D8 · CySA+

What is recovery in incident response?

Recovery restores affected systems to normal operation safely: verifying that they are clean and monitoring for signs of reinfection before considering the incident closed.
Don't rush recovery; verify that eradication is complete first. Reimage from known-good images when possible (don't trust cleaned systems for critical assets). Monitor closely for 30 days post-recovery. Validate that the controls that should have prevented the incident are now in place.