Indicators of Compromise (IOC)

Security+ 🏆 • Security Operations 🛡️ • Threats ⚠️ Difficulty: free

Definition

Indicators of Compromise are observable clues that suggest a system or network may have been breached. IOCs can include suspicious files, hashes, domains, IP addresses, registry changes, log patterns, or other evidence that points to malicious activity.

Examples

  • A SOC blocks a domain after threat intel reports it is used for malware command and control, then searches endpoint logs for connections to it.
  • An analyst finds a suspicious scheduled task and an unknown executable in a temp folder, both matching known ransomware behavior.
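As an added example (not part of the original lesson), here is a small IOC sweep in the spirit of the first scenario above: a set of indicators is matched as whole tokens against endpoint log lines and the affected hosts are listed for follow-up. All indicator values, hostnames and log lines are constructed placeholders, not real threat intelligence.

```python
import re
from collections import defaultdict

# Constructed IOC set keyed by indicator type. These values are
# placeholders for this example, not real threat-intel indicators.
IOCS = {
    "domain": {"updates-cdn-example.test"},
    "ip": {"203.0.113.45"},
    "sha256": {"a" * 64},
}

# Constructed endpoint log lines in proxy, firewall and EDR style.
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy host=WS-17 dst=updates-cdn-example.test:443 action=allow",
    "2024-05-01T10:02:12Z fw host=WS-17 dst_ip=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:03:40Z edr host=WS-17 file=C:\\Users\\Public\\svc.exe sha256=" + "A" * 64,
    "2024-05-01T10:04:00Z proxy host=WS-09 dst=intranet.corp.example:80 action=allow",
]

# Tokens are runs of hostname/hash characters; matching whole tokens (not
# substrings) avoids false hits such as "notupdates-cdn-example.test".
TOKEN_RE = re.compile(r"[A-Za-z0-9._-]+")
HOST_RE = re.compile(r"\bhost=(\S+)")

def normalize(token):
    """Lower-case and strip a trailing dot so FQDN and hash case variants match."""
    return token.lower().rstrip(".")

def sweep(lines, iocs):
    """Return {(kind, indicator): [(line_no, host), ...]} for every IOC hit."""
    hits = defaultdict(list)
    for line_no, line in enumerate(lines, start=1):
        host_match = HOST_RE.search(line)
        host = host_match.group(1) if host_match else "unknown"
        # De-duplicate tokens per line so a repeated value counts once.
        for token in set(normalize(t) for t in TOKEN_RE.findall(line)):
            for kind, values in iocs.items():
                if token in values:
                    hits[(kind, token)].append((line_no, host))
    return dict(hits)

def affected_hosts(hits):
    """Hosts with at least one IOC hit, for scoping the investigation."""
    return sorted({host for entries in hits.values() for _, host in entries})

if __name__ == "__main__":
    found = sweep(LOG_LINES, IOCS)
    for (kind, indicator), entries in sorted(found.items()):
        print(f"{kind:7} {indicator}: lines {[n for n, _ in entries]}")
    print("hosts to triage:", affected_hosts(found))
```

A hit here is a lead for the analyst, not a verdict: the matched lines and hosts are what gets pulled for closer investigation.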

Discover 🔎

Security teams rarely catch every attack at the exact moment it begins. More often, they notice evidence that something is wrong and then work backwards and outwards to understand scope. Indicators of Compromise are that evidence. They are the breadcrumbs attackers leave behind, sometimes accidentally, sometimes because a system records it. Knowing how to use IOCs helps you move from suspicion to confirmed detection and containment.

Remember: An IOC is a clue, not proof on its own. The goal is to use IOCs to guide investigation and find the underlying attacker activity.