FortaRisks glossary: Threat intelligence

IOC (Indicator of Compromise)

An IOC (Indicator of Compromise) is an observable technical artifact that betrays the likely presence of an attack: a malicious file hash, a suspicious IP or domain, a URL, a registry key. IOCs feed detection and incident response, but remain volatile signals that attackers change easily.

Updated on July 2, 2026

What is an IOC?

An IOC, or Indicator of Compromise, is an observable technical element indicating that a system has probably been compromised. Typical examples include the cryptographic hash of a malicious file, an IP address or domain contacted by malware, a delivery URL, or a registry key created by an intrusion.

IOCs are the raw material of detection: they are continuously compared against what happens on the network and endpoints to spot known malicious activity.

Why it matters for your organization

IOCs let you quickly detect threats already identified elsewhere and speed up incident response: once an IOC is confirmed, you can search for its presence across the estate to gauge the extent of a compromise.

Their limit lies in their nature: they are reactive, volatile signals. An attacker changes IP address or recompiles their malware in minutes, making the IOC obsolete. That is why they complement, without replacing, behavior-based approaches.

How to use IOCs

  • Automate ingestion via feeds and standardized formats such as STIX/TAXII.
  • Correlate IOCs with network and system logs continuously.
  • Prioritize by freshness and reliability: a stale or poorly qualified IOC generates noise.
  • Combine with TTPs from MITRE ATT&CK for more durable detection.

Where organizations most often fall short

A common mistake is betting everything on IOCs, piling up massive lists without qualifying or expiring them. This saturates detection tools and drowns real signals. A mature approach ranks indicators and also invests in behavioral detection, which is harder for the attacker to evade.
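The list under "How to use IOCs" and the point above about qualifying and expiring indicators can be shown together in one small pipeline. The following Python is an added example, not FortaRisks code: it parses a constructed STIX 2.1 bundle of three indicators, drops the one whose `valid_until` has passed, ranks the rest by confidence weighted by remaining lifetime, and correlates the survivors against a few constructed log lines. The bundle, the log lines, the reference time, the 30-day default lifetime for indicators without `valid_until`, and the priority formula are all assumptions made for the example; the IPs and domains use reserved documentation ranges and the hash is the well-known SHA-256 of the empty string.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reference time for the run (constructed; a real job would use datetime.now(timezone.utc)).
NOW = datetime(2026, 7, 2, tzinfo=timezone.utc)

# Indicators without an explicit valid_until get this lifetime (an assumption, not a STIX rule).
DEFAULT_TTL_DAYS = 30

# Constructed STIX 2.1 bundle. Values are placeholders: RFC 5737 / RFC 2606 reserved
# addresses and names, and the SHA-256 of the empty string as a dummy file hash.
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "confidence": 85, "valid_from": "2026-06-20T00:00:00Z", "valid_until": "2026-07-20T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'update.example.invalid']",
         "confidence": 60, "valid_from": "2026-01-01T00:00:00Z", "valid_until": "2026-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "confidence": 95, "valid_from": "2026-07-01T00:00:00Z"},
    ],
}

# Constructed log lines in a loose key=value style; not taken from any real product.
SAMPLE_LOGS = [
    "2026-07-02T00:15:01Z proxy src=10.0.0.5 dst=203.0.113.10 url=http://203.0.113.10/beacon",
    "2026-07-02T00:16:30Z dns client=10.0.0.7 query=update.example.invalid",
    "2026-07-02T00:17:02Z edr host=ws-12 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2026-07-02T00:18:00Z proxy src=10.0.0.9 dst=198.51.100.4 url=http://198.51.100.4/",
]


@dataclass
class Indicator:
    id: str
    kind: str          # STIX object path, e.g. "ipv4-addr:value"
    value: str         # normalized (lower-case) observable
    confidence: int
    valid_from: datetime
    valid_until: datetime


# Handles only single-comparison patterns such as [ipv4-addr:value = '...'];
# compound patterns (AND/OR, ranges) are out of scope for this example.
PATTERN_RE = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")
TOKEN_SPLIT = re.compile(r"[\s=/,;]+")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_indicators(bundle):
    """Extract (kind, value, validity window) from each indicator object in the bundle."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue
        valid_from = _ts(obj["valid_from"])
        valid_until = (_ts(obj["valid_until"]) if "valid_until" in obj
                       else valid_from + timedelta(days=DEFAULT_TTL_DAYS))
        out.append(Indicator(obj["id"], m.group(1), m.group(2).lower(),
                             int(obj.get("confidence", 50)), valid_from, valid_until))
    return out


def priority(ind, now=NOW):
    """Confidence scaled by remaining lifetime; 0 outside the validity window."""
    if not (ind.valid_from <= now < ind.valid_until):
        return 0
    lifetime = (ind.valid_until - ind.valid_from).total_seconds()
    age = (now - ind.valid_from).total_seconds()
    return round(ind.confidence * (1 - age / lifetime))


def active_indicators(indicators, now=NOW):
    """Drop expired indicators and return (indicator, priority) pairs, highest first."""
    live = [(i, priority(i, now)) for i in indicators if i.valid_from <= now < i.valid_until]
    live.sort(key=lambda pair: pair[1], reverse=True)
    return live


def match_logs(lines, active):
    """Correlate active indicators against log lines by exact token match."""
    by_value = {ind.value: (ind, p) for ind, p in active}
    hits = []
    for line in lines:
        for tok in set(TOKEN_SPLIT.split(line.lower())):
            if tok in by_value:
                ind, p = by_value[tok]
                hits.append({"line": line, "indicator": ind.id, "kind": ind.kind, "priority": p})
    hits.sort(key=lambda h: h["priority"], reverse=True)
    return hits


if __name__ == "__main__":
    active = active_indicators(parse_indicators(STIX_BUNDLE))
    for ind, p in active:
        print(f"{p:3d}  {ind.kind:<22} {ind.value}")
    for hit in match_logs(SAMPLE_LOGS, active):
        print(f"[{hit['priority']}] {hit['indicator']} <- {hit['line']}")
```

The expired domain indicator never reaches the matcher, so the DNS line it would have hit produces no alert; the two remaining hits come out with the fresh, high-confidence hash ranked above the three-week-old IP. In a real deployment the ranking input would also include source reliability and sighting counts, and the token matcher would be replaced by the SIEM's own lookup tables, but the shape of the pipeline (ingest, expire, rank, correlate) is the same.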

Frequently asked questions

What is the difference between an IOC and a TTP?

An IOC is a point-in-time, changeable artifact (a hash, an IP address). A TTP describes attacker behavior, which is more durable, as documented by MITRE ATT&CK. Blocking an IOC barely inconveniences an attacker who just switches address; detecting a TTP constrains them far more. This is the idea behind the pyramid of pain.

Where do IOCs come from?

From incident analysis, malware investigation, threat-intelligence feeds and sharing between organizations, often via standardized formats such as STIX. Their value depends on freshness: an old IOC quickly becomes obsolete.
