Skip to content
FortaRisks
Back to blogThreat Intelligence

IOC security and monitoring: turning indicators of compromise into action

June 23, 2026 · 6 min read

Every security team subscribes to at least one IOC feed. Very few extract real value from it. The gap is not in the indicators themselves: it is in what happens (or does not happen) after they arrive. This article covers what IOCs are, why raw feeds disappoint, and how to run an IOC monitoring practice that produces prioritized actions instead of noise.

What an IOC is, and the main types

An IOC (Indicator of Compromise) is an observable technical artifact that betrays the likely presence of an attack. In practice, most indicators fall into a handful of families:

  • File hashes (MD5, SHA-1, SHA-256): fingerprints of known malicious binaries or documents.
  • IP addresses: command-and-control servers, scanning infrastructure, exfiltration endpoints.
  • Domains: C2 domains, typosquats of your brand, domains generated by DGA malware.
  • URLs: phishing pages, malware delivery links, exploit kit landing pages.
  • Email artifacts: sender addresses, subject lines, attachment names, header anomalies tied to a campaign.
  • Host artifacts: registry keys, mutexes, file paths, scheduled task names created by an intrusion.
  • TTP-adjacent artifacts: named pipes, user-agent strings, JA3/JA4 fingerprints, certificate hashes. These sit halfway between a point-in-time indicator and a description of attacker behavior in the sense of MITRE ATT&CK.

Why raw IOC feeds disappoint

Three structural problems explain why most IOC programs stall.

Volume. Aggregate a few open feeds and you receive hundreds of thousands of indicators per month. No SIEM, firewall or analyst team absorbs that raw. Blocklists overflow, rules slow down, and the team starts ignoring the pipeline it built.

Decay. IOCs age fast, and unevenly. A phishing URL may be dead within 48 hours. A C2 IP rotates in days. A malware hash stays technically valid but stops being seen once the campaign moves on. An indicator without a timestamp and an expiry policy is a liability, not an asset.

False positives. Shared infrastructure is the classic trap: a "malicious" IP that belongs to a CDN or a cloud provider will match thousands of legitimate connections. Block it and you break production; alert on it and you bury your analysts.

The pyramid of pain summarizes the deeper issue. Hashes sit at the bottom: an attacker recompiles a payload in seconds and every hash you know becomes worthless. IPs and domains cost a little more to rotate, but only a little. Tools and behaviors sit at the top: forcing an attacker to change how they operate genuinely hurts them. IOCs remain useful, but only as the fast, disposable layer of a detection strategy that also invests in behavior.

IOC security vs IOC monitoring

The two search queries hide two distinct practices, and mature teams run both.

IOC security is the blocking side: pushing qualified indicators into your firewall, DNS filter, email gateway, proxy and EDR so that known-bad infrastructure is stopped before it does damage. It is preventive, cheap per indicator, and only as good as the quality of what you push. Feed it stale or noisy indicators and you either block legitimate traffic or accumulate dead rules.

IOC monitoring is the continuous matching side: comparing indicators against your telemetry (DNS queries, egress connections, EDR events, email logs) and against your external attack surface, both retroactively and in real time. Monitoring answers a different question: not "can we block this?" but "have we already seen it, and are we seeing it now?" A retroactive match against last month's DNS logs is often the first sign of a compromise that prevention missed.

Blocking without monitoring gives you a false sense of coverage. Monitoring without blocking turns every match into an incident that prevention could have absorbed. You need the loop between the two.

Where IOCs come from

Good indicators come from many places, and no single source is enough:

  • Open communities and feeds: MISP sharing communities, AlienVault OTX, Abuse.ch projects such as ThreatFox (multi-type IOCs) and URLhaus (malware URLs), plus abuse and blocklist feeds.
  • ISACs and sector sharing groups: indicators contextualized for your industry, often earlier and more relevant than generic feeds.
  • Commercial providers: curated, scored indicators with attribution and context, at a price.
  • Your own incidents: the most relevant IOCs you will ever have, because they were observed on your perimeter.

Interoperability runs on standards: STIX/TAXII structures indicators with context (confidence, validity window, related campaign) and transports them between platforms. If a source cannot express when an indicator was first and last seen, treat it with suspicion.

How to operationalize: from feed to action

A working pipeline looks like this:

  1. Aggregate and deduplicate. The same C2 IP will arrive from five sources. Merge duplicates and keep the union of their context; the number of independent sources reporting an indicator is itself a confidence signal.
  2. Score and age out. Rate each indicator by source reliability, corroboration and freshness. Define expiry by type: days for URLs, weeks for IPs and domains, longer for hashes. Expired indicators leave the active set automatically.
  3. Match against your telemetry. Run the active set against egress logs, DNS resolutions, proxy logs, email metadata and EDR events. Include a retroactive sweep when a high-confidence indicator arrives: has anything in the last 90 days touched it?
  4. Match against your attack surface. IOCs are not only about inbound detection. A typosquat domain of your brand, a certificate mimicking yours, or your own IP appearing in a botnet feed are indicators about you, discovered outside.
  5. Escalate matches into prioritized actions. A match is not an alert to file; it is a decision to make. High-confidence, fresh indicator plus sensitive asset means immediate containment. Low-confidence match on shared infrastructure means enrichment first. Every match should exit the pipeline as an action with an owner and a deadline.

Measuring whether it works

Three metrics tell you if your IOC practice creates value:

  • Match rate: what fraction of ingested indicators ever match your environment? Near zero may mean irrelevant feeds; unexpectedly high may mean false positives.
  • Time to action: the delay between an indicator arriving and a confirmed match being contained or dismissed. This is the metric that actually reduces risk.
  • False-positive rate: the share of matches dismissed as benign. Above roughly 30 to 40 percent, your scoring or your sources need work before your analysts burn out.

Common failure modes

The same mistakes appear in most struggling programs: ingesting everything and qualifying nothing; never expiring indicators, so the blocklist becomes an archaeology site; matching only in real time and never retroactively; treating a match as a ticket rather than a decision; and betting the whole detection strategy on IOCs while ignoring the behavioral layer that the pyramid of pain says matters most. Each one is fixable, and none requires more feeds. They require a pipeline.

Making the pipeline someone else's problem

Building this pipeline in-house is possible, but it is real engineering: connectors, dedup logic, scoring, expiry, correlation. The FortaRisks CTI module does this out of the box: it aggregates and deduplicates more than 50 sources (including MISP, AlienVault OTX, ThreatFox and URLhaus) and correlates the resulting indicators with your actual attack surface, so that a match arrives as a prioritized action tied to a real asset, not as one more line in a feed. See how it fits your stack on the CTI platform page.

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.