This talk addresses the challenges Critical National Infrastructures (CNIs) face during on-going adversarial campaigns as they could cause physical damaged and even threaten life. Defenders struggle to keep CNIs operational (albeit at reduced capacity) whilst they try to wipe attackers out of their systems. By monitoring network telemetry, we will explore how we can identify in near-real-time different ways a campaign could escalate to an unsafe state and place the minimum mitigations required to keep CNIs operational.