Welcome to Police CyberAlarm
Helping organisations monitor and report the malicious activity they face from the Internet

Helping organisations monitor and report the malicious activity they face from the Internet
Police CyberAlarm is a free tool to help members understand and monitor malicious cyber activity. This service is made up of two parts; monitoring and vulnerability scanning.
Police CyberAlarm acts as a “CCTV camera” monitoring the traffic seen by a member’s connection to the internet. It will detect and provide regular reports of suspected malicious activity, enabling organisations to minimise their vulnerabilities. The data collected by the system does not contain any content of the traffic. The system is designed to protect personal data, trade secrets and intellectual property.
Members of Police CyberAlarm will become part of the wider UK cyber defence network, sharing collected data with Police for analysis at local, regional and national levels to identify trends, react to emerging threats and identify, pursue and prosecute cyber criminals.
Vulnerability Scanning can be added and used to scan an organisations website and external IP addresses, providing regular reports of all known vulnerabilities.
Police CyberAlarm members install a CyberAlarm Virtual Server on their premises which will be used to collect and process traffic logs from their firewall/internet gateway. Police CyberAlarm Virtual Server is easy to install using the downloadable virtual appliance, offering one-click installation.
Once a CyberAlarm Virtual Server has been installed it will securely collect, analyse and feed data back to the Police CyberAlarm Server. The data sent only includes metadata (logs) from internet facing gateways and devices such as External Firewalls.
Data received by the Police CyberAlarm Server is then used to create regular reports on potential malicious activity seen by individual members as well as reports containing threat trends seen across the member network. Members can then use this reported intelligence to update their defences to better protect themselves from cyber threats.
Finally, this data is also used by the Police Cybercrime Units to enhance the UK cyber crime threat picture, enabling them to identify, pursue and prosecute cyber criminals.
Members of Police CyberAlarm receive weekly or monthly reports detailing activity discovered on their devices. This report provides details of potential attacks for further investigation and also enables member organisations to minimise their vulnerabilities.
Police CyberAlarm data is used to provide feeds detailing the latest threats discovered giving Member organisations the ability to update blacklists and other security measures to include new IP addresses and other relevant information to strengthen security.
Police CyberAlarm Vulnerability Scanning can be used to scan an organisations website and external IP addresses for known vulnerabilities. These regular reports can help increase an organisations cyber security, helping protect from known suspicious activity.
The report we receive from the Police CyberAlarm has been invaluable, not only are we able to block IP’s attempting malicious attacks, it also helps inform our Board of Directors of the scale of the problem in a non-technical way. This ensures that resources within the business can be directed proportionately and appropriately.
Police CyberAlarm was implemented with ease and provides essential proactive intelligence of external cyber security threats. With the regular reporting received from Police CyberAlarm, we are now equipped to secure against any new vulnerabilities as they are detected.
There are two options available for the installation of Police CyberAlarm;
Full instructions are provided once you receive your code to join Police CyberAlarm.
Police CyberAlarm collects metadata (logs) relating to the suspicious activity from internet facing gateways such as Firewalls. They are simply logs about how data was sent/received through your internet gateway (IP Addresses for external connections, amount of data transferred and the port used to process the data, date and time).
For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.
These messages do not contain any of your organisation’s data. The system is designed to protect personal data, trade secrets and intellectual property.
Police CyberAlarm identifies suspicious activity as network traffic which is blocked by the member organisations firewall or that is believed to be unwanted. This will include activity where the suspect is attempting to scan for vulnerable ports or making repeated attempts to gain access to an organisation’s system using known attack methods.
The data collected by Police CyberAlarm is viewable only by Police and may be shared with other law enforcement agencies including the NCA (National Crime Agency) and partners including the NCSC (National Cyber Security Centre).
Data received by the CyberAlarm sever is used to create regular reports on suspicious and potential malicious activity seen by individual members, as well as reports identifying threat trends seen across the member network. Members can use this reported intelligence to update their defences to better protect themselves from cyber threats.
For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.
This data is also used to evaluate and track trends in cybercrime. Helping Police to; Prepare and Protect Organisations, Pursue and Prosecute cyber criminals. Making the UK secure and resilient to cyber threats, prosperous and confident in the digital world.
Only communications data pertaining to suspicious activity will be collected and, to the extent that any data is mis-identified, this will not be stored and will be erased as soon as possible. Restrictions will be imposed in relation to the use of data collected to ensure compliance with legal obligations.
For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.
Police CyberAlarm reports summarise suspicious traffic and potential attacks, visible to your organisation, from the Internet. Details include the top sources of suspicious traffic and the ports that malicious users are trying to use for their attacks against your systems.
The data is split into two categories, suspicious activity originating from within the UK and suspicious activity from outside the UK.
Police CyberAlarm reports show member organisations how they are being attacked, and where from, so they can better protect themselves. We aim to work with member organisations to ensure they are making the most of the data collected.
Logs collected by Police CyberAlarm are analysed by the collector as they are received, to remove any obviously non-malicious logs, these events are not sent to the central server. Once logs arrive at the central server, they are analysed within minutes (even seconds) of the event being received by the collector to determine if these logs are malicious.
For example, a log which is a request to connect using port 3389 may be deemed as non-malicious. However, if the central server correlates that the same IP address made rejected requests to port 3388, 3387, 3386, etc. then this would become part of a potentially malicious port scan.
Any log which, following analysis, at both the CyberAlarm Virtual Server and the Central Server is still deemed to be non-malicious within a maximum of 24 hours (system up time) within arrival at the Central Server will be removed.
If a log file which has been deemed as suspicious has no further linked activity within a 9 month period the relevance of the data is reduced and its retention is no longer considered to be necessary or proportionate and as such is deleted.
For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.
The log messages from internet facing devices are not encrypted. To ensure security Police CyberAlarm system installs a small collector on your network. Typically this would be installed within your DMZ to gather the data from suspicious and /or malicious traffic. The data is then encrypted and compressed before being securely transmitted to the CyberAlarm central processing servers.
No, Police CyberAlarm is a stand-alone system which sits in its own server environment. The collector gathers and encrypts the suspicious data from your internet gateway before sending it back to the central Police CyberAlarm processing servers. No software need be installed on any other devices and multiple gateways can feed data to a single Police CyberAlarm collector.
As Police CyberAlarm does not collect the any of the transmitted data, encrypted data and VPN traffic has no impact on the ability of the Police CyberAlarm system to collect the Metadata of suspicious traffic.
Police CyberAlarm is a monitoring system and as such does not interfere with any of the traffic on your internet gateways.
Police CyberAlarm does not take any automated action against any identified suspicious activity. It is a reporting and alerting system only, which enables UK Police to identify and take action against cyber threats and allows member organisation to better inform their cyber security posture.
Responsibility for decisions on how to action any reported data is solely owned by the member organisation.
If you would like to become part of Police CyberAlarm and start recieving regular security updates and reports to help you and others gain a better understanding of current threats, then register here
This website stores data such as cookies to enable site functionality, more details can be found in our Privacy Policy and our Cookie Policy. By using this website, you agree to allow us to handle your data as set out in these policies.