Vulnerability scanners form the proactive component: they draw attention to the weak parts of the system that need extra care before it is too late. They allow a security manager to make trade-offs between performance and residual risk. Apart from registering and interpreting activity on the protected systems in real time -- the framework's active behaviour -- it allows for the automatic invocation of appropriate countermeasures at the time of a perceived break-in attempt -- the system's reactive behaviour. It may even be able to learn from the actions it takes, so as to handle future attacks more effectively.