
Eradication

Definition

The phase in which the root cause of an incident is removed from the environment: deleting malware, patching the exploited vulnerabilities, revoking compromised credentials, and removing unauthorised accounts and persistence mechanisms (scheduled tasks, services, injected keys, backdoors). Eradication follows containment and precedes recovery. It is complete only when the root cause, including the initial access vector, has been removed from every affected system; if a single host or the entry point is missed, the attacker can re-establish a foothold as soon as recovery begins.
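
The following is an added example, not part of the glossary page or of any real IR tool: a small Python gate that checks whether the eradication phase is actually finished before recovery is allowed to start. It compares a constructed set of root-cause indicators (a malware hash, a planted cron line, an unauthorised account, an unpatched package) against constructed per-host snapshots. All hashes, hostnames, account names and package names are made up for illustration; the snapshot field names are this example's own schema, not a standard one.

```python
"""Eradication verification gate (added example; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IoCSet:
    """Root-cause artefacts that eradication must remove from every affected host."""
    file_hashes: frozenset          # SHA-256 of malware binaries
    persistence: frozenset          # cron/systemd/Run-key lines planted by the attacker
    accounts: frozenset             # unauthorised or compromised accounts
    vulnerable_packages: dict       # package -> first version that fixes the exploited bug


@dataclass
class HostSnapshot:
    """What a post-eradication sweep observed on one host (constructed schema)."""
    name: str
    file_hashes: set
    persistence_entries: set
    accounts: set
    packages: dict                  # package -> installed version


def version_tuple(v: str) -> tuple:
    """Compare dotted versions numerically so '1.9.3' < '2.0.0'."""
    return tuple(int(x) for x in v.split("."))


def residual_indicators(host: HostSnapshot, iocs: IoCSet) -> list:
    """Return every root-cause indicator still present on this host."""
    findings = []
    for h in sorted(host.file_hashes & iocs.file_hashes):
        findings.append(f"malware still present: {h[:12]}...")
    for p in sorted(host.persistence_entries & iocs.persistence):
        findings.append(f"persistence still present: {p}")
    for a in sorted(host.accounts & iocs.accounts):
        findings.append(f"account still present: {a}")
    for pkg, fixed in iocs.vulnerable_packages.items():
        installed = host.packages.get(pkg)
        if installed is not None and version_tuple(installed) < version_tuple(fixed):
            findings.append(f"unpatched: {pkg} {installed} < {fixed}")
    return findings


def eradication_gate(hosts: list, iocs: IoCSet) -> tuple:
    """Recovery may start only when no affected host carries any residual indicator.

    Returns (ready, report) where report maps host name -> list of residual findings.
    """
    report = {h.name: residual_indicators(h, iocs) for h in hosts}
    ready = all(not findings for findings in report.values())
    return ready, report


# Constructed indicators for a hypothetical incident (not real IoCs).
IOCS = IoCSet(
    file_hashes=frozenset({"0f1e2d3c" * 8}),
    persistence=frozenset({"@reboot root /var/tmp/.cache/sync.sh"}),
    accounts=frozenset({"svc-backup2"}),
    vulnerable_packages={"acme-webapp": "2.0.0"},
)

# Constructed post-eradication snapshots: web01 is clean, web02 had its malware
# deleted but the cron persistence was missed, db01 still has the rogue account
# and an unpatched package.
HOSTS = [
    HostSnapshot("web01", set(), {"0 3 * * * root /usr/sbin/logrotate"},
                 {"root", "www-data"}, {"acme-webapp": "2.0.1"}),
    HostSnapshot("web02", set(), {"@reboot root /var/tmp/.cache/sync.sh"},
                 {"root", "www-data"}, {"acme-webapp": "2.0.0"}),
    HostSnapshot("db01", set(), set(),
                 {"root", "postgres", "svc-backup2"}, {"acme-webapp": "1.9.3"}),
]


if __name__ == "__main__":
    ready, report = eradication_gate(HOSTS, IOCS)
    for name, findings in report.items():
        print(name, "CLEAN" if not findings else "; ".join(findings))
    print("proceed to recovery:", ready)
```

The point of the gate is the edge case it catches on web02: deleting the binary is not eradication if the persistence entry that re-downloads it survives. Credential revocation is not visible in a host snapshot and would be checked against the identity provider separately.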

Related terms

Containment strategy
A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
After-Action Report (AAR)
The formal document produced during Lessons Learned that records the incident timeline, decisions made, outcomes, and recommended improvements. The AAR drives updates...
Incident declaration
The formal decision, made during the Identification stage, that a detected event meets the organisation's criteria for a security incident. Declaration triggers...
Incident response lifecycle
The structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity....
Incident response plan
A formal document that defines an organisation's approach to incident handling: roles and responsibilities, escalation paths, communication procedures, legal and regulatory obligations,...
Indicators of compromise (IoCs)
Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious...
Lessons-learned meeting
A structured post-incident review, recommended by NIST within approximately two weeks of incident resolution, that examines what happened, what the response did...
NIST SP 800-61
The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and...
PICERL
Acronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stage...

Explained in these topics

  • The NIST SP 800-61 Incident Response Lifecycle
    The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised cr...
  • The SANS PICERL Model
    The stage in which the root cause of the incident, including malware, backdoors, and the initial access vector, is removed from every affected system. Eradicat...
