Reflectra Sentinel — Communications Security

Your calls are
under attack.

AI voice cloning, deepfake video calls, and vishing scams are indistinguishable from real conversations. Sentinel detects them — in real time, on your hardware, with zero cloud exposure.

All AI screening runs locally on your Mac Mini M4. No call audio is ever sent to any third-party cloud.

Request early accessSee how it works

$0

Per-call cost

Any tier, always

Local

AI inference

No cloud models

0 ports

Exposed inbound

Outbound tunnel only

What Sentinel protects against

🎭

AI voice cloning

Scammers impersonating family members, executives, and government officials using cloned voices

📹

Deepfake video

Real-time video manipulation making anyone appear as someone else on a call

📞

Vishing attacks

Voice phishing designed to extract credentials, financial data, or personal information

💬

SMS phishing

Malicious links and social engineering via text messages analyzed by Sentinel

🌐

Web meeting threats

Fake meeting rooms and compromised browser sessions detected by the extension

The screening process

Every unknown call gets screened.

Before you pick up, Sentinel has already analyzed the audio — on your device, in milliseconds.

01

Call arrives

Sentinel intercepts inbound call before your phone rings. Unknown callers trigger AI screening automatically.

02

Local AI analysis

Whisper transcribes. Deepfake model checks voice patterns. Voiceprint compared against your trusted list.

03

Verdict rendered

"Clean", "Suspicious deepfake signal", or "Known scammer voiceprint" — decided on your hardware in under 2 seconds.

04

You decide

Answer with full context, send to voicemail, or challenge the caller — your rules, always enforced.

Trust tiers

Three tiers. One consistent answer: $0/call.

Sentinel handles calls from your own devices, trusted contacts on any network, and fully unknown PSTN callers — each with the right security posture.

Tier 1Owner network

Your devices

Your 5 Tailscale-connected devices communicate over WireGuard tunnels. Direct SIP over your private tailnet — no internet exposure, no TURN relay.

  • SIP over WireGuard (Tailscale)
  • Tailnet-only binding — ACL rejects all other IPs
  • Full AI screening active
  • $0 / call
Tier 2Sentinel-to-Sentinel

Trusted contacts

Family and friends with their own Sentinel accounts connect via WebRTC P2P. Cloudflare only handles signaling — audio is end-to-end encrypted between devices.

  • WebRTC DTLS-SRTP (end-to-end)
  • Identity verified via Cloudflare Access
  • Voiceprint confirmation available
  • $0 / call
Tier 3Public callers

PSTN / unknown

Any phone number can call your Sentinel DID. Unknown callers are screened, challenged, or blocked. Scammers hear: "Please deposit 15¢ to connect."

  • AI voice + intent screening
  • Scammer challenge gate
  • Voicemail to R2 when offline
  • $0 / call

Capabilities

Built for the threat landscape of 2025+

On-device AI screening

Whisper transcribes in real time. A custom deepfake model checks voice patterns. ECAPA-TDNN compares voiceprints against enrolled trusted contacts. All on your Mac Mini M4.

Zero cloud audio exposure

Call audio never leaves your network. Tier 1 stays on your Tailscale tailnet. Tier 2 is direct P2P WebRTC (DTLS-SRTP). Cloudflare sees only signaling metadata.

No public ports

FreeSWITCH binds only to your tailnet IP (100.64.0.0/10 ACL). External callers reach you via an outbound-only Cloudflare Tunnel — no firewall rules to poke, no attack surface.

Caller whitelist & rules

Auto-accept trusted contacts, ring-with-screening for unknowns, voicemail or block for flagged numbers. Quiet hours defer rings to voicemail. Your rules, enforced at the edge.

Works while Mac sleeps

Cloudflare Durable Objects maintain presence and ring state when your Mac is off. Voicemails record to R2. In the morning, your Mac processes them: deepfake analysis, intent scoring, Reflectra digest.

Cross-platform

Native apps for iOS, Android, Mac, and Windows. Browser extension for phishing detection on web pages and video meetings. SIP softphone embedded in your existing desktop.

Security model

Designed to fail safely.

Every architectural decision in Sentinel assumes the worst-case. The default is deny.

🔐

No public SIP exposure

FreeSWITCH binds only to your private Tailscale IP. ACL rejects every packet from outside the Tailscale CGNAT range (100.64.0.0/10). The internet cannot reach your PBX.

🛡️

Outbound tunnel only

Your Mac never opens an inbound port to the internet. All external connectivity is via a Cloudflare Tunnel initiated from your Mac — a one-way pipe that cannot be traversed inbound.

🧠

No PII to cloud LLMs

All screening — voice transcription, deepfake scoring, voiceprint matching — uses local Whisper, Ollama, and custom models running on your M4 hardware. No audio or transcript is sent to any cloud AI.

🔑

Secrets never in code

SIP passwords are generated at install time and written to local config files with chmod 600. The repository ships only placeholder templates. No credentials are committed.

Identity at the edge

External callers must authenticate via Cloudflare Access (Google/Apple/email OAuth) before any ring signal reaches your devices. Anonymous internet callers never get past the gate.

💾

Auto-unload of models

The 1.5 GB deepfake detection model is loaded on demand and automatically unloaded 60 seconds after the last call. Your Mac stays at ~230 MB idle overhead.

No cloud audio·Local-first AI·Zero inbound ports·DTLS-SRTP encrypted

Part of the Reflectra platform

Reflectra PersonasReflectra CareReflectra LifeReflectra.ai →
Early access — individuals and families only

Stop the next scam call
before it starts.

Sentinel is in active development. Request early access or ask Sarah — our AI guide — to walk you through the security model.

Request early accessExplore Reflectra