IDS response: determine the incident, evaluate how to stop it, implement the
response.
Automated response is fast, so it minimizes damage.
Going from known specific attacks to general classes of attacks, and devising effective automated responses for them, remains a challenge.
Gather evidence of the attacker's activities on your system: forensics.
The legal status of counterattacking is murky.
It is difficult to be sure where a remote attack is coming from.
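
The determine / evaluate / implement steps above, together with evidence preservation, as an added Python example that is not part of the original notes. The log lines, the threshold, the block duration and all function names are assumptions made for illustration; the response is a local, time-limited block rather than any action against the apparent source.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log lines (not from the original notes).
SAMPLE_LOG = [
    "2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:02 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:03 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:09 sshd: Accepted password for alice from 198.51.100.4",
    "2024-05-01T10:00:12 sshd: Failed password for bob from 198.51.100.9",
]
FAILED = re.compile(r"Failed password for \S+ from (\S+)$")
THRESHOLD = 3        # assumed policy: failures per source before responding
BLOCK_SECONDS = 600  # temporary block: the logged source may not be the true origin

def detect(lines):
    """Step 1, determine the incident: group failed logins by source address."""
    hits = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            hits[m.group(1)].append(line)
    return {src: ev for src, ev in hits.items() if len(ev) >= THRESHOLD}

def evaluate(src, evidence):
    """Step 2, evaluate how to stop it: choose a contained, reversible response."""
    return {"action": "block", "source": src, "ttl": BLOCK_SECONDS, "failures": len(evidence)}

def preserve(evidence):
    """Forensics: keep the raw lines plus a digest so later tampering is detectable."""
    digest = hashlib.sha256("\n".join(evidence).encode()).hexdigest()
    return {"lines": list(evidence), "sha256": digest}

def respond(lines):
    """Step 3, implement the response: return the actions an enforcer would apply."""
    out = []
    for src, evidence in sorted(detect(lines).items()):
        decision = evaluate(src, evidence)
        decision["evidence"] = preserve(evidence)
        out.append(decision)
    return out

if __name__ == "__main__":
    for action in respond(SAMPLE_LOG):
        print(action["action"], action["source"], action["ttl"], action["evidence"]["sha256"][:16])
```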