In incident response, which action is used to remove the root cause of an incident?

Prepare for the Security Operations Exam with targeted practice questions. Enhance your understanding with detailed explanations and tips to successfully pass your exam!

Multiple Choice

In incident response, which action is used to remove the root cause of an incident?

Explanation:
Remediation focuses on removing the underlying weakness that allowed the incident to occur, so the issue won’t happen again. This involves fixing the actual vulnerability or misconfiguration, applying patches, changing insecure configurations, updating access controls, revoking or strengthening credentials, and implementing new processes or controls to prevent recurrence. Containment stops the incident from spreading by isolating affected systems, but it doesn’t fix the underlying flaw. Recovery aims to bring operations back to normal after containment, often by restoring systems and data, yet it doesn’t eliminate the root cause itself. Reimaging cleans a compromised machine, removing visible malware from that host, but it may skip broader fixes needed to prevent a repeat across the environment.

