Critical Infrastructure Protection (CIP) against potential threats has become a major issue in modern society. CIP involves a set of multidisciplinary activities and requires the adoption of proper protection mechanisms, usually supervised by centralized monitoring systems. This paper presents the motivation, the working principles and the software architecture of DETECT (DEcision Triggering Event Composer & Tracker), a new framework aimed at the automatic and early detection of threats against critical infrastructures. The framework is based on the fact that non trivial attack scenarios are made up by a set of basic steps which have to be executed in a predictable sequence (with possible variants). Such scenarios are identified during Vulnerability Assessment which is a fundamental phase of the Risk Analysis for critical infrastructures. DETECT operates by performing a model-based logical, spatial and temporal correlation of basic events detected by the sensorial subsystem (possibly including intelligent video-surveillance, wireless sensor networks, etc.). In order to achieve this aim, DETECT is based on a detection engine which is able to reason about heterogeneous data, implementing a centralized application of "data fusion". The framework can be interfaced with or integrated in existing monitoring systems as a decision support tool or even to automatically trigger adequate countermeasures.