Eradication

Removing the threat and all traces of the attacker from the environment.

Eradication removes the threat and the attacker’s foothold after containment. It must address root cause and every persistence mechanism — backdoors, scheduled tasks, new accounts, web shells, modified services — not just the obvious malware. Skip it and the attacker simply returns through the same door, which is why rebuilding from known-good images often beats trying to clean a compromised host.
