Eradication is the incident-response phase focused on removing the active cause of an incident and closing the foothold it used.
In plain language, it means the organization has moved past the initial stop-the-bleeding phase and is now working to get the active problem out of the environment for good.
Eradication matters because containment does not mean the incident is gone. A compromised account may remain valid, malicious artifacts may still exist, or the same risky access path may still be available unless the organization removes the underlying cause.
It also matters because incomplete cleanup often leads to repeat incidents. If the active cause is not removed, the organization may restore service only to find the same problem returning.
Eradication appears after or alongside Containment in formal incident handling. Teams may remove malicious artifacts, rebuild affected systems, rotate compromised secrets, correct unsafe configurations, and close the access path that enabled the incident.
Security teams use evidence from Indicators of Compromise, Indicators of Attack, endpoint data, and audit records to decide what specifically must be removed or remediated.
| Action | Purpose |
|---|---|
| Remove malware or persistence | Eliminate active malicious presence |
| Rebuild affected systems | Return to a trusted state |
| Rotate credentials and secrets | Close attacker reuse of compromised access |
| Fix exploited weakness | Reduce recurrence through direct remediation |
A server was contained after suspicious activity was observed. During eradication, the organization rebuilds the host from a trusted baseline, rotates credentials that were exposed, removes unsafe access granted during the incident, and verifies that no related persistence remains.
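The actions listed above (remove persistence, rebuild, rotate secrets, close the access path) and the server scenario are easier to reason about when the "verify that no related persistence remains" step is made concrete. The following is an added example, not code from the original page or from any incident-response tool: it models a host snapshot as a plain dictionary of local accounts, authorized SSH keys, crontab lines and sudoers lines (the data model, indicator values, timestamps and host contents are all constructed for illustration), checks a rebuilt host against the indicators gathered during analysis, and checks that every exposed secret has a rotation recorded after the incident began.

```python
"""Eradication verification against incident indicators.

Constructed example: the snapshot format, indicator values and rotation log
below are hypothetical and stand in for what an endpoint agent, identity
system or secrets manager would actually report.
"""
from dataclasses import dataclass, field


@dataclass
class Indicators:
    """What analysis found and what eradication must therefore remove or rotate."""
    accounts: set = field(default_factory=set)              # attacker-created usernames
    ssh_key_fingerprints: set = field(default_factory=set)  # unauthorized authorized_keys entries
    cron_commands: set = field(default_factory=set)         # commands from malicious crontab lines
    sudoers_lines: set = field(default_factory=set)         # unsafe access granted during the incident
    exposed_secrets: set = field(default_factory=set)       # secret identifiers that must be rotated


def _cron_command(line: str) -> str:
    """Extract the command part of a crontab line ('@reboot cmd' or '5 fields cmd')."""
    if line.startswith("@"):
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else line
    parts = line.split(None, 5)
    return parts[5] if len(parts) == 6 else line


def residual_persistence(snapshot: dict, iocs: Indicators) -> list:
    """Return (category, value) pairs for every indicator still present on the host."""
    findings = []
    for user in snapshot.get("accounts", []):
        if user in iocs.accounts:
            findings.append(("account", user))
    for key in snapshot.get("authorized_keys", []):
        if key["fingerprint"] in iocs.ssh_key_fingerprints:
            findings.append(("ssh_key", f'{key["user"]}:{key["fingerprint"]}'))
    for line in snapshot.get("cron", []):
        command = _cron_command(line)
        if command in iocs.cron_commands:
            findings.append(("cron", command))
    for line in snapshot.get("sudoers", []):
        if line in iocs.sudoers_lines:
            findings.append(("sudoers", line))
    return findings


def unrotated_secrets(iocs: Indicators, rotation_log: dict, incident_start: int) -> set:
    """Secrets still considered exposed: no rotation timestamp later than the incident start.

    rotation_log maps secret id -> epoch seconds of its most recent rotation.
    A rotation that predates the incident does not count.
    """
    return {s for s in iocs.exposed_secrets if rotation_log.get(s, 0) <= incident_start}


def eradication_complete(snapshot: dict, iocs: Indicators, rotation_log: dict, incident_start: int) -> bool:
    """True only when no indicator remains on the host and every exposed secret was rotated."""
    return not residual_persistence(snapshot, iocs) and not unrotated_secrets(iocs, rotation_log, incident_start)


# --- constructed sample data (hypothetical values, not real indicators) ---
INCIDENT_START = 1_700_000_000  # epoch seconds, constructed

IOCS = Indicators(
    accounts={"svc_backup2"},
    ssh_key_fingerprints={"SHA256:CONSTRUCTED-FP-1"},
    cron_commands={"/tmp/.x/update.sh"},
    sudoers_lines={"svc_backup2 ALL=(ALL) NOPASSWD: ALL"},
    exposed_secrets={"db-service-password", "deploy-token"},
)

# Host as captured at containment time: attacker artifacts still present.
BEFORE = {
    "accounts": ["root", "deploy", "svc_backup2"],
    "authorized_keys": [
        {"user": "deploy", "fingerprint": "SHA256:CONSTRUCTED-FP-LEGIT"},
        {"user": "root", "fingerprint": "SHA256:CONSTRUCTED-FP-1"},
    ],
    "cron": ["0 2 * * * /usr/local/bin/backup.sh", "*/5 * * * * /tmp/.x/update.sh"],
    "sudoers": [
        "deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app",
        "svc_backup2 ALL=(ALL) NOPASSWD: ALL",
    ],
}

# Same host after rebuild from the trusted baseline.
AFTER = {
    "accounts": ["root", "deploy"],
    "authorized_keys": [{"user": "deploy", "fingerprint": "SHA256:CONSTRUCTED-FP-LEGIT"}],
    "cron": ["0 2 * * * /usr/local/bin/backup.sh"],
    "sudoers": ["deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app"],
}

# db-service-password was last rotated before the incident, so it still counts as exposed.
ROTATION_BEFORE = {"db-service-password": 1_699_000_000}
ROTATION_AFTER = {"db-service-password": 1_700_100_000, "deploy-token": 1_700_100_050}

if __name__ == "__main__":
    print("residual before rebuild:", residual_persistence(BEFORE, IOCS))
    print("complete before:", eradication_complete(BEFORE, IOCS, ROTATION_BEFORE, INCIDENT_START))
    print("complete after:", eradication_complete(AFTER, IOCS, ROTATION_AFTER, INCIDENT_START))
```

The rotation check deliberately compares timestamps rather than asking "was this secret ever rotated": a rotation that happened before the incident window does nothing for a secret the attacker read afterwards, which is a common gap when rotation is tracked as a checkbox rather than a time.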
Eradication is not the same as Containment. Containment limits ongoing damage. Eradication removes the active cause or presence.
It is also different from Recovery, which focuses on safely restoring normal operations after the environment is considered ready to return to service.