
Sean Scott
SecuLore’s Chief Technology Officer
If you were trying to put out a kitchen fire, a standard fire extinguisher would get the job done.
But you wouldn’t count on a fire extinguisher to put out an entire house fire, or a raging forest fire. The extinguisher is a tool meant to put out fires, but it’s not going to get the job done at the scale and speed required by an escalated threat.
The same logic applies to cybersecurity in PSAPs (public safety answering points), ECCs (emergency communications centers) and 911 centers.
Standard, traditional cybersecurity solutions will eventually recognize a cyber-attack and give you tools and methods to stop it and recover.
In a 911 center, that “standard” detection and response time is catastrophic FAILURE.
Traditional tools are built for “business hours.”
In a PSAP, an attack at 2:00 AM on a Sunday doesn’t just lose data. It stops the ability to dispatch life-saving help.
Put simply, initial access and reconnaissance happen quickly and quietly; the damage arrives all at once afterward.
If you can’t identify a cyber attack at minute 1, you can’t stop it by minute 10.
The Blind Spot: Why Agent-Based EDR Fails in 911
A large portion of mainstream tools rely on Endpoint Detection and Response (EDR), a solution that continuously monitors end-user devices to detect and respond to threats by recording the activity that happens on each endpoint (device).
The “Agent” Problem
While these devices can be monitored for unusual activity, EDR is an agent-based solution: every endpoint needs an “agent” installed on it that reports back to a central analysis system, which inspects the recorded activity and traffic to decide whether there is a legitimate threat.
This works for a fleet of corporate laptops, but PSAPs are different.
Agent-based tooling also carries a risk of its own. In July 2024 a faulty content update to the CrowdStrike Falcon agent crashed Windows hosts worldwide; because the affected machines could no longer boot normally, the fix could not simply be pushed remotely and many systems had to be repaired by hand. Roughly 8.5 million devices were affected, including systems at airports, financial institutions and government agencies.
Why EDR is Blind to 911 Hardware
Your PSAP relies on specialized hardware: radio consoles, 911 call controllers and legacy CAD (computer-aided dispatch) workstations. Installing third-party agents on them often voids the manufacturer’s warranty or risks crashing the system, which is exactly why many manufacturers forbid third-party security agents outright.
Because mainstream tools can’t “see” what they can’t install an agent on, your most critical life-safety equipment becomes a massive blind spot.
If your security tool can’t “see” your radio console because it won’t take an agent, that device becomes a wide-open gateway for lateral movement.
Alert Fatigue vs. CyberShapes™: Stopping the “Spike” Bias
Traditional tools monitor traffic volume. When they see a spike, they alert.
The issue with that is 911 centers are naturally spiky. A mass-casualty event or local disaster creates a surge in legitimate traffic.
Traditional tools either:
1. Trigger a false positive, feeding “alert fatigue” (62% of security alerts are ignored by overwhelmed IT staff), or
2. Are tuned down so far that they miss actual TDoS (Telephony Denial of Service) attacks.
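The distinction the list above draws can be made concrete. The following Python is an added example, not code from SecuLore or the CyberShapes™ product: the call records are constructed, the quiet-hour baseline is assumed, and the features it keys on (caller diversity and call duration) are illustrative assumptions about what separates a legitimate surge from a TDoS flood. It runs a volume-only rule and a shape-aware rule over the same two one-minute windows.

```python
"""Volume-only vs. shape-aware alerting on a 911 trunk.

Added illustration: the call records below are constructed, and the rules
are a teaching sketch, not SecuLore's CyberShapes logic.
"""
from collections import Counter
from statistics import median

BASELINE_CALLS_PER_MIN = 5   # assumed quiet-hour baseline for the trunk


def surge_window():
    """Constructed 60-second window during a legitimate mass-casualty event:
    30 calls from 30 different numbers, conversations lasting 45-135 seconds.
    Each record is (seconds_into_window, caller_number, duration_seconds)."""
    return [(i * 2, f"555-01{i:02d}", 45 + (i * 7) % 90) for i in range(30)]


def tdos_window():
    """Constructed 60-second TDoS window: the same 30 calls, but from three
    spoofed numbers, each call dropping after 2-4 seconds."""
    return [(i * 2, f"555-09{i % 3:02d}", 2 + i % 3) for i in range(30)]


def volume_alert(calls, baseline=BASELINE_CALLS_PER_MIN, factor=3):
    """The traditional rule: alert whenever volume exceeds N x baseline.
    It fires on both windows above, so the real surge is a false positive."""
    return len(calls) > baseline * factor


def shape_features(calls):
    """Summarise the shape of the traffic rather than just its size."""
    callers = Counter(number for _, number, _ in calls)
    return {
        "calls": len(calls),
        # Fraction of calls that came from distinct numbers (1.0 = all unique).
        "distinct_ratio": len(callers) / len(calls),
        # Share of calls placed by the single busiest number.
        "top_caller_share": callers.most_common(1)[0][1] / len(calls),
        "median_duration_s": median(duration for _, _, duration in calls),
    }


def shape_alert(calls, baseline=BASELINE_CALLS_PER_MIN, factor=3):
    """Alert only when high volume arrives with a TDoS-like shape: few
    distinct callers and abnormally short calls. A genuine surge has many
    distinct callers and normal-length conversations, so it passes."""
    f = shape_features(calls)
    if f["calls"] <= baseline * factor:
        return False
    return f["distinct_ratio"] < 0.3 and f["median_duration_s"] < 10


if __name__ == "__main__":
    for label, window in (("surge", surge_window()), ("tdos", tdos_window())):
        print(label, "volume_alert:", volume_alert(window),
              "shape_alert:", shape_alert(window), shape_features(window))
```

Both windows carry six times the baseline volume, so the volume rule alerts on both; only the TDoS window has a distinct-caller ratio of 0.1 and a median call length of 3 seconds, so the shape rule alerts on it alone. The caveat a practitioner will spot: an attacker who randomizes caller IDs defeats the diversity feature, so production shaping has to draw on more than these two signals. The point the example makes is narrower: volume on its own cannot tell the two windows apart.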
In addition, these attacks often don’t start inside the PSAP, so tooling that only watches the PSAP may miss the threat entirely or record an incomplete, inaccurate picture of it.
The Cost of “Good Enough” Cybersecurity
For a City or County CIO, the risk isn’t just operational; it’s financial.
When an attack hits, it rarely stays in the “office” network.
Data from the Public Safety Threat Alliance (PSTA) shows that 83% of attacks that impacted CAD systems actually began on adjacent municipal or law enforcement networks. If your city’s general IT tools miss the “bleed over,” your dispatchers are forced to “go to paper”—a scenario that endangers lives and costs millions to remediate.
70% of breached organizations report “significant or very significant” disruption to operations.
The “Business Hours” SOC Problem
A cyberattack at 3:00 AM on a Sunday is just as deadly as one at Noon.
911 is a 24/7/365 operation; your cybersecurity must be too.
Standard Managed Service Providers (MSPs) often have “on-call” rotations or general SOCs that don’t understand public safety protocols.
That puts standard MSPs and PSAPs at odds. To serve their communities and mission, public safety and other critical networks run systems that must be “always on.” That same requirement makes them more exposed: any outage or downtime costs not only money but the ability to deliver life-saving services.
Traditional cybersecurity solutions aren’t “always on” the way public safety systems are, and they aren’t watching your networks with the continuous attention that purpose-built solutions bring to that kind of demand and responsibility.
Case Study Integration: The Human Expertise Factor
Two bytes of data sent to a defunct domain from a client’s server might not look like a big red flag. Under normal conditions, a request for a defunct domain should simply return an error.
A standard MSP or cybersecurity solution might never flag it, let alone escalate it for investigation.
But when SOC analysts are trained to understand the critical nature of public safety networks and use purpose-built tools for those networks, that intuition and experience make all the difference.
This specific threat came from an advanced persistent threat (APT) group known to target county infrastructure.
A SecuLore SOC analyst acting on that small, unassuming red flag was the difference between a threat that could have traversed critical networks and one that was stopped quickly.
This case study illustrates the value of purpose-built cybersecurity tools paired with human SOC analysts trained to recognize threats on public safety and critical networks.
The SecuLore Difference
Mainstream tools are built for offices. SecuLore is purpose-built to protect the 911 community. Don’t wait until minute 10 to realize your tools are blind.
Respond when every second makes the difference between devastating downtime and serving the mission.
CyberSight™ uses agentless, passive monitoring via deep packet inspection. It sees the “unmanaged” devices (IoT, radio, CAD) that agent-based tools never see.
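The blind spot described under “Why EDR is Blind to 911 Hardware” and the passive-monitoring answer to it can be shown end to end. The following Python is an added example, not SecuLore or CyberSight™ code: the agent inventory, the site address range and the flow records are all constructed, and it starts from already-parsed flow summaries rather than performing the deep packet inspection that would produce them. It lists every host seen on the wire, subtracts the hosts the agent console knows about, and then picks out connections the agentless hosts open to managed ones on remote-admin ports.

```python
"""Passive asset discovery from observed traffic: who is on the wire that
the agent console has never heard of?

Added illustration. The inventory, site range and flow records are
constructed; a real deployment would derive the flows from a tap or SPAN
feed by deep packet inspection, which this sketch skips.
"""
import ipaddress

SITE = ipaddress.ip_network("10.0.0.0/16")   # assumed PSAP address space

# Constructed: hosts the EDR console knows about because they run an agent.
AGENT_INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}

# Constructed flow summaries: (src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 445, "tcp", 5200),   # dispatcher PC -> file share
    ("10.0.1.12", "8.8.8.8", 53, "udp", 80),        # CAD workstation DNS lookup
    ("10.0.2.50", "10.0.2.51", 5060, "udp", 1200),  # radio console -> call controller (SIP)
    ("10.0.2.50", "10.0.1.10", 3389, "tcp", 900),   # radio console -> dispatcher PC (RDP)
    ("10.0.2.51", "10.0.1.12", 445, "tcp", 300),    # call controller -> CAD workstation (SMB)
]

# Ports where an inbound connection from an unexpected host suggests lateral movement.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


def passive_inventory(flows, site=SITE):
    """Every local host seen on the wire, mapped to the services it was seen
    answering on. A device needs no agent to appear here; it only has to talk.
    Addresses outside the site range (e.g. public DNS) are left out."""
    hosts = {}
    for src, dst, port, proto, _ in flows:
        if ipaddress.ip_address(src) in site:
            hosts.setdefault(src, set())          # clients count even if they serve nothing
        if ipaddress.ip_address(dst) in site:
            hosts.setdefault(dst, set()).add(f"{proto}/{port}")
    return hosts


def unmanaged_hosts(flows, inventory=AGENT_INVENTORY, site=SITE):
    """Hosts on the wire that the agent-based tool cannot see."""
    return sorted(h for h in passive_inventory(flows, site) if h not in inventory)


def lateral_from_unmanaged(flows, inventory=AGENT_INVENTORY):
    """Connections an agentless host opens to a managed host on an admin
    port: the 'gateway for lateral movement' that agent-only visibility misses."""
    return [
        f for f in flows
        if f[0] not in inventory and f[1] in inventory and f[2] in ADMIN_PORTS
    ]


if __name__ == "__main__":
    inventory = passive_inventory(FLOWS)
    for host in unmanaged_hosts(FLOWS):
        print("unmanaged host:", host, "serving:", sorted(inventory[host]) or "-")
    for f in lateral_from_unmanaged(FLOWS):
        print("unmanaged -> managed admin port:", f)
```

Run against the constructed flows, the radio console (10.0.2.50) and call controller (10.0.2.51) appear only through passive observation, and two of their connections land on managed hosts over RDP and SMB. An agent console with only the three inventoried hosts would report those sessions, if at all, as inbound traffic from addresses it has no record of.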
Is Your 911 Center “Invisible” to Your Tools?
Source References & Fact Check
[1.1] KnowBe4/Sophos (2024): State/local government recovery costs doubled to $2.83M.
[1.2] Varonis (2025): Average ransomware breakout time and attack acceleration statistics.
[3.4] CISA/KY 911 Board: Guidance on why TDoS and CAD-specific threats require specialized monitoring.
[4.2/4.3] SentinelOne/DTEX: Technical trade-offs of agent vs. agentless security in critical infrastructure.
[5.3] IBM Cost of a Data Breach (2024): 70% of organizations suffer significant operational disruption.
[6.1] TotalAssure (2025): Global ransomware frequency data (every 3.2 seconds).

