Recovery validation
Definition
The verification process that confirms a restored system is clean, correctly configured, and free from residual attacker access. Distinct from eradication, which removes the threat, and from recovery, which restores system state.
Related terms
- Baseline comparison: Comparison of a recovered system's current state, including running processes, network connections, scheduled tasks, and file hashes, against a known-good reference state...
- Extended monitoring window: A defined period of heightened detection sensitivity following recovery, during which security operations maintain increased logging, alert thresholds, and analyst attention. Ends...
- Honeytoken: A synthetic credential, document, or data record placed in a monitored location. Any attempt to use or access the honeytoken is an...
- Recurrence: Re-establishment of attacker access or re-execution of the same attack vector after the prior incident has been eradicated. Recurrence triggers the incident...
- Tripwire: A deliberately placed artefact or detection rule designed to fire only if an attacker returns or residual malware reactivates. Examples include canary...
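The baseline comparison step described above, as an added example that is not part of this glossary page: a small Python routine that compares a recovered host's snapshot (processes, listening sockets, scheduled tasks, file hashes) against a known-good reference and reports what was added, removed or changed in each category, then decides whether the findings block recovery sign-off. The Snapshot and Finding structures, the sign-off policy and both snapshots are assumptions constructed for the illustration; a real collector would fill the same structure from the host's process list, socket table, cron/systemd timers and a hash manifest.

```python
"""Baseline comparison for recovery validation (added illustration).

Both snapshots below are constructed, not collected from a real host.
"""
from dataclasses import dataclass


@dataclass
class Snapshot:
    processes: set        # entries like "name:/path/to/binary"
    listeners: set        # entries like "tcp/22"
    scheduled_tasks: set  # entries like "cron:/etc/cron.d/logrotate"
    file_hashes: dict     # path -> sha256 hex digest


@dataclass
class Finding:
    category: str   # "process", "listener", "scheduled_task", "file"
    kind: str       # "added", "removed", "changed"
    item: str
    detail: str = ""


def compare_sets(category, baseline, current):
    """Report items present in only one of the two sets."""
    findings = [Finding(category, "added", i) for i in sorted(current - baseline)]
    findings += [Finding(category, "removed", i) for i in sorted(baseline - current)]
    return findings


def compare_hashes(baseline, current):
    """Report files that appeared, disappeared or whose digest changed."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(Finding("file", "removed", path))
        elif path not in baseline:
            findings.append(Finding("file", "added", path))
        elif baseline[path] != current[path]:
            findings.append(Finding("file", "changed", path,
                                    f"{baseline[path][:12]} -> {current[path][:12]}"))
    return findings


def compare(baseline, current):
    """Full baseline comparison across all tracked categories."""
    findings = compare_sets("process", baseline.processes, current.processes)
    findings += compare_sets("listener", baseline.listeners, current.listeners)
    findings += compare_sets("scheduled_task", baseline.scheduled_tasks, current.scheduled_tasks)
    findings += compare_hashes(baseline.file_hashes, current.file_hashes)
    return findings


def blocking_findings(findings):
    """Assumed sign-off policy: anything new or altered blocks release;
    a process that is merely not running yet is reported but not blocking,
    while a file that is missing or changed always is."""
    return [f for f in findings
            if f.kind in ("added", "changed") or f.category == "file"]


def validate_recovery(baseline, current):
    """Return (passed, findings): passed is False if any finding blocks sign-off."""
    findings = compare(baseline, current)
    return (len(blocking_findings(findings)) == 0, findings)


# Constructed known-good reference state (hashes are placeholders).
BASELINE_SNAPSHOT = Snapshot(
    processes={"sshd:/usr/sbin/sshd", "nginx:/usr/sbin/nginx", "cron:/usr/sbin/cron"},
    listeners={"tcp/22", "tcp/443"},
    scheduled_tasks={"cron:/etc/cron.d/logrotate"},
    file_hashes={"/usr/bin/ssh": "a" * 64, "/etc/ssh/sshd_config": "b" * 64},
)

# Constructed post-recovery state: cron not yet started (informational),
# an unexpected listener, an extra scheduled task and a modified config file.
CURRENT_SNAPSHOT = Snapshot(
    processes={"sshd:/usr/sbin/sshd", "nginx:/usr/sbin/nginx"},
    listeners={"tcp/22", "tcp/443", "tcp/8081"},
    scheduled_tasks={"cron:/etc/cron.d/logrotate", "cron:/etc/cron.d/update-check"},
    file_hashes={"/usr/bin/ssh": "a" * 64, "/etc/ssh/sshd_config": "c" * 64},
)

if __name__ == "__main__":
    passed, findings = validate_recovery(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    for f in findings:
        print(f"{f.category:15} {f.kind:8} {f.item} {f.detail}")
    print("recovery sign-off:", "PASS" if passed else "BLOCKED")
```

The comparison deliberately reports removals as well as additions: a service that has not come back is a configuration defect even though it is not attacker residue, and a file missing from the manifest can mean a restore from the wrong image. The sign-off policy is where an organisation encodes its own tolerance; the one here is only an assumed starting point.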
Explained in
- Validating Recovery and Monitoring for Recurrence: The verification process that confirms a restored system is clean, correctly configured, and free from residual attacker access. Distinct from eradication, whi...