Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems by balancing detection coverage against cost and deploying an IDS only when it is needed. The proposed approach relies on often easy to detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly more localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDS systems in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.