Threat Analysis

Indicator of Compromise (IOC)

An indicator of compromise is a forensic artifact or observable signal that suggests a system, account, or network may already have been compromised.

What Is an IOC?

IOCs are commonly derived from incident investigations, malware analysis, and threat intelligence reporting. Examples include malicious file hashes, domains, IP addresses, registry keys, mutexes, or unusual account activity that can be matched across environments.

Common IOC Sources

  • Incident Response: Evidence collected from a confirmed compromise
  • Threat Intelligence Feeds: Shared indicators associated with known campaigns
  • Malware Analysis: Artifacts extracted from payloads or infrastructure
  • Telemetry Review: Suspicious patterns surfaced by SIEM, EDR, or network tools

Why IOCs Matter

IOCs help defenders identify known malicious activity quickly and at scale. They are useful for enrichment, retrospective searches, and incident triage, although they are often less durable than behavioral detections because attackers can rotate infrastructure or payloads.

How FourCore ATTACK Relates

FourCore ATTACK helps teams test whether controls and detection pipelines surface the expected evidence during simulated activity. That validation supports stronger IOC handling and faster investigation workflows.

Related Terms

Related Reading