SVN-438

Detection and response to security incidents

The objective of an incident detector is to determine, as early as possible, all events and activities that pose a risk to the environment being protected. NESG's work and experience in this area concerns the analysis and modeling of the "normal" behavior of an environment, system or service, so that deviations from it (anomalies) can be identified and used to raise alarms that allow countermeasures to be adopted. Anomaly-based detection is highly promising because, at least from a theoretical point of view, it allows the detection of "intrusive" events (which include malfunctions) that have not previously been observed.

In addition, as a complement directly related to this detection process, NESG is working on the study and development of response mechanisms. These pursue the automatic adoption of countermeasures that resolve the events that caused the detection subsystems to raise alarms. The countermeasures take into account various aspects of the detected events in order to scale appropriately the procedures for interacting with the protected environment, adapting it to resolve, or where appropriate tolerate, the reported events.
