Indicators of Compromise (IOC)


What are Indicators of Compromise (IOC)?

Indicators of Compromise, or IOCs, are pieces of observable evidence that suggest a system, account, application, or network may have been breached or used in malicious activity.

Examples

  • A workstation begins contacting a known malicious domain that has been associated with command-and-control activity.
  • A server shows the unexpected creation of a suspicious scheduled task and a new unknown administrative account.

Discover 🔎

When an attacker compromises a system, the intrusion often leaves traces behind. Those traces may appear in logs, files, network traffic, processes, registry changes, account activity, or other system behavior. Security teams look for those traces because they can reveal that something harmful has already happened.

That is the role of indicators of compromise. An IOC is not the attack itself. It is the evidence the attack leaves behind. The clue may be small, but if it is recognized and connected properly, it can help defenders find malicious activity, scope an incident, and respond before the damage spreads further.
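As an added example (not part of this glossary entry), a small Python matcher that turns the two indicators from the Examples section into something searchable: it scans constructed log lines for a DNS lookup of a known command-and-control domain, a scheduled-task creation, and a newly created account being added to Administrators, and reports hits per host. The domain, host names and the simplified key=value log format are assumptions; the Windows Security event IDs 4698, 4720 and 4732 are the real IDs for those events.

```python
import re
# Constructed indicator set (placeholder domain, not real threat intelligence).
C2_DOMAINS = {"c2-example.invalid"}

# Windows Security event IDs used as indicators (real IDs; the log format is assumed).
EVENT_TASK_CREATED = "4698"     # A scheduled task was created
EVENT_USER_CREATED = "4720"     # A user account was created
EVENT_LOCAL_GROUP_ADD = "4732"  # A member was added to a security-enabled local group

# Constructed sample log lines in a simplified "<timestamp> <source> key=value ..." format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 dns host=WS-42 query=www.example.com",
    "2024-05-01T10:00:07 dns host=WS-42 query=c2-example.invalid",
    "2024-05-01T10:01:30 event host=SRV-07 id=4698 task=Updater user=svc_backup",
    "2024-05-01T10:01:45 event host=SRV-07 id=4720 account=helpdesk2",
    "2024-05-01T10:01:50 event host=SRV-07 id=4732 account=helpdesk2 group=Administrators",
    "2024-05-01T10:02:00 event host=FS-01 id=4720 account=intern3",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split a log line into its source and key=value fields."""
    _ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["_source"] = source
    return fields

def match_iocs(lines, c2_domains=C2_DOMAINS):
    """Return {host: sorted indicator names} for every host with at least one IOC hit.
    A lone account creation (4720) is normal noise; it only becomes the
    "new admin account" indicator when the same host later adds that account
    to Administrators (4732)."""
    hits = {}
    created = set()  # (host, account) pairs seen in a 4720 event
    for fields in map(parse, lines):
        host = fields["host"]
        if fields["_source"] == "dns" and fields["query"] in c2_domains:
            hits.setdefault(host, set()).add("c2_dns_lookup")
        elif fields["_source"] == "event":
            eid, account = fields["id"], fields.get("account")
            if eid == EVENT_TASK_CREATED:
                hits.setdefault(host, set()).add("scheduled_task_created")
            elif eid == EVENT_USER_CREATED:
                created.add((host, account))
            elif (eid == EVENT_LOCAL_GROUP_ADD and fields.get("group") == "Administrators"
                  and (host, account) in created):
                hits.setdefault(host, set()).add("new_admin_account")
    return {host: sorted(names) for host, names in hits.items()}
```

Running `match_iocs(SAMPLE_LOGS)` flags WS-42 for the C2 lookup and SRV-07 for both the scheduled task and the new admin account, while FS-01 (account creation only) stays quiet.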

Remember: An IOC is evidence of suspicious or malicious activity that may already have occurred, not merely a general weakness or risk.

Summary 📝

Indicators of Compromise are observable clues that malicious activity may have taken place. They help defenders identify infected systems, connect related events, and understand the scope of an incident by turning compromise into something searchable and actionable. Their value is high in incident response and threat hunting, but they work best when supported by strong visibility, current intelligence, and good contextual analysis.
