHIR and fax have to coexist?
&lt;/h3&gt;

&lt;p&gt;Yes, for a long stretch. Not every partner will have FHIR endpoints ready by 2027, and legal and records use cases keep fax relevant. Running both channels side by side is the realistic operating model through the late 2020s.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does fax still count as a compliant channel?
&lt;/h3&gt;

&lt;p&gt;It can, when it runs on properly configured fax server software with encryption, access controls, and audit logging. The compliance comes from how you deploy and operate the system, not from the fax standard itself.&lt;/p&gt;

&lt;p&gt;If you want fax that stays dependable while the rest of healthcare shifts to APIs, take a look at ICTFax fax server software and plan a transition that keeps every partner reachable.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Self-Hosting Fax in 2026: How Open Source Keeps PHI Out of a Third Party's BAA</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:24:31 +0000</pubDate>
      <link>https://dev.to/tahiralmas/self-hosting-fax-in-2026-how-open-source-keeps-phi-out-of-a-third-partys-baa-h54</link>
      <guid>https://dev.to/tahiralmas/self-hosting-fax-in-2026-how-open-source-keeps-phi-out-of-a-third-partys-baa-h54</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ictfax.org/self-hosting-fax-open-source-phi-baa/" rel="noopener noreferrer"&gt;ictfax.org&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;When you send a patient record through a hosted fax service, that PHI passes through someone else's servers, and your only real protection is a Business Associate Agreement. Self-hosting open source fax server software changes the math: the data never leaves your control, so there's no third party to sign a BAA with in the first place. You trade convenience for ownership.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why the third-party BAA is a real exposure
&lt;/h2&gt;

&lt;p&gt;The 2026 breach numbers for healthcare are ugly. Regulators have logged hundreds of large reported breaches, records exposed run into the hundreds of millions, and the average breach cost sits in the millions of dollars per incident. Fax still moves a huge share of clinical documents, so it lands squarely in that risk pool.&lt;/p&gt;

&lt;p&gt;A BAA is a contract. It says your fax vendor promises to safeguard PHI and take on liability if they slip. What it does not do is stop the data from touching their infrastructure. Every fax you send crosses their network, sits in their storage, and depends on their patching schedule and their staff. If they get breached, your patients are in the report, and you're the covered entity explaining it.&lt;br&gt;
 Where does the PHI go?Your clinicHosted fax vendor(PHI stored here)RecipientBAA covers this hop, but PHI still leaves your controlYour clinicSelf-hosted fax server(inside your network)RecipientNo third party in the middle, no extra BAA to trustHosted fax puts PHI in a vendor's storage; self-hosting keeps it in yours. &lt;/p&gt;

&lt;h2&gt;
  
  
  What open source fax server software actually gives you when you self-host
&lt;/h2&gt;

&lt;p&gt;The alternative is to run the fax server yourself. With open source fax software, the code runs on your hardware, in your data center or private cloud, behind your firewall. PHI is generated, converted, transmitted, and logged inside a boundary you already control and already audit for HIPAA.&lt;/p&gt;

&lt;p&gt;ICTFax is built for exactly this. It's open source, white-label, and multi-tenant fax server software running on FreeSWITCH and ICTCore with an Angular portal. The feature set covers what a healthcare team needs day to day:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Email-to-fax and fax-to-email so staff work from their inbox, not a machine in the hallway.&lt;/li&gt;
&lt;li&gt;T.38 and FoIP transport for clean transmission over IP.&lt;/li&gt;
&lt;li&gt;Detailed fax logs for audit trails and delivery proof.&lt;/li&gt;
&lt;li&gt;Multi-tenant isolation so departments or client organizations stay separated.&lt;/li&gt;
&lt;li&gt;REST APIs to wire faxing into your EHR or intake workflow.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Because you host it, none of that traffic crosses a vendor's systems. You can read more about the underlying technologies behind ICTFax if you want to see how the pieces fit together.&lt;/p&gt;

&lt;h2&gt;
  
  
  The trade-offs you're signing up for
&lt;/h2&gt;

&lt;p&gt;Self-hosting isn't free of responsibility, it just moves the responsibility to you. When you own the box, you own the patching. You own uptime. You own the security hardening, the backups, and the access controls. A hosted vendor absorbs some of that operational load, and for a small practice without IT staff, that can matter.&lt;/p&gt;

&lt;p&gt;So the honest question isn't which option is safer in the abstract. It's whether your team can run infrastructure to a HIPAA standard. If you already manage servers, apply security updates on a schedule, and control network access, self-hosting removes an entire class of third-party exposure with little added burden. If you don't have that capability yet, a hosted service with a solid BAA may be the pragmatic starting point.&lt;br&gt;
 Who owns whatHosted fax serviceSelf-hosted open sourceVendor patches serversVendor handles uptimePHI on vendor systemsYou rely on a BAAYou patch the serverYou own uptimePHI stays in your networkNo third-party BAA neededChoose based on your IT capacity, not on marketing claims.Control and responsibility move together.Ownership shifts responsibility: self-hosting cuts exposure but hands you the operations. &lt;/p&gt;

&lt;h2&gt;
  
  
  Fitting a self-hosted fax server into a HIPAA program
&lt;/h2&gt;

&lt;p&gt;If you go the self-hosted route, treat the fax server like any other system that touches PHI. Encrypt transport, restrict portal access by role, keep the fax logs for your retention window, and put the box on your normal patch and vulnerability-scan cadence. Open source helps here because you can inspect the code, run your own security review, and avoid opaque data flows you can't audit. For a deeper look at the controls that matter, see the guide on a HIPAA compliant fax server.&lt;/p&gt;

&lt;p&gt;The point of self-hosting isn't that it's magically compliant. It's that it removes one whole party from your PHI's path. Fewer parties means fewer contracts to trust, fewer systems that can be breached on your behalf, and a smaller attack surface you don't directly manage.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Does self-hosting fax mean I don't need a BAA at all?
&lt;/h3&gt;

&lt;p&gt;You still need BAAs with any vendor that touches PHI, like a SIP or FoIP carrier if you use one. What self-hosting removes is the fax application vendor from that list, since the software runs on your own infrastructure and the PHI never sits in their storage.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is open source fax software actually HIPAA capable?
&lt;/h3&gt;

&lt;p&gt;HIPAA compliance is about how you deploy and operate a system, not a checkbox on a product. Open source fax software like ICTFax gives you the transport security, access controls, and audit logs you need. You supply the hardening, encryption at rest, and access policies around it.&lt;/p&gt;

&lt;h3&gt;
  
  
  What if my team can't run servers reliably?
&lt;/h3&gt;

&lt;p&gt;Then a hosted service with a strong BAA is a reasonable choice, and there's no shame in it. Self-hosting only reduces risk if you can actually meet the operational bar. Be honest about your IT capacity before you commit to owning the stack.&lt;/p&gt;

&lt;h3&gt;
  
  
  How does ICTFax keep tenants separated?
&lt;/h3&gt;

&lt;p&gt;ICTFax is multi-tenant by design, so each department or client organization gets isolated fax handling, logs, and access. That lets a single self-hosted deployment serve several groups without their data mixing together.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can I connect a self-hosted fax server to our EHR?
&lt;/h3&gt;

&lt;p&gt;Yes. ICTFax exposes REST APIs, so you can trigger faxes, pull status, and route inbound documents straight into an intake or EHR workflow. Email-to-fax and fax-to-email cover the simpler cases without any custom integration.&lt;/p&gt;

&lt;p&gt;If keeping PHI inside your own walls matters to your organization, take a closer look at ICTFax open source fax server software and see whether self-hosting fits your team. You own the infrastructure, and you own the peace of mind that comes with it.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The STIR/SHAKEN Attestation Gap: Why Open Source Auto Dialers on Small Carriers Get Flagged (and How to Fix It in 2026)</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:21:54 +0000</pubDate>
      <link>https://dev.to/tahiralmas/the-stirshaken-attestation-gap-why-open-source-auto-dialers-on-small-carriers-get-flagged-and-4ld5</link>
      <guid>https://dev.to/tahiralmas/the-stirshaken-attestation-gap-why-open-source-auto-dialers-on-small-carriers-get-flagged-and-4ld5</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ictdialer.com/stir-shaken-attestation-gap-open-source-auto-dialer/" rel="noopener noreferrer"&gt;ictdialer.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If your open-source auto dialer keeps showing up as 'Spam Likely' even on clean, consented calls, the culprit is usually attestation. STIR/SHAKEN signs each call A, B, or C, and calls routed through smaller carriers tend to get B or C. That lower grade drags down your reputation and your answer rate. Here's what the levels mean and how to pull your traffic back up to A.&lt;/p&gt;

&lt;h2&gt;
  
  
  What STIR/SHAKEN Attestation Levels Mean
&lt;/h2&gt;

&lt;p&gt;STIR/SHAKEN is the framework carriers use to cryptographically sign calls so the receiving network can trust the caller ID. The signing carrier assigns one of three attestation levels:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;A (Full):&lt;/strong&gt; the carrier knows the customer and confirms they have the right to use the calling number. This is the grade you want.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;B (Partial):&lt;/strong&gt; the carrier knows the customer but can't confirm the number is theirs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;C (Gateway):&lt;/strong&gt; the carrier is just passing the call through and can't vouch for the source at all.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Analytics engines that decide whether to show 'Spam Likely' weigh attestation heavily. A calls sail through. B and C calls get scrutinized, and if your number has any negative signals, they get labeled fast.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 2026 Attestation Gap Between Big and Small Carriers
&lt;/h2&gt;

&lt;p&gt;Here's the uncomfortable math. In 2026, Tier-1 carriers sign roughly 85% of their traffic, and about 93% of what they sign gets full A-level attestation. Smaller and regional carriers lag badly, with signing rates near 17.5%. So the same consented call that would earn an A on a Tier-1 network often earns a B or C when it originates through a small carrier.&lt;/p&gt;

&lt;p&gt;That gap is the whole problem for self-hosted dialer operators. You did everything right on your end, but the originating carrier can't or won't fully attest, and the terminating network treats your call as suspect. Understanding this is the first step, and our primer on what auto dialer software is covers the call-flow basics that make the attestation handoff clearer.&lt;br&gt;
   The 2026 Attestation Gap  Tier-1 carriers Small carriers  85% signed  93% A-level  17.5% signed  mostly B/C Same call, different grade, depending on who originates it. Tier-1 networks sign far more traffic at A-level than smaller carriers do. &lt;/p&gt;

&lt;h2&gt;
  
  
  Why Open-Source and Self-Hosted Dialers Hit This
&lt;/h2&gt;

&lt;p&gt;When you run your own dialer, you pick your own SIP trunk provider, often a smaller, cheaper wholesaler. That's great for cost and control, but those providers are exactly the ones with low signing rates. Your open-source stack isn't the problem; the origination path is. You're routing legitimate campaigns through a carrier that can't hand you an A.&lt;/p&gt;

&lt;p&gt;The trap is assuming better software fixes it. It doesn't. Your dialer can be flawless and still land as 'Spam Likely' if the number and route don't earn full attestation. If you're weighing platforms, our roundup of open source predictive dialers is honest that carrier choice matters as much as the software.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Fix the Attestation Gap in 2026
&lt;/h2&gt;

&lt;p&gt;You can close most of the gap with a handful of concrete moves. None of them require abandoning self-hosting:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Choose an A-level-capable originating carrier.&lt;/strong&gt; Ask any prospective SIP provider directly what attestation level they assign to your numbers and how they verify ownership. If they can't give you A, keep looking.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Register your numbers with the RMD.&lt;/strong&gt; Getting into the industry's registration and reputation systems helps carriers and analytics engines recognize your traffic as legitimate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use branded caller ID and rich call data.&lt;/strong&gt; Showing your business name and call reason gives recipients a reason to answer and gives analytics engines positive signals.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Monitor your reputation.&lt;/strong&gt; Check your numbers across the major analytics platforms regularly and rotate or remediate any that get tagged.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keep clean consent records.&lt;/strong&gt; Documented consent and low complaint rates are what keep your reputation high once attestation gets you in the door.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;ICTDialer is auto-dialer and call-center software with predictive, power, and progressive dialing, a WebRTC agent panel, bulk fax, and REST APIs. Those APIs make it straightforward to pull disposition and complaint data into your reputation monitoring so you catch a slipping number before it tanks a campaign. AI-driven reputation scoring is coming soon; for now the monitoring workflow is yours to wire up, and the REST endpoints make that easy.&lt;br&gt;
   From Flagged to Delivered  B/C attest Spam Likely   A-level carrier  RMD register  branded caller ID     A attest trusted   rings  Three fixes move a flagged call up to A-level and back into the recipient's ringer. &lt;/p&gt;

&lt;h2&gt;
  
  
  Putting It Into a Campaign
&lt;/h2&gt;

&lt;p&gt;Attestation work pays off only when it feeds your day-to-day dialing. Warm up new numbers gradually, keep dial ratios sane so complaints stay low, and pull your reputation data into your pre-flight checks. If you want a step-by-step frame for running the campaign around these controls, our guide on how to run a predictive dialer campaign lays out the sequence.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Why does my legitimate call show as 'Spam Likely'?
&lt;/h3&gt;

&lt;p&gt;Usually because it earned B or C attestation on origination, not because your content is bad. Analytics engines weigh attestation heavily, so a call routed through a small carrier that can't fully attest gets extra scrutiny and often a spam label even when the campaign is fully consented.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can an open-source dialer earn A-level attestation?
&lt;/h3&gt;

&lt;p&gt;Yes. Attestation is assigned by your originating carrier, not your software. If you route through a SIP provider that verifies number ownership and signs at A, your open-source or self-hosted dialer gets the same grade as any hosted platform.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is the RMD and why register?
&lt;/h3&gt;

&lt;p&gt;The RMD is the industry registration and reputation infrastructure that helps carriers and analytics engines recognize legitimate callers. Registering your numbers gives your traffic positive standing, which supports better delivery and fewer false spam labels.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does branded caller ID actually improve answer rates?
&lt;/h3&gt;

&lt;p&gt;It helps in two ways. Recipients are more likely to pick up when they see your verified business name and call reason, and analytics engines read branded, data-rich calls as a positive signal, which supports your overall reputation over time.&lt;/p&gt;

&lt;h3&gt;
  
  
  How often should I check my number reputation?
&lt;/h3&gt;

&lt;p&gt;Check regularly, at least weekly for active campaigns, across the major analytics platforms. A number can pick up a spam tag quickly, so early detection lets you rotate or remediate it before it drags down a whole campaign's answer rate.&lt;/p&gt;

&lt;p&gt;You don't have to give up self-hosting to beat the spam label, you just have to fix the origination path. If you want to see how ICTDialer's dialing modes and REST APIs fit a reputation-first workflow, give it a try and wire your monitoring in.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Synthetic-Voice Fraud Hits the Contact Center: How Voice Biometrics and CRM Context Stop AI-Powered Callers in 2026</title>
      <dc:creator>Tahir Almas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 07:19:12 +0000</pubDate>
      <link>https://dev.to/tahiralmas/synthetic-voice-fraud-hits-the-contact-center-how-voice-biometrics-and-crm-context-stop-ai-powered-3l0k</link>
      <guid>https://dev.to/tahiralmas/synthetic-voice-fraud-hits-the-contact-center-how-voice-biometrics-and-crm-context-stop-ai-powered-3l0k</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.ictcontact.com/synthetic-voice-fraud-contact-center-voice-biometrics-crm/" rel="noopener noreferrer"&gt;ictcontact.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Synthetic-voice fraud has crossed from lab demo into everyday attacks, and about one in three US consumers now report encountering a cloned or AI-generated voice used to deceive. Your best defense isn't one tool. It's a layered stack: voice biometrics to flag the audio, CRM context to check the story, and step-up verification when the two disagree. Here's how the pieces fit.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Attackers Use Cloned Voices Against You
&lt;/h2&gt;

&lt;p&gt;The attack is simpler than it used to be. A fraudster grabs a few seconds of a target's voice from a video, a voicemail, or a webinar, feeds it to a cloning model, and calls your support line sounding like the real account holder. They ask to reset a password, add a payee, or reroute a shipment. If your agent trusts the voice, the account is gone.&lt;/p&gt;

&lt;p&gt;What makes 2026 different is scale. Cloning that once took an expert now runs from a phone app, so the volume of believable fakes hitting your queue keeps climbing. Agents can't hear the difference, and honestly, neither can most people. That's why the defense has to live in your systems, not your agents' ears.&lt;br&gt;
   Synthetic-Voice Attack Path  Scrape voice clip video, VM, webinar  Clone voice AI model  Call the line as account holder  Your queue defense layers    The account holder never made the call.   biometrics + CRM + step-up check  The fraud path ends at your queue, where layered checks catch what the ear can't. &lt;/p&gt;

&lt;h2&gt;
  
  
  Voice Biometrics: The First Screen
&lt;/h2&gt;

&lt;p&gt;Voice biometrics compares the caller's audio against a stored voiceprint and, increasingly, against telltale signs of synthetic generation. It's an industry technique, not a silver bullet: a good clone can sometimes fool a weak model, and background noise can trip a strong one. Treat the biometric result as a signal, not a verdict. A low match score or a synthetic flag should raise the bar for what comes next, not automatically block or approve.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where CRM Context Beats a Convincing Voice
&lt;/h2&gt;

&lt;p&gt;This is where contact center software earns its keep. A cloned voice can sound perfect and still fail the facts. When the caller's request lands in front of your agent alongside the full customer record, the story either checks out or it doesn't. Is the request coming from a known device? Does the ask match recent interaction history? Did this account just change its email an hour ago from a new IP?&lt;/p&gt;

&lt;p&gt;ICTContact is omnichannel contact center software with a built-in CRM, a drag-and-drop IVR designer, a WebRTC agent panel, and multi-tenant white-label support. Because the CRM and the call flow live in one system, your agent sees identity context the moment the call connects. Our overview of CRM software with call center features shows how that record surfaces automatically. A voice can be faked. A three-year interaction history, tied to devices and timestamps, is a lot harder to fake in real time.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step-Up Verification and Smart Routing
&lt;/h2&gt;

&lt;p&gt;When biometrics and CRM context disagree, you escalate instead of guessing. Step-up verification asks for something the caller must actively prove: a one-time passcode to a registered device, a knowledge check the CRM can validate, or a callback to the number on file. The key is routing: your IVR should send high-risk requests down a stricter path automatically.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Low risk:&lt;/strong&gt; voiceprint matches, request matches history, proceed normally.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Medium risk:&lt;/strong&gt; one signal is off, trigger a one-time passcode before any change.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;High risk:&lt;/strong&gt; synthetic flag plus a recent account change, route to a fraud-trained agent and require callback to the number on record.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;With a drag-and-drop IVR designer, you can build these branches without code and adjust thresholds as attack patterns shift. ICTContact's AI Voice Agent, shipped in v6.5 and built into the Service Provider Edition, can front-line these flows: it collects intent, runs the first checks, and hands genuine high-risk calls to a person with context already gathered. You can read more about how that works on our AI Voice Agent page.&lt;br&gt;
   Risk-Tiered Routing  call in     Low risk proceed normally  Medium risk one-time passcode  High risk callback + fraud agent Biometric score and CRM signals decide the branch.  Each risk tier sends the caller down a stricter verification path. &lt;/p&gt;

&lt;h2&gt;
  
  
  Close the Loop: Disposition and DNC Controls
&lt;/h2&gt;

&lt;p&gt;Detection only helps if it feeds back into your data. When an agent flags a call as suspected fraud, that disposition should tag the record, feed your reporting, and, where appropriate, update DNC or block lists so the same number can't keep probing. Over weeks, those tags become a pattern library that sharpens your routing rules. If you're newer to the category, our primer on what contact center software is covers how dispositions and reporting connect the whole operation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Can voice biometrics alone stop synthetic-voice fraud?
&lt;/h3&gt;

&lt;p&gt;No, and treating it that way is risky. Biometrics is a strong first screen, but a high-quality clone can sometimes pass it and noisy audio can fail a real caller. Pair it with CRM context and step-up verification so no single check makes the final call.&lt;/p&gt;

&lt;h3&gt;
  
  
  How does CRM context help if the voice sounds perfect?
&lt;/h3&gt;

&lt;p&gt;A voice can be cloned, but a full interaction history is hard to fake in real time. When the request contradicts recent activity, comes from an unknown device, or follows a suspicious account change, the CRM record exposes the mismatch even when the audio sounds flawless.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is ICTContact's AI Voice Agent actually available now?
&lt;/h3&gt;

&lt;p&gt;Yes. The AI Voice Agent shipped in v6.5 and is built into the Service Provider Edition. It can run first-line intent capture and verification steps, then hand high-risk calls to a human agent with context already collected.&lt;/p&gt;

&lt;h3&gt;
  
  
  What is step-up verification?
&lt;/h3&gt;

&lt;p&gt;Step-up verification adds a stronger proof of identity only when a call looks risky, rather than burdening every caller. Common forms include a one-time passcode to a registered device, a knowledge check the CRM can validate, or a callback to the number on file.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does adding these checks slow down legitimate callers?
&lt;/h3&gt;

&lt;p&gt;Not much, if you tier them. Low-risk calls proceed normally, and only medium or high-risk calls hit extra steps. Risk-based routing in your IVR keeps friction where it belongs, which is on the small share of calls that actually look suspicious.&lt;/p&gt;

&lt;p&gt;Synthetic voices will keep getting better, so build the layers now while you have room to test them. If you want to see how CRM context and IVR routing come together against these attacks, take a look at ICTContact and map your own risk tiers.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
