A threat assessment expert system is written provides textual explanation of its conclusion, allows the user to modify--at run-time--the threat assessment tasks performed, and captures these user modifications for knowledge acquisition. The run-time method used to define the constituent elements of a threat situation is outlined in depth. The computer program compares the components of a threat event defined by a knowledgeable user with the dynamic track data base. IF the threat event occurs, a warning is issued to the user. This definition of a threat event is added to the program and thus acts as run-time knowledge acquisition. The matching between the user defined attributes and the corresponding track data is displayed for explanation.