What Is an Indicator of Compromise?
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
An indicator of compromise, or IOC, is a piece of evidence that suggests a system, user account, email, or network may have been involved in malicious activity. In practice, an indicator of compromise helps defenders recognize known signs of intrusion, malware, phishing, credential abuse, or attacker presence so they can investigate and respond faster.
If you are learning the basics of detection and response, it also helps to compare IOCs with what is siem and what is incident response, since IOCs are often used inside both workflows.
IOC definition
An IOC is not the breach itself. It is a trace, artifact, or observable that points to something suspicious or confirmed malicious.
Security teams collect IOCs from:
- Incident investigations
- Threat intelligence reporting
- Malware analysis
- Phishing reports
- Endpoint alerts
- Network telemetry
- Forensic review
They then use those indicators to search for related activity elsewhere in the environment.
Common examples of IOCs
Common IOC types include:
- Malicious IP addresses
- Known phishing or malware domains
- File hashes tied to malware samples
- Suspicious URLs
- Registry keys or persistence locations
- Process names and command-line patterns
- Email sender addresses or subjects linked to attacks
- Unusual user-agent strings
- Scheduled tasks, services, or startup items created by malware
Some IOCs are very specific, like the hash of a known malicious executable. Others are weaker and need additional context before they are useful.
How IOCs work in practice
A practical IOC workflow usually follows a few steps.
Evidence is found during an event or investigation
A user reports a phishing email, an endpoint tool detects malware, or a responder analyzes a compromised host. During that work, the team identifies concrete details tied to the activity, such as:
- A domain used to host a fake login page
- A hash of a malicious file
- An IP address contacted by infected systems
- A filename dropped into a temp folder
- A persistence method used after compromise
Those details become candidate IOCs.
The IOC is validated
Not every suspicious artifact is worth operationalizing. Analysts usually ask:
- Is this actually tied to malicious activity?
- Could it create too many false positives?
- Is it specific enough to search or block safely?
- Does it represent a one-off artifact or a broader pattern?
For example, a confirmed malware file hash is often a strong IOC. A common process name on its own usually is not.
The IOC is used for detection, blocking, or hunting
Once validated, the IOC can be used in several ways:
- Added to endpoint or email security tools
- Queried in a SIEM or log platform
- Used in threat hunts across hosts, proxies, DNS, or identity logs
- Shared with incident response teams
- Added to blocklists or detection rules
If one workstation contacted a known malicious domain, defenders will usually check whether other devices reached the same domain, resolved it via DNS, or downloaded related payloads.
The IOC helps scope the incident
IOCs are especially useful during response because they help answer questions like:
- How many systems were affected?
- Which users interacted with the threat?
- When did the activity begin?
- Did the attacker reuse the same infrastructure elsewhere?
- Is the threat contained or still active?
That makes IOCs valuable not just for alerting, but also for incident scoping and follow-up investigation.
Why IOCs matter
IOCs matter because they are concrete and actionable. A malicious hash, domain, or IP address can often be searched quickly and acted on fast.
That makes IOC-based workflows useful for:
- Rapid triage
- Early containment
- Retrospective searching
- Threat hunting
- Detection improvement
- Sharing threat information between teams
For many teams, IOCs are one of the fastest ways to move from “something looks wrong” to “here is what to search for now.”
Limits of IOC-based detection
IOC-based detection is useful, but it has real limits.
- Attackers can rotate domains and IPs quickly
- Malware can be recompiled to produce new hashes
- Some artifacts are too generic to be reliable
- A clean IOC search does not prove no compromise occurred
- Advanced intrusions may leave fewer stable indicators
That is why mature detection programs do not rely on IOCs alone. They combine them with behavior-based detections, context, and analyst review.
When you will encounter IOCs
You will most often encounter the term IOC in detection, response, and threat intelligence work.
Incident response
During an active investigation, responders extract IOCs from compromised systems and use them to find related activity across the environment. This is one of the fastest ways to expand or narrow incident scope.
Threat intelligence reporting
Security teams often receive intelligence bulletins that list malicious domains, IPs, hashes, filenames, or email patterns associated with a threat actor or campaign. These are commonly delivered as IOCs for defenders to operationalize.
Threat hunting
Threat hunters use IOCs as starting points to search historical logs and endpoint data. If a newly identified phishing domain appears in reporting, the team may query DNS, proxy, email, and browser logs to see whether anyone in the environment touched it.
Security monitoring and alerting
SIEM, EDR, email security, firewall, DNS, and proxy tools frequently alert when they match known IOCs. These alerts are often high-value, especially when combined with local context like asset criticality or user privilege.
Post-incident lessons learned
After an incident, organizations often preserve and share IOCs internally so teams can improve detections, tune controls, and watch for recurring patterns.
IOC vs related terms
Indicator of attack
An indicator of attack, or IOA, focuses on behavior or technique rather than a specific artifact. Where an IOC might be a malicious file hash, an IOA might be suspicious credential dumping behavior.
TTPs
Tactics, techniques, and procedures describe how an attacker operates. TTPs are usually more durable than individual IOCs because attackers can swap infrastructure more easily than they can completely change how they work.
Forensic artifact
A forensic artifact is a technical trace left on a system or in logs. Some forensic artifacts become IOCs when they are tied to confirmed malicious activity.
Detection rule
A detection rule in a SIEM, EDR, IDS, or other platform looks for suspicious conditions. Some rules rely on IOCs, while others use behavioral logic or a mix of both.
YARA and Sigma
YARA is often used for malware and file matching. Sigma is used to describe log-based detection logic. Both can include IOC-like elements depending on the use case.
Practical advice for smaller teams
For smaller organizations, IOCs are often consumed through managed services, security tooling, or incident response support rather than built entirely in-house. That is normal. What matters is having enough visibility to search and act on them.
Basic security hygiene also reduces the chance that IOC-driven investigations start with preventable issues. Using a password manager like 1Password can reduce account reuse risk, and endpoint protection such as Malwarebytes can help detect malware activity that later produces useful IOCs.
Bottom line
An indicator of compromise is evidence that something malicious may have touched your environment. IOCs are useful for detection, hunting, and incident scoping because they give defenders concrete things to search, block, and investigate. But they are only one part of the picture. Strong security teams use IOCs to move quickly, then add behavior, context, and deeper analysis to understand what really happened.