
IOC vs IOA: What's the Difference?

IOCs and IOAs are both detection signals, but they work very differently. Learn the difference between indicators of compromise and indicators of attack, with examples.

Two of the most important — and most confused — terms in threat detection are IOC (indicator of compromise) and IOA (indicator of attack). They're both signals defenders use to catch malicious activity, but they work in fundamentally different ways: an IOC tells you an attack already happened, while an IOA tells you an attack is happening. Understanding the distinction is key to building detection that's both fast and resilient.

The short version: IOCs are reactive and artifact-based; IOAs are proactive and behavior-based. Strong programs use both.

What is an IOC?

An indicator of compromise is a piece of forensic evidence that a system has been breached — a known-bad IP address, domain, URL, file hash, or registry key. IOCs are typically extracted from past attacks: when researchers analyze malware, they publish the IOCs so everyone can check their own environment for the same artifacts.

Strengths: IOCs are concrete, machine-readable and easy to act on. You can feed a list of malicious hashes into your tools and block them instantly. Weaknesses: they are reactive (they describe something already seen) and perishable (attackers rotate infrastructure constantly), and they can't catch a brand-new attack the world hasn't documented yet.

What is an IOA?

An indicator of attack focuses on the behavior and intent of an attack as it unfolds, regardless of the specific tools used. Rather than asking "have I seen this exact file before?", an IOA asks "is this sequence of actions what an attacker would do?"

For example, the behavior of "a Word document spawning PowerShell, which downloads and runs a payload, which then attempts to access credential stores" is an IOA. It describes a malicious pattern — and it triggers even if the attacker uses a brand-new file with a hash no one has ever seen. IOAs map closely to adversary TTPs and the MITRE ATT&CK framework.

Strengths: IOAs are proactive, catch novel and fileless attacks, and are far harder for attackers to evade. Weaknesses: they are more complex to develop and tune, and they generate more false positives than exact-match indicators unless they are calibrated against the environment's normal baseline.

A concrete comparison

Imagine a ransomware attack:

  • IOC view: "The ransomware binary has this SHA-256 hash, and it contacts these three C2 domains." — useful for blocking this variant, but the next build will have a different hash.
  • IOA view: "A process is rapidly enumerating and encrypting files across many directories while deleting shadow copies." — catches the behavior of ransomware regardless of which family or build it is.

The IOC catches the known; the IOA catches the unknown.
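The ransomware comparison above, worked through in code as an added example (this is not code from the original article; the telemetry, the placeholder hash and the `.invalid` C2 domains are all constructed). The IOC path is an exact-match lookup of a process hash and DNS queries against a published feed; the IOA path looks at what a process does: deleting shadow copies and then writing many files across many directories inside a short window. Rebuilding the binary with a fresh hash and new domains evades the IOC check but not the behavioral one, while a backup job that writes just as many files without touching shadow copies is left alone.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed IOC feed for one ransomware build (placeholder values, not real indicators).
KNOWN_BAD_HASHES = {"0" * 64: "ransomware-build-1"}
KNOWN_BAD_DOMAINS = {"c2-a.invalid", "c2-b.invalid", "c2-c.invalid"}


@dataclass
class Event:
    ts: float      # seconds since the start of the trace
    pid: int
    kind: str      # "process_start" | "dns" | "file_write" | "shadow_copy_delete"
    detail: str    # SHA-256 for process_start, domain for dns, path for file_write, "" otherwise


def ioc_hits(events):
    """IOC view: exact match of observed artifacts against the published feed."""
    hits = []
    for e in events:
        if e.kind == "process_start" and e.detail in KNOWN_BAD_HASHES:
            hits.append((e.pid, "hash", KNOWN_BAD_HASHES[e.detail]))
        elif e.kind == "dns" and e.detail in KNOWN_BAD_DOMAINS:
            hits.append((e.pid, "domain", e.detail))
    return hits


def ioa_hits(events, window_s=60.0, min_writes=50, min_dirs=5):
    """IOA view: a process that deletes shadow copies AND writes many files across
    many directories inside a short window. The thresholds are tuning knobs."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    flagged = []
    for pid, evs in by_pid.items():
        if not any(e.kind == "shadow_copy_delete" for e in evs):
            continue  # mass writes alone (backups, builds) are normal; require both behaviours
        writes = sorted((e for e in evs if e.kind == "file_write"), key=lambda e: e.ts)
        j = 0
        for i in range(len(writes)):
            # advance j so writes[i:j] is every write within window_s of writes[i]
            while j < len(writes) and writes[j].ts - writes[i].ts <= window_s:
                j += 1
            burst = writes[i:j]
            dirs = {w.detail.rsplit("/", 1)[0] for w in burst}
            if len(burst) >= min_writes and len(dirs) >= min_dirs:
                flagged.append(pid)
                break
    return flagged


def build_trace(pid, binary_hash, dns_name, delete_shadows=True, n_writes=120, n_dirs=10, start=0.0):
    """Constructed telemetry for one process: launch, one DNS lookup, optional shadow copy
    deletion, then n_writes file writes spread over n_dirs directories within 30 seconds."""
    evs = [Event(start, pid, "process_start", binary_hash),
           Event(start + 1, pid, "dns", dns_name)]
    if delete_shadows:
        evs.append(Event(start + 2, pid, "shadow_copy_delete", ""))
    for k in range(n_writes):
        path = f"/home/user/dir{k % n_dirs}/file{k}.docx"
        evs.append(Event(start + 3 + k * (30.0 / n_writes), pid, "file_write", path))
    return evs


def detect(events):
    return {"ioc": ioc_hits(events), "ioa": ioa_hits(events)}


if __name__ == "__main__":
    build1 = build_trace(101, "0" * 64, "c2-a.invalid")                        # the documented build
    build2 = build_trace(202, "1" * 64, "fresh-c2.invalid")                    # rebuilt: new hash, new C2
    backup = build_trace(303, "2" * 64, "backup.corp.invalid", delete_shadows=False)
    for name, trace in (("build1", build1), ("build2", build2), ("backup", backup)):
        print(name, detect(trace))
```

The `min_writes`, `min_dirs` and `window_s` values are where the tuning effort the article mentions goes: too low and build servers or backup agents fire, too high and a slow encryptor slips under the window. Requiring the shadow-copy deletion as a second behaviour is what keeps the mass-write signal usable at all.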

Why IOAs sit higher on the Pyramid of Pain

The Pyramid of Pain ranks indicators by how much it hurts the adversary when you deny them. Hashes and IPs (the stuff of IOCs) sit at the bottom — trivial for attackers to change. TTPs and behaviors (the stuff of IOAs) sit at the top — painful and expensive to alter. Detecting at the IOA/TTP level imposes real cost on attackers and stays effective far longer than chasing perishable artifacts.

Use both, in layers

This isn't an either/or choice. A mature detection strategy uses both:

  • IOCs for fast, cheap, automated blocking and retroactive hunting — when new indicators are published, search your history for them.
  • IOAs for resilient, behavior-based detection that catches novel attacks and forces adversaries to work harder.

Modern EDR and detection platforms increasingly emphasize IOAs precisely because attackers have become so adept at evading static indicators.

Building IOA-based detection

Shifting from indicator-based to behavior-based detection is one of the most valuable evolutions a security team can make, but it requires a different mindset and toolset. Here's how teams move up the maturity curve toward IOAs:

  1. Start from adversary behavior. Instead of asking "what bad files exist?", ask "what does an attacker actually do?" Use the MITRE ATT&CK framework to enumerate the techniques relevant to your threat model.
  2. Translate techniques into observable activity. For each technique, identify the telemetry that would reveal it — a process spawning another suspicious process, a script reaching out to the internet, an account accessing resources it never normally touches.
  3. Write behavioral detections. Encode those patterns as detection logic in your EDR or SIEM, focusing on sequences and context rather than single static values.
  4. Tune for precision. Behavioral detections can be noisier than exact-match indicators, so invest in tuning to your environment's normal baseline to keep false positives manageable.
  5. Validate with emulation. Run controlled tests that reproduce the technique to confirm your IOA actually fires.

A helpful way to picture the difference: an IOC detection is like a wanted poster for a specific criminal, while an IOA detection is like recognizing the behavior of someone casing a building — it works even for a criminal whose face you've never seen. Both have their place. The wanted poster is instantly actionable when you have it; the behavioral awareness catches the newcomers.

The most resilient programs deliberately invest in climbing toward IOA- and TTP-level detection over time, because that's where they impose lasting cost on adversaries. Indicators remain the fast, cheap first layer, but behavior is what catches the attacker who has changed everything except how they fundamentally operate. Feeding both layers with current intelligence — fresh indicators for blocking and fresh technique reporting for behavioral hypotheses — keeps the whole system sharp.

Quick recap:

  • An IOC (indicator of compromise) is evidence an attack already happened — a static artifact like a hash, IP or domain.
  • An IOA (indicator of attack) detects an attack in progress by its behavior and intent, catching novel and fileless threats.
  • IOCs are fast, cheap and easy to automate but perishable; IOAs are resilient and harder to evade but take more effort to build.
  • The strongest programs use both — IOCs for known-threat blocking, IOAs for behavior-based detection — and climb toward the TTP level.

The bottom line

IOCs detect what has already happened using static artifacts; IOAs detect what is happening using behavior and intent. IOCs are fast and easy but perishable; IOAs are resilient and catch novel attacks but take more effort to build. The best programs combine both — blocking known threats with IOCs while catching the unknown with IOAs. To keep your IOC feeds fresh and your IOA hypotheses sharp, our live threat intelligence feed surfaces breaking research and indicators from dozens of authoritative sources, ranked by priority.

Frequently asked questions

What is the difference between an IOC and an IOA?

An indicator of compromise (IOC) is forensic evidence that an attack already happened, like a known-bad IP or file hash. An indicator of attack (IOA) focuses on the behavior and intent of an attack in progress, so it can catch novel techniques even when the specific files or infrastructure are brand new.

Are IOAs better than IOCs?

Neither is strictly better — they serve different purposes. IOCs are fast, concrete and easy to automate but perishable. IOAs are resilient and catch novel attacks but take more effort to build and tune. Strong detection programs use both together.

What is an example of an indicator of attack?

A common IOA is a document spawning a scripting tool like PowerShell, which downloads and executes a payload that then tries to access credentials. This malicious behavior pattern triggers detection even if the specific file is unknown, because it matches how attackers operate.

Why are IOAs harder for attackers to evade?

Because they detect behavior rather than static artifacts. Attackers can trivially change a file hash or rotate an IP address, but changing how they fundamentally operate — their tactics, techniques and procedures — is expensive and risky, which is why behavior-based detection stays effective longer.