Identify the incident response step in which an incident handler removes the root cause of a security incident.

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

The phase of incident response where the incident handler removes the root cause of a security incident is known as eradication. This step is crucial because simply containing an incident does not eliminate the underlying threat that caused it. During the eradication phase, the incident handler identifies and eliminates any vulnerabilities, malware, or threats associated with the incident. This might involve actions such as patching software, removing malicious files, and adjusting configurations to prevent the same incident from happening again. The focus is on taking comprehensive measures to ensure that the root cause is addressed, mitigating the risk of recurrence and restoring the integrity of the affected systems.

In contrast, containment focuses on limiting the impact of the incident and preventing its spread, while detection involves recognizing that an incident has occurred. The recovery phase follows eradication and involves restoring systems to normal operations and verifying that they are functioning securely. Each of these phases serves a distinct purpose, but eradication is the one specifically dedicated to addressing and eliminating the root cause.
