An indicator of compromise, or IoC, is a piece of evidence that suggests a system, account, or environment may already have been involved in malicious activity. It matters because defenders use IoCs to detect suspicious events, investigate incidents, and hunt for related signs of compromise.
What is an Indicator of Compromise (IoC)?
IoCs are observable artifacts linked to known or suspected attacks. Common examples include malicious IP addresses, domains, file hashes, registry changes, suspicious processes, unusual authentication patterns, or command-and-control infrastructure.
By themselves, IoCs are not always conclusive proof of compromise, but they can help investigators narrow down likely malicious activity quickly.
Common Indicator of Compromise Examples
Examples include a known malware hash on an endpoint, repeated communication with a malicious domain, a newly created suspicious admin account, or evidence that ransomware tooling executed on a server.
IoC vs. Indicator of Attack
IoCs often point to activity that has already happened or is strongly associated with compromise. Indicators of attack focus more on suspicious behavior patterns that may reveal attacker actions earlier in the attack chain.
Frequently Asked Questions
Are IoCs enough on their own?
Not always. IoCs are more useful when combined with context, telemetry, and analyst judgment so teams can separate real threats from noise.
Why do IoCs age quickly?
Attack infrastructure changes fast. Domains, IPs, file hashes, and delivery methods can be rotated, which means old IoCs may lose value if they are not refreshed.
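The two points above, that an IoC match needs context before it becomes a conclusion and that IoCs lose value unless refreshed, can be shown in a small matcher. The following is an added example, not code from the page: it loads a constructed IoC feed (hypothetical IPs, domain and hash, not real threat data), drops entries older than an assumed 90-day freshness window, matches the remaining IoCs against constructed key=value log lines, and then triages per host so that a single hit is only queued for review while several independent IoC types on one host are rated as a likely compromise. The log field names (dst, qname, sha256, host) are assumptions for the sample format.

```python
import re
from datetime import datetime, timedelta

# Constructed IoC feed: hypothetical values for illustration, not real indicators.
IOC_FEED = [
    {"type": "ip",     "value": "203.0.113.45",         "source": "feed-a", "updated": "2024-05-01"},
    {"type": "domain", "value": "update-check.example", "source": "feed-a", "updated": "2024-05-03"},
    {"type": "sha256", "value": "a" * 64,               "source": "feed-b", "updated": "2024-05-02"},
    # Stale entry: last refreshed months ago, so it will age out below.
    {"type": "ip",     "value": "198.51.100.7",         "source": "feed-b", "updated": "2023-11-20"},
]

# Constructed log lines in a simple key=value style (assumed format, not a real product's output).
LOG_LINES = [
    "ts=2024-05-10T08:01:02Z host=ws-17 event=dns qname=update-check.example",
    "ts=2024-05-10T08:01:05Z host=ws-17 event=net dst=203.0.113.45 dport=443",
    "ts=2024-05-10T08:02:11Z host=ws-17 event=proc sha256=" + "a" * 64 + " image=svchost.exe",
    "ts=2024-05-10T09:00:00Z host=srv-02 event=net dst=198.51.100.7 dport=80",
    "ts=2024-05-10T09:15:30Z host=ws-03 event=net dst=203.0.113.45 dport=443",
    "ts=2024-05-10T10:00:00Z host=ws-03 event=dns qname=intranet.corp.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which log fields carry which IoC type (assumed mapping for the sample format).
FIELD_TYPES = {"dst": "ip", "src": "ip", "qname": "domain", "sha256": "sha256"}


def load_iocs(feed, now, max_age_days=90):
    """Return active IoCs keyed by (type, value); entries not refreshed within max_age_days are dropped."""
    cutoff = now - timedelta(days=max_age_days)
    active = {}
    for rec in feed:
        updated = datetime.strptime(rec["updated"], "%Y-%m-%d")
        if updated < cutoff:
            continue  # stale: an IoC nobody has refreshed is more likely noise than signal
        active[(rec["type"], rec["value"].lower())] = rec["source"]
    return active


def parse_log_line(line):
    """Split a key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def match_logs(lines, iocs):
    """Return one hit per log field whose value is an active IoC."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        for field, ioc_type in FIELD_TYPES.items():
            value = fields.get(field)
            if value is None:
                continue
            key = (ioc_type, value.lower())
            if key in iocs:
                hits.append({"host": fields.get("host"), "ts": fields.get("ts"),
                             "type": ioc_type, "value": value, "source": iocs[key]})
    return hits


def triage(hits):
    """Per host: one IoC type seen -> 'review'; two or more distinct types -> 'likely-compromise'."""
    types_per_host = {}
    for hit in hits:
        types_per_host.setdefault(hit["host"], set()).add(hit["type"])
    return {host: ("likely-compromise" if len(types) >= 2 else "review")
            for host, types in types_per_host.items()}


def run(now=datetime(2024, 5, 10)):
    """Load the feed as of 'now', match the sample logs and triage the hits."""
    iocs = load_iocs(IOC_FEED, now)
    hits = match_logs(LOG_LINES, iocs)
    return iocs, hits, triage(hits)


if __name__ == "__main__":
    active, hits, verdicts = run()
    print(f"{len(active)} active IoCs, {len(hits)} hits")
    for hit in hits:
        print(f"  {hit['ts']} {hit['host']} {hit['type']}={hit['value']} ({hit['source']})")
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
```

Running it flags ws-17 as a likely compromise (domain, IP and hash all match) and ws-03 only for review (one IP match, which could be a shared CDN address). srv-02's contact with the stale IP produces no hit at all, which is the trade-off the question above describes: an aged-out IoC is silent, so a feed has to be refreshed rather than left to expire.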
Related Cybersecurity Terms
- Threat Intelligence
- Security Information and Event Management (SIEM)
- Digital Forensics
- Incident Response