Comprehensive and Detailed Explanation From Exact Extract:
Root cause analysis (RCA) is a post-incident activity focused on identifying the underlying cause of an incident/problem so the organization can fix the real cause (not just symptoms) and prevent recurrence. That matches Option B, which describes tracing the origin and eliminating it permanently.
The Sybex CySA+ Study Guide defines RCA in exactly this way:
Exact extract (Sybex Study Guide):
“The process of root cause analysis (RCA) is used to identify why a problem, incident, or issue occurred. Root cause analysis is performed to allow organizations to understand what they need to focus on to prevent future problems…”
The Secbay Press guide also defines RCA as uncovering underlying causes to prevent recurrence:
Exact extract (Secbay Press):
“Root Cause Analysis (RCA)… is a systematic investigation process aimed at identifying the fundamental factors that led to a security incident. It goes beyond addressing symptoms and seeks to uncover the underlying causes to prevent recurrence.”
Why the other options are wrong:
A (TTPs): That describes attacker behavior frameworks (e.g., MITRE ATT&CK), not RCA.
C (who/what/when/where/why): That’s an incident reporting structure, not the RCA process.
D (ongoing activities report): That resembles status reporting/incident updates, not root cause determination.
References (CompTIA CySA+ CS0-003 documents / study guides used):
Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): RCA identifies why an incident occurred and helps prevent recurrence
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): RCA goes beyond symptoms to uncover underlying causes and prevent recurrence
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): “who/what/when/where/why” belongs to incident reporting context