General FAQs

  • Police CyberAlarm identifies suspicious activity as network traffic which is blocked by the member organisation’s firewall or that is believed to be unwanted, and related activity. This will include activity where the suspect is attempting to scan for vulnerable ports or making repeated attempts to gain access to an organisation’s system using known attack methods.

  • Police CyberAlarm is a monitoring system and as such does not interfere with any of the traffic on your internet gateways.

    Police CyberAlarm does not take any automated action against any identified suspicious activity. It is a reporting and alerting system only, which enables UK Police to identify and take action against cyber threats and allows member organisations to better inform their cyber security posture.

    Responsibility for decisions on how to action any reported data is solely owned by the member organisation.

  • Police CyberAlarm reports summarise suspicious traffic and potential attacks, visible to your organisation, from the Internet. Details include the top sources of suspicious traffic and the ports that malicious users are trying to use for their attacks against your systems.

    The data is split into two categories, suspicious activity originating from within the UK and suspicious activity from outside the UK.

    Police CyberAlarm reports show member organisations how they are being attacked, and where from, so they can better protect themselves. We aim to work with member organisations to ensure they are making the most of the data collected.

  • PCA supports cloud-based firewalls.

  • As Police CyberAlarm does not collect the body of the transmitted data, encrypted data and VPN traffic have no impact on the ability of the Police CyberAlarm system to collect the log data of suspicious traffic.

  • Every organisation or sole trader who processes personal information needs to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt, and is allocated a registration number. Due to the data sharing arrangements involved in utilising Police CyberAlarm, member organisations will be required to register with the Information Commissioner. To confirm that this has been undertaken, we request the ICO registration number of all Police CyberAlarm Members. To find out more about the Information Commissioner’s Office and sign up for an ICO number please visit the ICO Website.

    For more information on why Police CyberAlarm requires an ICO registration number, please contact

Collector FAQs

  • When the Police CyberAlarm collector connects to the Police CyberAlarm servers the software updates itself automatically.

    If updates are required to the operating system of the device the Police CyberAlarm collector runs on, an email is sent to the Member administrator with full instructions.

  • Police CyberAlarm does not require access to any internal networks. It simply needs to be able to receive syslog data and then transmit the filtered suspicious activity data to the PCA servers for analysis. The Data Collector does not require any inbound connection from the internet; it is an outbound-only system, on port 443 and to 1 URL.

Installation FAQs

  • Most recent business PCs are more than capable of independently running a Police CyberAlarm data collector. The most frequently used method is to install the Police CyberAlarm data collector as a VMware virtual appliance.

    (Hardware spec for the appliance - 2 CPU Cores, 2GB RAM and 25GB Disk space)

  • There are two options available for the installation of Police CyberAlarm:

    • VMware Virtual Appliance - simply copy and paste the provided URL into VMware's management console.
    • As a software installation on a Linux device - requires Alma Linux 9.4 Minimal on either a physical or virtual device.

    Full instructions are provided once you receive your code to join Police CyberAlarm.

  • No, Police CyberAlarm is a stand-alone system which sits in its own server environment. The collector gathers log data and encrypts the suspicious activity data from your internet gateway before sending it back to the central Police CyberAlarm processing servers. No software need be installed on any other devices and multiple gateways can feed data to a single Police CyberAlarm collector.

  • The log messages from internet-facing devices are not encrypted. To ensure security, the Police CyberAlarm system installs a small collector on your network. Typically this would be installed within your DMZ to gather log data to identify suspicious and/or malicious traffic. The data is then encrypted and compressed before being securely transmitted to the CyberAlarm central processing servers.

  • Member organisations do NOT require a static IP address. There is no requirement for communication from the Police CyberAlarm server to the Police CyberAlarm Collector and therefore no static IP address is required.

  • Police CyberAlarm can monitor multiple firewall devices via one collector, provided they all belong to the registered organisation named in the member organisation agreement. If you have large volumes of traffic, it may be advised to increase the disk space capacity to accommodate the additional logs. If you have any questions regarding forwarding to one collector from multiple devices, please contact

Vulnerability FAQs

  • When you fill in your registration form you will be able to add any external IP addresses and website URLs, which your organisation owns, for vulnerability scanning. You will then need to select the tick box at the bottom of the registration form to confirm that you would like the scanning. If you are an existing member and have not added any IPs or URLs you will be able to update this by logging into your collector and entering the IP addresses and website URL in the appropriate fields. These are then manually checked for compliance and ownership before being added to the regular monthly scans. Scans are only carried out once a Member Organisation has completed its registration form and is sending suspicious activity logs to the Police CyberAlarm server.

  • Simply log into your collector and enter the revised IP addresses and website URL in the appropriate fields. These will be checked for compliance and ownership before being updated. If you have not yet installed your collector, you can update your information by contacting


Data FAQs

  • Police CyberAlarm collects log data from the existing security systems installed by member organisations, such as firewalls, that you authorise it to collect. These logs contain details of the nature and source of the attempt to transmit data, such as IP address, device, port sought to be accessed, etc., and in relation to email traffic will also include details of the intended recipient, subject and attachment name.

    For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

    The system is designed to protect personal data, trade secrets and intellectual property.

  • Data on the Police CyberAlarm data collector is compressed and encrypted on the collector (256-bit AES), then uploaded to the Police CyberAlarm servers over HTTPS, an encrypted web connection.

  • Logs collected by Police CyberAlarm are analysed by the collector as they are received, to remove any obviously non-malicious logs to ensure that these events are not sent to the central server. Once logs arrive at the central server, they are analysed within minutes (even seconds) of the event being received by the collector to verify that the logs are malicious.

    For example, a log which is a request to connect using port 3389 may be deemed as non-malicious. However, if the data collector correlates that the same IP address made rejected requests to port 3388, 3387, 3386, etc. then this would become part of a potentially malicious port scan.

    Any suspicious activity log which, following further analysis by the central server, is deemed not to be suspicious within a maximum of 24 hours will be removed.

    If a log file which has been deemed as suspicious has no further linked activity within a maximum 6-month period, the relevance of the data is reduced and its retention is no longer considered to be necessary or proportionate, and as such it is deleted.

    For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

  • The data collected by Police CyberAlarm is viewable only by Police. For the purposes of law enforcement, data may be shared with agencies including the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC).

  • Data received by the CyberAlarm server is used to create regular reports on suspicious and potential malicious activity seen by individual members, as well as reporting on threat trends seen across the member network. Members can use this reported intelligence to update their defences to better protect themselves from cyber threats.

    For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

    This data is also used to evaluate and track trends in cybercrime, helping Police to Prepare and Protect Organisations and to Pursue and Prosecute cyber criminals, making the UK secure and resilient to cyber threats, prosperous and confident in the digital world.

  • Once filtered by the Police CyberAlarm collector, only communications data pertaining to suspicious activity will be further analysed and retained and, to the extent that any data is mis-identified, this will not be stored and will be erased as soon as possible. Restrictions will be imposed in relation to the use of data collected to ensure compliance with legal obligations.

    For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.
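
The port 3389 example above describes correlation: one rejected request means little, but rejected requests from the same IP address to 3389, 3388, 3387, 3386 form a potential port scan. The sketch below is an added illustration of that idea, not Police CyberAlarm's own code; the log line format, the addresses, the four-port threshold and the five-minute window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (format and addresses are illustrative).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 action=DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-05-01T10:00:02 action=DENY src=203.0.113.7 dst=198.51.100.10 dport=3388
2024-05-01T10:00:03 action=DENY src=203.0.113.7 dst=198.51.100.10 dport=3387
2024-05-01T10:00:04 action=DENY src=203.0.113.7 dst=198.51.100.10 dport=3386
2024-05-01T10:00:05 action=DENY src=192.0.2.44 dst=198.51.100.10 dport=3389
2024-05-01T10:00:06 action=ALLOW src=192.0.2.80 dst=198.51.100.10 dport=443
this line is malformed and must be skipped
2024-05-01T11:30:00 action=DENY src=192.0.2.44 dst=198.51.100.10 dport=3388
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def find_port_scans(log_text, min_ports=4, window=timedelta(minutes=5)):
    """Return {src_ip: sorted distinct denied ports} for sources that hit
    at least `min_ports` distinct ports within `window` (both assumed values)."""
    denied = defaultdict(list)  # src -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue  # skip malformed lines and permitted traffic
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # unparseable timestamp
        denied[m["src"]].append((ts, int(m["dport"])))

    scans = {}
    for src, events in denied.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans no more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                scans[src] = sorted(set(scans.get(src, [])) | ports)
    return scans

if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOGS).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The single rejected request to port 3389 from 192.0.2.44 is not reported on its own, and its second request 90 minutes later falls outside the window, so only 203.0.113.7 is flagged.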