Root Cause Analysis
RCA is the structured investigation done after an incident to identify the underlying cause, not just the visible symptoms. IR teams conduct RCA during post-incident review to answer why the breach was possible and what systemic fix prevents a repeat. It matters because patching one compromised server without fixing the root cause invites the same attack next month.