Root cause analysis (RCA) identifies the fundamental reason for a security incident — going beyond symptoms to fix the underlying vulnerability or process failure.
"5 Whys" technique: ask "why" five times to reach the root cause. RCA prevents recurrence. Handling the incident alone = patching one system. RCA = fixing the class of vulnerabilities. A post-incident review should always include RCA.