Indicator Of Compromise (IoC)
What it is
An Indicator of Compromise (IoC) is an observable artifact that suggests a device or network has been, or is being, attacked - a suspicious file hash, domain, IP address, process name, or an unusual login. Think of IoCs as breadcrumbs investigators use to spot and stop attacks.
Why it matters
Catching an IoC early lets you isolate a system, block connections, and limit damage. Sharing IoCs with your team or tools raises the alarm faster the next time the same threat appears.
Common types
- File hashes and filenames - match known malicious files
- Domains and IPs - command-and-control or phishing hosts
- Registry keys, services, scheduled tasks - persistence left by malware
- Process names and command lines - tools and switches attackers use
- Email artifacts - sender, subject, URLs, attachment hashes
How to use IoCs - fast
- Search your logs and endpoints for the IoC.
- Block matching domains, IPs, and hashes at DNS, firewall, and EDR.
- Isolate affected hosts, collect evidence, and remediate.
- Update detections and share IoCs so the team catches repeats.
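The first two steps above (search, then block) as a worked example. This is code added to this entry, not a tool from the page: it takes a small IoC list in the defanged form feeds are often shared in (hxxp://, [.]), normalizes it, scans a few constructed DNS, proxy and EDR log lines for the IoC types listed under "Common types", and groups the hits by the control that can block each one. Every indicator, hostname and log line is constructed for the example; none refers to a real threat.

```python
"""Search constructed log lines for a set of IoCs and group the hits by where
they can be blocked. Example code added to this glossary entry."""
import ipaddress
import re
from collections import defaultdict

# Constructed IoC list in the defanged form feeds often use (hypothetical values).
IOCS = {
    "domain": {"hxxp://update-check[.]example[.]net/"},
    "ip": {"198.51.100[.]23"},
    "sha256": {"A1B2C3D4" * 8},
    "filename": {"svchost32.exe"},
}

# Constructed DNS, proxy and EDR log lines (not from any real system). Note the
# upper-case, trailing-dot DNS query and the upper-case hash: matching must normalize.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z dns client=10.0.0.5 query=UPDATE-CHECK.example.net.",
    "2024-05-01T10:02:13Z proxy src=10.0.0.5 dst=198.51.100.23:443 host=update-check.example.net",
    r"2024-05-01T10:03:01Z edr host=WS-17 process=C:\Users\bob\AppData\Local\svchost32.exe sha256="
    + "A1B2C3D4" * 8,
    "2024-05-01T10:04:00Z dns client=10.0.0.9 query=www.example.com",
]

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b\.?", re.I)
FILENAME_RE = re.compile(r"[\w.-]+\.(?:exe|dll|ps1|bat|js|vbs)\b", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp://, [.], (dot)) and normalize case/trailing dots."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
    return s.rstrip("/").rstrip(".")


def extract_candidates(line: str) -> dict:
    """Pull every hash, IP, domain and filename-looking token out of one log line."""
    cands = defaultdict(set)
    for m in SHA256_RE.findall(line):
        cands["sha256"].add(m.lower())
    for m in IPV4_RE.findall(line):
        try:  # ipaddress rejects octets > 255 that the regex lets through
            cands["ip"].add(str(ipaddress.ip_address(m)))
        except ValueError:
            pass
    for m in DOMAIN_RE.findall(line):
        cands["domain"].add(m.lower().rstrip("."))
    for m in FILENAME_RE.findall(line):
        cands["filename"].add(m.lower())
    return cands


def scan(lines, iocs) -> list:
    """Return (line_no, ioc_type, indicator) for every IoC seen in the lines."""
    norm = {t: {refang(v) for v in vals} for t, vals in iocs.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        for t, vals in extract_candidates(line).items():
            for v in sorted(vals & norm.get(t, set())):
                hits.append((n, t, v))
    return hits


def block_list(hits) -> dict:
    """Group matched indicators by the control that can block them.
    Filenames are left out: they identify a file for triage, not a blockable key."""
    targets = {"domain": "dns", "ip": "firewall", "sha256": "edr"}
    out = defaultdict(set)
    for _, t, v in hits:
        if t in targets:
            out[targets[t]].add(v)
    return {k: sorted(v) for k, v in out.items()}


def main():
    hits = scan(SAMPLE_LOGS, IOCS)
    for n, t, v in hits:
        print(f"line {n}: {t} {v}")
    for control, values in block_list(hits).items():
        print(f"block at {control}: {', '.join(values)}")


if __name__ == "__main__":
    main()
```

Running it reports the domain on the DNS line (despite the case and trailing dot), the domain and IP on the proxy line, and the hash and filename on the EDR line; the benign DNS query produces nothing. In practice the regex extraction would be replaced by the SIEM's own field parsing, but the normalization step (case, trailing dots, defanging, port suffixes) is the part that most often makes a real IoC search miss.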
Limits to know