Skip to main content
Skip to article content

What Ṣọ Actually Does: Two Engines, One Inbox, Zero Retention

By SO Email Security5 min read estimated reading time

A complete breakdown of what Ṣọ does today. Engine 01 reads every email for invoice fraud, document fraud, phishing, identity attacks, and breach alerts. Engine 02 (pilot) watches calls for voice and face deepfakes on Zoom and Teams. Available on mobile, browser, desktop, and API. Plus Ṣọ Shield as the enterprise add-on for surface scanning, credential watching, API security, and KYC monitoring.

Ṣọ Email Securityproduct overviewemail security featuresinvoice fraud detectionphishing detectionvoice deepfake detectionface deepfake detectioncall guardbusiness email compromise protectionSMB cybersecurityemail security AI

What Ṣọ Actually Does: Two Engines, One Inbox, Zero Retention

Why This Post Exists

Most security tools list dozens of features and let you sort out what matters. Ṣọ does the opposite. There are two engines, four surfaces (mobile, browser, desktop, API), and one optional enterprise add-on. This post walks through what each one does, what's live in production today, and what's in pilot.

If you've heard the name Ṣọ and weren't sure what it actually catches, this is the answer.

Engine 01: Content: Reads Every Email

Engine 01 is the core of Ṣọ. It runs in production today. Every email that passes through your inbox gets analyzed for five specific threat categories before you see it.

Invoice fraud. Changed bank details. Vendor email addresses that don't match prior correspondence. New payment instructions on existing invoices. The pattern of a real vendor relationship suddenly going wrong because someone in the middle is redirecting payments. Engine 01 detects the patterns that human reviewers miss when they're processing 50 invoices an hour.

Document fraud. Altered signatures. Tampered PDFs. Modified contract terms. Documents that look right but have been subtly changed in ways that benefit whoever sent them. This is the second-most-common variant of BEC after wire fraud, and it's the variant that escapes most email filters because there's nothing wrong with the email itself, just the attachment.

Phishing. Bad links. Untrusted senders. URL patterns that resolve to credential-harvesting pages. This is the bread-and-butter detection layer, but Ṣọ's approach goes deeper than blocklists. The engine reads context: who normally emails you, what they normally ask, and flags anything that doesn't fit the pattern.

Identity. Fake email addresses that look real. Lookalike domains (paypa1.com instead of paypal.com). Display name spoofing where the visible name matches a known contact but the underlying address is fraudulent. The kind of impersonation that exploits how email clients render names instead of full addresses.

Breach alerts. Leaked passwords on the dark web. If your email address shows up in a credential dump, Engine 01 surfaces the alert so you can rotate passwords before attackers use them. This is the protective layer that operates outside your inbox itself, watching the places attackers shop for credentials.

The five detection categories share one architecture. Email content is sent to Ṣọ servers via HTTPS/TLS, processed in seconds, and deleted immediately. No logs. No human access. Nothing retained beyond the moment of analysis. We earn revenue from subscriptions, never from your data.

Engine 02: Call Guard: Watches Every Call (Pilot)

Engine 02 is in pilot, not yet generally available. It addresses a threat that's been escalating fast since 2024: AI-generated voice and face deepfakes on live business calls.

The pattern works like this. A finance manager joins a Zoom call with someone they believe is their CFO. The face looks right. The voice sounds right. The CFO asks for an urgent wire transfer, references a real deal, and provides plausible context. The money goes out. The next day, the real CFO doesn't know what happened.

This has happened to real companies. Arup, the engineering firm, lost $25 million to a deepfake video call BEC in 2024. The pattern is now industrialized: voice cloning tools that need 30 seconds of source audio, face-swap tools that work in real time on consumer hardware. The cost of building a convincing deepfake is approaching zero.

Engine 02 detects three patterns:

Voice deepfakes. AI-cloned voices on live calls. The engine analyzes audio for artifacts that human ears miss but that ML models can identify reliably.

Face deepfakes. Synthetic video on Zoom and Teams. The engine looks for the visual signatures of face-swap technology: subtle lighting inconsistencies, micro-expression mismatches, blink-rate anomalies.

Meeting bot. A Ṣọ participant joins your calls as a passive listener, alerts in real time if deepfake signals are detected, and provides a private notification to the meeting host. The bot doesn't record audio or video. It analyzes signal patterns and discards the data immediately.

The pilot is open for early-access organizations. If you're handling high-value financial decisions over video calls and want to evaluate Engine 02, reach out at hi@soemailsecurity.com.

Where Ṣọ Lives: Four Surfaces

Engine 01 runs on every surface you use email on. The detection is the same across all of them.

Mobile (iOS and Android). Invoice fraud check on your phone, plus QR code safety scanning for codes you encounter in the physical world. The mobile app catches invoice fraud at the moment of review, before money moves.

Browser (Chrome extension). Blocks scam links in Gmail and across the web. Sits in your browser and inspects URLs before you click them, including links that pass through URL shorteners or redirects.

Desktop (Mac and Windows). Daily protection where you actually work. Integrates with your existing email client and runs Engine 01 analysis on every message that arrives.

API (for AI agents and fintechs). Programmatic access to the Engine 01 detection layer. If you're building an AI agent that handles email on behalf of users, or a fintech that needs to verify incoming payment requests, the API gives you the same detection layer Ṣọ runs internally.

The four surfaces share one detection engine. Whether you check an email on your phone, your browser, or your desktop, the analysis is consistent.

Privacy Architecture

The architecture is straightforward and verifiable:

  • Zero data retention. Email content is processed in seconds and discarded immediately. No logs.
  • Email content never leaked. Nothing leaves Ṣọ servers except the verdict (safe, suspicious, dangerous, unknown) that gets returned to your client.
  • No admin access, no logs. No human at Ṣọ can read your email. There are no admin tools that expose customer content, and no logs are kept that could be subpoenaed or breached.

If you've used email security tools that scan your mailbox for "improvement insights" or train models on customer data, Ṣọ is the architectural opposite. We earn revenue from subscriptions, never from your data.

Ṣọ Shield: The Enterprise Add-On

For organizations that need security coverage beyond email, Ṣọ Shield is the enterprise add-on available now. Four modules:

Surface Scanner. Maps your external attack surface: exposed servers, outdated software, weak spots an attacker would discover during reconnaissance. Tells you what an attacker would find before they look.

Credential Watch. Leaked passwords on the dark web, but at the organizational level. Alerts you before attackers strike based on credential exposures across your domain.

API Sentinel. Scans your APIs for common security flaws (broken authentication, excessive data exposure, injection vulnerabilities). Catches the kind of API weaknesses that get exploited in credential-stuffing and supply-chain attacks.

KYC Guardian. Watches the dark web and Telegram channels for leaked customer ID documents. If your KYC pipeline has been compromised: passport scans, driver's licenses, utility bills: KYC Guardian surfaces the leak before it becomes a regulatory issue.

Shield is for financial services, fintechs, healthcare, legal firms, and any organization with customer data sensitivity beyond email. Reach out at hi@soemailsecurity.com if Shield is relevant.

What's NOT Listed Above

To be honest about scope: Ṣọ is not a SOC. It's not a full XDR platform. It doesn't replace your IT team or your incident response retainer. What it does is cover the inbox layer (Engine 01) and the call layer (Engine 02 pilot) with the same architectural commitment to zero retention and no human access.

If you need network monitoring, endpoint detection, or threat hunting, Ṣọ isn't the right product. If you handle email-based financial decisions and want the inbox layer covered, it is.

How to Start

If you're a freelancer, nonprofit, or small business: install Ṣọ from soemailsecurity.com. Free tier covers core threat detection across mobile, browser, and desktop. No credit card.

If you're evaluating Engine 02 (Call Guard) for executive protection or high-value financial workflows: email hi@soemailsecurity.com to discuss pilot access.

If you need Ṣọ Shield for enterprise-level surface scanning, credential monitoring, API security, or KYC monitoring: email hi@soemailsecurity.com to discuss requirements.

Bottom Line

Two engines. Five Engine 01 detection categories live in production. Three Engine 02 detection categories in pilot. Four surfaces (mobile, browser, desktop, API). One architectural commitment: zero retention, no human access, email content never leaked.

For automated detection at the email layer, install Ṣọ in 2 minutes at soemailsecurity.com.

Encrypted in transit. Processed in seconds. Deleted immediately.