Eradication is the incident-response phase focused on removing malicious presence, closing the immediate cause, and preventing the same active issue from persisting.
Eradication is the incident-response phase focused on removing the malicious presence or immediate cause of the incident. In plain language, it means the organization has moved past the initial stop-the-bleeding (Containment) phase and is now working to get the active problem out of the environment.
Eradication matters because containing an incident does not mean it is gone. A compromised account may remain valid, malicious artifacts may still exist, or the same risky access path may remain available unless the organization removes the root issue.
It also matters because incomplete cleanup often leads to repeat incidents. If the active cause is not removed, the organization may restore service only to find the same problem returning.
Eradication appears after or alongside Containment in formal incident handling. Teams may remove malicious artifacts, rebuild affected systems, rotate compromised secrets, correct unsafe configurations, and close the immediate access path that enabled the incident.
Security teams use evidence from Indicators of Compromise, Indicators of Attack, endpoint data, and audit records to decide what specifically must be removed or remediated.
A server was contained after suspicious activity was observed. During eradication, the organization rebuilds the host from a trusted baseline, rotates credentials that were exposed, removes unsafe access granted during the incident, and verifies that no related persistence remains.
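One way to carry out the verification step in the scenario above, as an added example that is not part of the original page: a Python check that compares what the team decided must be removed (artifacts, persistence, unsafe access, exposed secrets) against a snapshot of the host after cleanup, and reports every action the snapshot does not confirm. All class names, field names and sample values are constructed for illustration, including the incident timestamp used to judge whether a credential rotation happened late enough to count.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed incident start; a secret rotated before this time is still exposed.
INCIDENT_START = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

@dataclass
class EradicationPlan:  # what must be gone, derived from IoCs and audit records
    files: set[str]         # malicious artifacts to delete
    cron_entries: set[str]  # persistence to remove
    accounts: set[str]      # unsafe access granted during the incident
    ssh_keys: set[str]      # attacker-added key fingerprints
    secrets: set[str]       # credentials that must be rotated

@dataclass
class HostSnapshot:  # state observed on the host after cleanup
    files: set[str]
    cron_entries: set[str]
    accounts: set[str]
    ssh_keys: set[str]
    secret_rotated_at: dict[str, datetime]

def eradication_gaps(plan: EradicationPlan, host: HostSnapshot) -> list[tuple[str, str]]:
    """Return (reason, item) for every planned action the snapshot does not confirm."""
    gaps = [("artifact_present", f) for f in sorted(plan.files & host.files)]
    gaps += [("persistence_present", c) for c in sorted(plan.cron_entries & host.cron_entries)]
    gaps += [("access_still_granted", a) for a in sorted(plan.accounts & host.accounts)]
    gaps += [("attacker_key_present", k) for k in sorted(plan.ssh_keys & host.ssh_keys)]
    for s in sorted(plan.secrets):
        rotated = host.secret_rotated_at.get(s)
        if rotated is None or rotated < INCIDENT_START:  # never rotated, or rotated too early
            gaps.append(("secret_not_rotated", s))
    return gaps

# Constructed sample data: the rebuild missed one artifact, one key and one rotation.
SAMPLE_PLAN = EradicationPlan(
    files={"/tmp/.x/agent", "/var/tmp/dropper.sh"}, cron_entries={"* * * * * /tmp/.x/agent"},
    accounts={"svc-backup-tmp"}, ssh_keys={"SHA256:constructed-fingerprint-1"},
    secrets={"db-app-password", "deploy-token"})
SAMPLE_HOST = HostSnapshot(
    files={"/usr/bin/python3", "/var/tmp/dropper.sh"}, cron_entries=set(),
    accounts={"root", "deploy"}, ssh_keys={"SHA256:constructed-fingerprint-1"},
    secret_rotated_at={"db-app-password": datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc),
                       "deploy-token": datetime(2024, 4, 20, 8, 0, tzinfo=timezone.utc)})

if __name__ == "__main__":
    for reason, item in eradication_gaps(SAMPLE_PLAN, SAMPLE_HOST) or [("clean", "-")]:
        print(f"{reason}: {item}")
```

An empty result is the signal that the host is ready to move on to Recovery; any non-empty result sends the team back into eradication for the listed items.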
Eradication is not the same as Containment. Containment limits ongoing damage. Eradication removes the active cause or presence.
It is also different from Recovery, which focuses on safely restoring normal operations after the environment is considered ready to return to service.