eastbaycyber

What Is an IOC?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

An IOC is an observable artifact linked to a suspected or confirmed security incident. Common examples include malicious IP addresses, domains, file hashes, registry changes, unusual process names, or log entries associated with attacker activity.

An IOC, or indicator of compromise, is a piece of evidence that suggests a device, user account, application, or network may have been involved in malicious activity. An IOC is not always proof by itself, but it gives defenders something concrete to search for, monitor, block, or investigate. Common IOCs include malicious IP addresses, suspicious domains, known bad file hashes, unusual registry changes, and other artifacts linked to attacker activity.

How an IOC works

IOCs help defenders move from general suspicion to something they can actually search for. Instead of asking “Are we compromised?” in the abstract, a team can ask “Do we have this hash, domain, IP, filename, or persistence mechanism anywhere in the environment?”

That makes IOCs useful in three main areas:

  1. Detection
  2. Investigation
  3. Threat hunting

Detection

Security tools often use IOCs to trigger alerts. For example, an EDR platform may detect that an endpoint connected to a known malicious domain, or a firewall may flag outbound traffic to an IP address associated with command-and-control infrastructure.

Detection based on IOCs is common because it is relatively straightforward: if a known bad artifact appears, alert on it or block it.

Investigation

During incident response, IOCs help analysts scope the problem. If one compromised host contains a suspicious file hash or scheduled task, the team can search for the same artifact across other endpoints, user accounts, and logs.

This helps answer practical questions such as:

  • Is this isolated or widespread?
  • Which systems were affected?
  • When did the activity start?
  • Did the attacker use the same tools elsewhere?

Threat hunting

Threat hunters use IOCs to proactively search for signs of attacker activity that may not have triggered an obvious alert. For example, if threat intelligence identifies a malicious domain or a specific persistence key, hunters can query logs and endpoints to see whether it exists internally.

For a broader look at proactive searches, see what is threat hunting.

Common types of IOCs

IOCs come in many forms, but most fall into a few broad categories.

Network indicators

These are artifacts seen in network traffic, such as:

  • Malicious IP addresses
  • Suspicious domains
  • Known bad URLs
  • Unusual DNS requests
  • Traffic to command-and-control infrastructure

These indicators are often useful for perimeter controls, DNS monitoring, proxy logs, and network detection tools.

Host-based indicators

These are artifacts on endpoints or servers, including:

  • File hashes
  • Filenames and file paths
  • Registry keys
  • Scheduled tasks
  • Services
  • Process names and command lines
  • Persistence mechanisms

These are especially useful during endpoint triage and forensic review.

Account and identity indicators

Some IOCs relate to user behavior or identity events, such as:

  • Impossible travel logins
  • Repeated failed logins followed by success
  • MFA prompt abuse
  • Logins from unusual devices or geographies
  • Unexpected privilege changes

Not every security team labels these as classic IOCs, but in practice they often serve the same purpose: they are concrete signs that something may be wrong.

Why IOCs matter

IOCs matter because they turn threat intelligence and incident findings into operational checks. If a trusted source says a certain domain, hash, or registry key is associated with malicious behavior, defenders can search for that specific artifact in their own environment.

That makes IOCs valuable for:

  • Faster triage
  • Broader scoping
  • Blocking known bad infrastructure
  • Improving alert fidelity
  • Sharing findings between teams
  • Feeding SIEM, EDR, and SOAR workflows

They are especially useful early in an investigation, when teams need quick ways to confirm whether an issue is present elsewhere.

The limitation of IOC-based detection

The biggest weakness of IOC-based detection is that many indicators are easy for attackers to change.

An adversary can:

  • Register a new domain
  • Use a different IP address
  • Recompile malware to change its hash
  • Rename files and processes
  • Modify scripts and delivery methods

That is why mature teams do not rely only on IOCs. They combine them with behavioral detection, analytics, and context. A known malicious hash is helpful, but patterns like unusual parent-child process relationships, suspicious authentication behavior, or abnormal data movement often survive changes in attacker infrastructure.

This is where people often contrast IOCs with IOAs, or indicators of attack. IOCs focus on artifacts. IOAs focus more on behavior.

For related context, read what is mitre attck.

When you’ll encounter an IOC

You will run into IOCs in most operational security work.

In threat intelligence reports

Threat intel often includes lists of domains, IPs, hashes, filenames, and other artifacts associated with a campaign or malware family. These are usually meant to be searched, blocked, or used in detection content.

In SIEM, EDR, and firewall alerts

Many security products generate alerts based on known indicators. If an alert says a device reached out to a suspicious domain or executed a file matching a malicious hash, you are looking at an IOC-based detection.

During incident response

Analysts regularly extract IOCs from compromised systems and use them to find related activity elsewhere. This helps determine spread, persistence, and impact.

In threat hunting and retrospective searches

When new intelligence becomes available, defenders often run retrospective searches for related indicators across historical logs and endpoint data.

Practical tips for working with IOCs

Using IOCs well usually means more than just loading a list into a tool. Good operational practice often includes:

  • Validating the source and quality of the indicator
  • Adding context such as malware family, campaign, or confidence level
  • Checking whether the IOC is still active or relevant
  • Mapping hits to affected users, hosts, and timelines
  • Pairing IOC matches with behavioral evidence before escalating

If you are reviewing suspicious files on endpoints, an endpoint protection tool such as Malwarebytes can be one useful layer for identifying and removing known malicious artifacts. If the concern is stolen credentials discovered during IOC-driven investigations, a password manager like 1Password can help users move to unique passwords and reduce the impact of password reuse.

Bottom line

An IOC is a tangible clue that points to possible compromise. It helps defenders search, detect, and scope malicious activity using artifacts like IP addresses, hashes, domains, and system changes. Useful as they are, IOCs work best when paired with behavioral analysis and incident context rather than treated as the whole detection strategy.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.