What is the difference between eradication and recovery?

Eradication removes the adversary's presence and persistence. Recovery restores systems and operations to normal. Skipping eradication and going straight to recovery is the most common reason for re-infection.

How is eradication validated?

Through confirmation that known persistence is removed, hunting for residual indicators, rebuild from known-good images, credential rotation across affected and dependent systems, and verification that detection content is in place to catch re-entry.

Why do programs skip eradication?

Pressure to restore operations quickly, lack of skilled responders, and the difficulty of scoping the full footprint. Skipping eradication is one of the most common reasons for repeated breach by the same actor: the original backdoors remain in place after recovery.

Eradication - NIST 800-61 Incident Response Phase

Q: What is the eradication phase in incident response?

Eradication is the NIST SP 800-61 phase in which the adversary's persistence mechanisms, malware, accounts, and access methods are removed from affected systems. It follows containment and precedes recovery.

Q: Can eradication be done in place?

Sometimes, for narrow-scope compromises with well-understood persistence. For most modern intrusions, full eradication on a compromised endpoint requires a rebuild from known-good images. Active Directory or identity compromise often requires forest-level remediation.

Eradication is the NIST SP 800-61 incident response phase in which the adversary's persistence mechanisms, malware, accounts, and access methods are removed from affected systems. Eradication follows containment and precedes recovery; it is distinct from both. Immature programs frequently skip directly from containment to recovery without proper eradication, which is one of the most common reasons for re-infection.

Source: NIST SP 800-61 Rev. 3, MITRE D3FEND Evict tactic.

What Eradication Removes

Malware and adversary tools on affected systems
Adversary-created accounts, including service accounts and OAuth applications
Modified credentials (passwords, keys, tokens, secrets)
Persistence mechanisms (scheduled tasks, services, registry keys, startup folders, BIOS or firmware implants)
Adversary network footholds (VPN sessions, RMM tools, reverse shells, backdoors)
Adversary-modified configurations (firewall rules, IAM policies, conditional access exceptions)

Eradication Strategies

For most modern intrusions, full eradication on a compromised endpoint requires a rebuild from known-good images rather than cleanup in place. Cleanup-in-place is acceptable only for narrow-scope compromises with well-understood persistence and verified removal. For Active Directory or identity-provider compromise, eradication often requires forest-level remediation or migration to a new tenant.

Eradication Validation

Eradication is not complete until validated. Validation includes:

Confirmation that all known persistence mechanisms have been removed
Hunting for residual indicators across the environment (not just the affected systems)
Re-imaging or rebuilding compromised systems from known-good images
Credential rotation across affected and dependent systems
Verification that detection content for the observed TTPs is in place to catch re-entry

Run eradication with full validation

IR-OS supports eradication workflows, validation checklists, and the defensible record that proves the adversary is gone.

Start free

Eradication - NIST 800-61 Incident Response Phase

What Eradication Removes

Eradication Strategies

Eradication Validation

Related Terms

Run eradication with full validation