What is an IOC?
An IOC, or Indicator of Compromise, is an observable technical element indicating that a system has probably been compromised. Typical examples include the cryptographic hash of a malicious file, an IP address or domain contacted by malware, a delivery URL, or a registry key created by an intrusion.
IOCs are the raw material of detection: they are continuously compared against what happens on the network and endpoints to spot known malicious activity.
Why it matters for your organization
IOCs let you quickly detect threats already identified elsewhere and speed up incident response: once an IOC is confirmed, you can search for its presence across the estate to gauge the extent of a compromise.
Their limit lies in their nature: they are reactive, volatile signals. An attacker can change IP address or recompile their malware in minutes, rendering the IOC obsolete. That is why they complement, without replacing, behavior-based approaches.
How to use IOCs
- Automate ingestion via feeds and standardized formats such as STIX/TAXII.
- Correlate IOCs with network and system logs continuously.
- Prioritize by freshness and reliability: a stale or poorly qualified IOC generates noise.
- Combine with TTPs from MITRE ATT&CK for more durable detection.
Where organizations most often fall short
A common mistake is betting everything on IOCs, piling up massive lists without qualifying or expiring them. This saturates detection tools and drowns real signals. A mature approach ranks indicators and also invests in behavioral detection, which is harder for the attacker to evade.
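The following worked example is added here and is not code from the original page. It ties together the practices in the "How to use IOCs" list and the ranking/expiry point above: it ingests a handful of indicators written as STIX 2.1 patterns, qualifies each one by freshness and confidence before it is ever matched, drops stale or poorly qualified entries instead of letting them pile up, and correlates the survivors against a few log lines. The indicator records, log lines, hostnames, confidence threshold and per-type expiry windows are all constructed assumptions, not values from the page, and only the simplest single-comparison STIX pattern form is parsed.

```python
"""Added example (not from the original page): qualify, expire and correlate IOCs.
All indicators, log lines, thresholds and expiry windows below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed indicator records, shaped like STIX 2.1 "indicator" objects
# (pattern + valid_from + confidence). Every value is made up.
CONSTRUCTED_INDICATORS = [
    {"pattern": "[domain-name:value = 'update-check.example']",
     "valid_from": "2024-05-01T00:00:00Z", "confidence": 85},
    {"pattern": "[ipv4-addr:value = '203.0.113.45']",
     "valid_from": "2024-03-20T00:00:00Z", "confidence": 60},   # too old for an IP
    {"pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
     "valid_from": "2023-11-02T00:00:00Z", "confidence": 95},   # old, but hashes age slowly
    {"pattern": "[url:value = 'http://update-check.example/dl/setup.bin']",
     "valid_from": "2024-05-22T00:00:00Z", "confidence": 20},   # fresh but poorly qualified
]

# Constructed proxy / DNS / EDR style log lines; hosts and values are made up.
CONSTRUCTED_LOGS = [
    "2024-05-25T10:02:11Z proxy host=ws-017 dst=203.0.113.45 url=http://update-check.example/dl/setup.bin",
    "2024-05-25T10:02:12Z dns host=ws-017 query=update-check.example",
    "2024-05-25T10:03:40Z edr host=ws-017 file_sha256=" + "a" * 64,
    "2024-05-25T11:15:00Z dns host=ws-102 query=intranet.example",
]

NOW = datetime(2024, 5, 25, 12, 0, tzinfo=timezone.utc)   # assumed "current time"
MIN_CONFIDENCE = 50                                        # assumed threshold
# Assumed expiry windows: network indicators rot fast, file hashes slowly.
EXPIRY = {"ip": timedelta(days=30), "url": timedelta(days=30),
          "domain": timedelta(days=90), "sha256": timedelta(days=365)}

# Handles only the single-comparison pattern form "[object:property = 'value']".
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+) = '(?P<val>[^']+)'\]$")
OBJ_TO_TYPE = {"domain-name": "domain", "ipv4-addr": "ip", "url": "url", "file": "sha256"}


def parse_indicator(record):
    """Turn one STIX-style indicator record into a flat IOC dict."""
    m = PATTERN_RE.match(record["pattern"])
    if not m or m["obj"] not in OBJ_TO_TYPE:
        raise ValueError("unsupported pattern: " + record["pattern"])
    return {"type": OBJ_TO_TYPE[m["obj"]], "value": m["val"].lower(),
            "valid_from": datetime.fromisoformat(record["valid_from"].replace("Z", "+00:00")),
            "confidence": record["confidence"]}


def qualify(ioc, now=NOW, min_confidence=MIN_CONFIDENCE):
    """Classify an IOC as active, expired or low_confidence before it is matched."""
    if now - ioc["valid_from"] > EXPIRY[ioc["type"]]:
        return "expired"
    if ioc["confidence"] < min_confidence:
        return "low_confidence"
    return "active"


def extract_observables(line):
    """Pull (type, value) pairs out of a key=value log line."""
    found = set()
    for key, val in re.findall(r"(\w+)=(\S+)", line):
        val = val.lower()
        if key == "url":
            found.add(("url", val))
            # The URL's host is itself a domain observable.
            found.add(("domain", re.sub(r"^\w+://([^/:]+).*$", r"\1", val)))
        elif key in ("dst", "src"):
            found.add(("ip", val))
        elif key == "query":
            found.add(("domain", val))
        elif key == "file_sha256":
            found.add(("sha256", val))
    return found


def correlate(records=CONSTRUCTED_INDICATORS, logs=CONSTRUCTED_LOGS, now=NOW):
    """Match only qualified IOCs against the logs; report what was dropped and why."""
    active, dropped = {}, {}
    for rec in records:
        ioc = parse_indicator(rec)
        status = qualify(ioc, now)
        if status == "active":
            active[(ioc["type"], ioc["value"])] = ioc
        else:
            dropped[ioc["value"]] = status
    hits = []
    for line in logs:
        for key in extract_observables(line) & set(active):
            hits.append({"type": key[0], "value": key[1],
                         "confidence": active[key]["confidence"], "line": line})
    # Highest-confidence matches first, so analysts triage the strongest signal.
    hits.sort(key=lambda h: -h["confidence"])
    return hits, dropped


if __name__ == "__main__":
    matches, skipped = correlate()
    for h in matches:
        print(f"HIT {h['type']}={h['value']} (confidence {h['confidence']}): {h['line']}")
    for value, why in skipped.items():
        print(f"SKIPPED {value}: {why}")
```

Running it yields three hits on the single host ws-017 (the file hash, ranked first by confidence, then the domain seen both in the proxy URL and the DNS query) while the stale IP and the low-confidence URL are reported as skipped rather than silently matched. Keeping the expiry window per indicator type, rather than one global cutoff, is the design choice that lets a months-old file hash stay useful while a weeks-old IP address is retired.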