Indicator of Compromise (IOC)
An indicator of compromise (IOC) is a piece of forensic evidence — such as a malicious file hash, IP address, domain name, registry key, or file path — that signals a system may have been breached or is actively under attack, used by…
Definition
An indicator of compromise (IOC) is a piece of forensic evidence — such as a malicious file hash, IP address, domain name, registry key, or file path — that signals a system may have been breached or is actively under attack, used by security teams to detect and respond to intrusions.
Overview
Indicators of compromise are the artifacts left behind by an attack, functioning like digital fingerprints that security teams can search for across their environment or share with others to help detect the same threat elsewhere. IOCs span a wide range of technical types: network-based indicators like malicious IP addresses, domain names, or URLs associated with command-and-control infrastructure; file-based indicators like cryptographic hashes (MD5, SHA-256) uniquely identifying known malicious files; host-based indicators like specific registry keys, file paths, or process names created by malware; and behavioral indicators such as unusual login patterns or process execution chains that don't map to a single artifact but to a pattern of activity. IOCs are typically discovered during incident response investigations, malware analysis, or threat intelligence research, and are then codified into structured formats (such as STIX/TAXII) so they can be shared across organizations and ingested automatically by security tools like SIEMs, endpoint detection and response (EDR) platforms, and firewalls. This sharing is a cornerstone of collective defense: when one organization identifies IOCs from an attack, publishing them helps other organizations detect or block the same threat before it reaches them. A key limitation of IOCs is that they are inherently reactive and historical — they describe evidence of a specific, already-known attack, and sophisticated attackers can trivially change file hashes, rotate domains, or alter infrastructure to evade static IOC matching. This has driven the security industry toward complementary approaches like indicators of attack (IOAs), which focus on the sequence of attacker behavior and intent (such as the technique of dumping credentials) rather than the exact artifacts used, since behavioral patterns are much harder for attackers to change than a single file hash or IP address. Despite this limitation, IOCs remain a foundational and widely used tool in security operations because they are fast to search for, easy to automate, and effective against less sophisticated or reused attack infrastructure, especially when combined with behavioral detection for more advanced threats.
Key Concepts
- Forensic artifacts signaling a system has been or is being compromised
- Spans network, file, host, and behavioral indicator types
- Common examples include malicious file hashes, IPs, domains, and registry keys
- Codified in structured sharing formats like STIX/TAXII for automated ingestion
- Ingested by SIEM, EDR, and firewall tools to detect known threats
- Central to collective defense through cross-organization threat intelligence sharing
- Inherently reactive, describing evidence of already-known attacks
- Complemented by indicators of attack (IOAs) focused on behavior over artifacts