← Home

Analyst Field Guide · Revision 1

Root Cause
Analysis

How to drive an incident or recurring failure back to the condition that allowed it — and prove you got there. Built for security analysts; the methods apply to any high-impact problem.

Use for incidents · repeat alerts · near-misses Goal stop recurrence, not silence the alert Output evidenced root cause + owned actions

A root cause is the origin that, if corrected, stops the problem recurring. Not the symptom you saw. Not the first plausible answer. In security, that almost always means the control failure or access path that let an event happen — never the malware or the alert itself. You are not finished when the problem is fixed; you are finished when you can name what allowed it and have closed that.

01

The Cause Taxonomy

Every RCA failure traces to confusing these four layers. Learn to name which one you are looking at.

SYMPTOM What you observe — alert, outage, ransom note PROXIMATE CAUSE The immediate trigger — service exploited, disk filled CONTRIBUTING FACTOR Helped it happen — no MFA, no alerting ROOT CAUSE The origin — no policy/control requiring it. Fix here = prevention. DIG DOWN
Stopping above the bottom band fixes this instance only; the problem returns.
The cardinal error

Eradicating the symptom (the malware, the alert) while leaving the root cause (the access vector) open — so the intrusion returns next week with a new payload.

02

When to Run RCA

RCA has a real time cost. Spend it where recurrence or impact justifies it; run a normal fix everywhere else.

Problem resolved or open High-impact, recurring, or an incident? Would a quick fix just mask it? Standard fix — no RCA RUN RCA use this guide YES NO YES NO
Run it for incidents, repeat alerts, near-misses, control failures. Skip it for one-off trivial tickets.
03

The RCA Lifecycle

Seven phases, with a loop: new evidence sends you back, never forward on a guess.

Defineproblem Collect+preserve Identifyfactors Sequence& map Findroot ActCAPA Verify& hold if unresolved → return to evidence, never guess forward
Phases 1–4 are diagnosis · 5 is the root · 6–7 are closure.
04

Phase 1 · The Problem Statement

The methods only work on good inputs. A vague statement produces a vague cause. Write one or two factual sentences — no cause guessed yet — covering what, where, when, scope, and impact.

WeakField-ready
"The server keeps going down.""WEB-03 returned HTTP 503 for 40 min, 2 Jun 14:10–14:50 UTC; ~2,000 sessions affected."
"We got hacked.""An external IP authenticated to the VPN with a valid employee credential at 14:10 UTC and queried the customer DB; scope under investigation."
Template

[What] occurred on [system] during [timeframe], affecting [scope]. Impact: [measurable effect]. Detected by [source].

Sharpen it · IS / IS-NOT (Kepner-Tregoe)

Pin the problem down four ways, and state what it is not. The boundary between IS and IS-NOT exposes the distinguishing factor — usually a change.

DimensionISIS-NOTPoints to
What503s on WEB-03WEB-01 / WEB-02something specific to WEB-03
WhereEU regionUS regiona region-scoped change
Whensince 14:10, 2 Junbefore the 14:00 deploythe deploy as a suspect
Extent~2,000 sessionsnot 100% of traffica partial / conditional cause

Illustrative values.

05

Phase 2 · Evidence & Timeline

Before reasoning about why, establish what happened, in order, from evidence: logs, metrics, change records, access records, alerts. Tag every entry by confidence.

confirmed observed here, evidence attached   suspected consistent, unproven — state what would confirm   theoretical possible, not tied to this case

Security — preserve before you probe

Logging in, rebooting, or re-imaging alters state. Capture volatile and forensic evidence before remediation, and record exactly what you ran and when. A help-desk cleanup can destroy the evidence the analysis depends on.

The event chain

For incidents the timeline is much of the analysis. At each event ask two things: what caused it, and what control should have caught it and didn't. Each gap is a candidate root cause.

14:02phishingemail lands 14:05user enterscredential 14:10attackerlogs in 14:25DB queried 14:50data exfil ✕ email filtermissed it ✕ no MFAto block login ✕ no egressmonitoring each ✕ = a control that should have broken the chain — a candidate root cause
Illustrative chain. Trace to the earliest point a control would have stopped everything downstream.
06

Modes of Reasoning

Every method below is one of three reasoning modes in disguise. Knowing which mode you're in tells you what a step can and cannot prove — and most RCA failures are a guess (abduction) that never got tested (deduction).

Abductive effect → best cause surprising observation leap best hypothesis GENERATE first Why · fishbone Deductive cause → necessary effect if cause is X… …we must see Y TEST · falsify forward-logic · removal test Inductive cases → general rule case case case general pattern PATTERN Pareto · trends
RCA in motion: abduce candidates → deduce what each predicts → check evidence → induce patterns across incidents.

Abductive · inference to the best explanation

From a surprising observation, propose the cause that would best explain it. This is hypothesis generation — the first "why", every bone on a fishbone. Fast, but the "best" explanation is often merely the most familiar; hand its output to deduction.

Deductive · from a rule to a necessary consequence

"If the root cause is X, then we must observe Y." You derive a prediction the evidence has to satisfy, then check it. This is hypothesis testing — the forward-logic and removal tests. It can falsify a wrong candidate outright.

Inductive · from cases to a pattern

Generalize across many incidents: "these 40 all involved an unpatched internet-facing service." This is what Pareto and trend analysis do. A pattern is not proof of cause — correlation isn't causation, and one new case can break the rule. Confirm with deduction.

Also useful · analogical

Reasoning from a similar past incident is fast but carries the solution-context fallacy: the prior context may differ. Treat the analogy as a source of hypotheses, not an answer.

07

Method · The 5 Whys

The workhorse for drilling a single thread. Take a confirmed fact and ask "why" repeatedly, each answer becoming the next question, until you reach a systemic, controllable cause. "Five" is a guide, not a quota.

How to run it

  1. Start from a confirmed symptom or proximate cause, not a guess.
  2. Ask why it happened; answer from evidence. Can't evidence it? Mark suspected and verify before continuing.
  3. Make the next "why" interrogate that answer.
  4. Branch when a "why" has more than one valid answer — pursue each. Real failures rarely run on one thread.
  5. Stop when the cause is systemic, within your control, and its correction prevents recurrence.
Unauthorized access to customer data Attacker used a valid employee login Credential phished; no second factor Phishing email reached the inboxfilter rule gap MFA not enforced on the portalleft optional ROOT · no maintainedinbound-filter baseline ROOT · no policy/controlrequiring MFA on internet-facing svc WHY branches
Illustrative. The chain does not stop at "the user clicked" — a click is a contributing factor; the missing controls are the roots.

Rules that keep it honest

Where it fails

Interacting or parallel causes (it is single-thread by nature) and chains that are plausible but unevidenced. Switch to a fishbone or fault tree when the cause isn't a single line.

08

Method · Fishbone (Ishikawa)

Use when you don't yet know which direction to drill. It surfaces candidates across categories so you don't tunnel on the first idea.

Unauthorized DB access People Process Technology Configuration Data External phishing click no MFA policy filter gap portal misconfig no DB egress logs attacker campaign
IT/security category set: People · Process · Technology · Configuration · Data · External (adapts the classic 6 M's).
  1. Write the effect at the head; draw the spine.
  2. Add a branch per category; brainstorm candidate causes onto each, adding sub-bones with "why".
  3. Mark which candidates have evidence and which are speculative.
Critical caveat

A fishbone produces hypotheses, not conclusions. After building it you must test each surviving candidate against the timeline and discard what the facts don't support. "It's on the diagram" is not "it's a cause." Then drill the survivors with 5 Whys or a fault tree.

09

Method · Fault Tree Analysis

Use when the failure required several conditions to coincide — common in security. Top-down and logic-based; it makes AND vs OR explicit, which is what reveals your highest-leverage fix.

TOP EVENTDB data exfiltrated AND Service reachablefrom internet Auth bypassed No egress controldata leaves freely OR phished cred · no MFA unpatched CVE
Circles = basic events (candidate roots). Under an AND gate, breaking any one input stops the top event — that's where leverage is highest.
  1. Put the undesired outcome (the "top event") at the top.
  2. Work down: connect contributing events with OR (any one suffices) or AND (all required) gates.
  3. Decompose to basic events you can't or needn't break further — your candidate roots.
  4. Read the minimal cut sets: the smallest sets of basic events that together cause the top event. A single basic event under chained ORs is a single point of failure — fix first.
10

Method · Pareto

Use when you have many incidents and must decide which cause to attack first. It tells you which root to pursue, not what it is — pair it with a 5 Whys on the top bars.

80% no MFA unpatched misconfig phishing insider other the few red bars left of the 80% line drive most incidents — start there
Illustrative. Categorize incidents by cause, sort descending, plot cumulative %, fix the vital few.
11

Method · Change & Barrier Analysis

Two focused techniques worth keeping in the kit.

Change Analysis

When something worked yesterday and failed today, the cause is usually a change. Compare the failure state against a known-good baseline and list every difference — deployments, config edits, patches, new accounts, network changes. Each difference is a suspect. This is the fastest route for "it was fine until…" problems and pairs directly with change/version records.

Barrier Analysis

Model the defenses (barriers) that should have stopped the harm and identify which were missing, bypassed, or failed. In security terms: each control between the threat and the asset is a barrier; the analysis maps which ones the event passed through untouched. The failed/absent barriers are candidate roots — and the list of barriers that held is your honest statement of residual defense.

12

Models · Swiss Cheese & Bowtie

Two models for reasoning about layered defenses — they explain why incidents need several failures at once, and where each control sits.

The Swiss Cheese Model (Reason)

Each defensive layer has holes — latent weaknesses and active failures. Defense-in-depth works because the holes rarely line up. An incident is the moment they do, letting a hazard pass clean through every layer.

threat incident filter MFA EDR egress holes (control gaps) momentarily aligned — the threat passes through every layer
Implication: an incident means every layer was holed — look for a contributing factor at each layer, not one cause. Each slice is a barrier (pairs with Barrier Analysis).

Bowtie Analysis

A fault tree and an event tree joined at a central top event. Left: threats pass through preventive controls toward the event. Right: from the event, mitigative controls limit the consequences. It shows, for one hazard, both how it happens and how its impact is contained — and exactly which control sits where.

TOP EVENT data breach Phishing Exploit Stolen credential Data loss Regulatory fine PREVENTIVE controls MITIGATIVE controls
Each barrier is testable: present? effective? The bowtie is the clearest way to show control coverage to non-analysts.
13

Choosing a Method

SituationReach forWhy
Cause is a clear single thread5 WhysFast linear drill
Direction unclear, need breadthFishboneGenerates candidates without tunneling
Several conditions had to coincideFault TreeMakes AND/OR and cut sets explicit
Many recurring incidentsParetoPrioritizes the vital few
"Worked yesterday, broke today"Change AnalysisIsolates the introduced difference
Asking which defense failedBarrier AnalysisMaps missing/bypassed controls
Any incidentTimeline firstOrder and control-gaps carry the meaning

They chain, they aren't alternatives: statement + timeline → fishbone to enumerate → narrow to evidenced candidates → 5 Whys / fault tree to drill → validate → act.

The proactive sibling · FMEA

RCA is reactive: it analyzes a failure that already happened. FMEA (Failure Mode & Effects Analysis) is its forward-looking counterpart — enumerate how a system could fail, score each mode by severity × occurrence × detectability (the RPN), and fix the high scorers before they bite. Use FMEA in design and hardening; use RCA after an event.

14

Confirming the Root Cause

Run every candidate through these five tests. Fail one and you stopped too early.

TestQuestionFail means
RemovalIf corrected, would the problem recur?Still recurs → not the root
ControlCan you actually influence it?"Human nature", "it rained" → go up to the controllable factor
Forward-logicDoes the chain read "X, therefore Y" without leaps?A leap → chain is wrong
SubstitutionWould a different competent person in the same system hit it?Yes → systemic, not the individual
Multiple-rootConfirmed there isn't a parallel cause?Unchecked → likely incomplete
Root cause confirmed when

It survives all five tests, is evidenced, and is within your power to fix. The substitution test is also what keeps the analysis blameless.

Caution · "the" root cause is sometimes a fiction

Simple, linear failures usually have a findable root. Complex system failures often do not — they emerge from many interacting contributing factors, and naming a single "root cause" can be a hindsight simplification that ends the analysis too early. This is contested: the systems-safety view (Reason, Dekker, Cook) holds that complex failures rarely have one cause. Practical rule: for a linear fault, find and fix the root; for a complex incident, enumerate the contributing factors and fix the set — report them honestly rather than forcing a single root.

15

From Cause to Action (CAPA)

Each confirmed root cause earns two actions:

Every action carries an owner, a date, the resources needed, and the risk of the action itself. For preventive/hardening actions, state the threat model they assume — a defense is only evaluable against a defined adversary.

Closure rule

A root cause with no owned, dated, verified action is documentation, not analysis. RCA is done when recurrence stops — confirmed in monitoring — not when the report ships.

16

Writing the Report

SectionContents
Problem statementOne precise paragraph: what, scope, impact, timeframe.
TimelineKey events in order with evidence refs; for incidents, the attack/event chain.
Root cause(s)Stated plainly, distinguished from contributing factors. For a breach, name the control failure.
Contributing factorsConditions that made it possible or worse.
Corrective actionsImmediate fixes / eradication — owner, date.
Preventive actionsSystemic changes — owner, date, assumed threat model.
Residual / out-of-scope riskWhat remains after the actions.
VerificationHow each action will be confirmed effective.
17

Running the Session & Measuring the Program

Running the session

Measuring the program

So RCA doesn't become write-only:

MetricWhat it tells you
Recurrence rateSame root cause reappearing — the primary signal RCA is working.
% incidents with verified actionsWhether findings become closed, confirmed fixes — not just identified ones.
Action closure timeWhether fixes ship before the next occurrence.
Read these honestly

They measure process health, not security. A low recurrence rate is not evidence the environment is secure.

18

Security-Specific Discipline

Just Culture · making "blameless" actionable

Blameless does not mean no accountability; it means the response fits the behaviour. Distinguish three:

BehaviourExampleResponse
Human errorslipped, misread, fat-fingeredconsole; fix the system that made the error easy and consequential
At-risktook an unsafe shortcut, risk not perceivedcoach; remove the incentive that made the shortcut look reasonable
Recklessconscious disregard of a substantial known riskaccountability / discipline

Only conscious recklessness warrants discipline; treating ordinary error punitively destroys the honest reporting RCA depends on. These are management responses — keep them separate from the technical cause analysis.

19

Anti-Patterns

20

Quick-Reference Card

RCA in one screen

The flow

Statement → preserve evidence + timeline → enumerate (fishbone) → narrow to evidenced → drill (5 Whys / fault tree) → validate (5 tests) → CAPA → verify it holds.


Pick a method

  • Single thread → 5 Whys
  • Unclear, need breadth → Fishbone
  • Conditions combine → Fault Tree (AND/OR, cut sets)
  • Many incidents → Pareto
  • "Broke today" → Change Analysis
  • Which defense failed → Barrier Analysis

The five confirmation tests

Removal · Control · Forward-logic · Substitution · Multiple-root.


Security non-negotiables

  • Root = control/access failure, not the malware.
  • Preserve evidence before you remediate.
  • Blameless: fix the process, not the person.
  • Tier evidence; never promote suspected to confirmed.
  • Never say "secure now" — state residual risk + threat model.

Reasoning modes

Abduce (generate) → Deduce (test/falsify) → Induce (find patterns). A guess you never tested isn't a root cause.


Defense models

Swiss Cheese — holes align across layers; find a factor at each. Bowtie — preventive controls left of the event, mitigative right.

Methods shown — 5 Whys, Ishikawa/fishbone, Fault Tree Analysis, Pareto, timeline/event sequencing, Change Analysis, Barrier Analysis — are established, widely documented techniques; the process here is synthesized from them and from the source notes (Root Cause Analysis — ProjectManager / Peter Landau). All worked examples and chart values are illustrative, not real incidents or measured data. Framework- and compliance-specific identifiers (e.g. ATT&CK technique IDs, control numbers) are intentionally omitted — verify and cite your organization's currently adopted revision before mapping findings to one, as identifiers change between revisions.