Indicators of compromise are observable signs that suggest a system or account may already have been compromised.
Indicators of compromise, often shortened to IOCs, are observable signs that a compromise may already have occurred. In plain language, they are clues defenders use to recognize that a system, account, or environment may have been affected by malicious activity.
IOCs matter because defenders need ways to identify and scope incidents. Suspicious domains, unusual file artifacts, unexpected processes, or abnormal authentication records can help analysts determine whether they are dealing with a real compromise rather than a false alarm.
They also matter because incident response depends on evidence. Observable indicators help teams search for affected systems, understand impact, and decide which containment or remediation actions are necessary.
IOCs appear in threat intelligence, detection engineering, SOC investigations, endpoint analysis, and incident scoping. Teams load them into SIEM and EDR platforms, run them against network telemetry such as proxy, DNS, and flow logs, and use them to seed hunt queries that locate related activity across the environment.
| IOC type | Example |
|---|---|
| File or process artifact | Suspicious binary, hash, or unexpected executable path |
| Network artifact | Repeated connections to an unusual host or domain |
| Identity artifact | Authentication from an unexpected source address, device, or location, or a logon at an unusual time for that account |
| Host or system change | New service, registry change, or suspicious scheduled task |
A responder investigating suspicious activity finds repeated connections from several endpoints to the same unusual external host, along with a matching file artifact on those systems. Those observable signs can serve as indicators of compromise and help the team identify which devices to investigate and contain.
A matching indicator is not proof that the system is compromised. A shared hosting IP, a hash belonging to a common library or dual-use tool, or an administrator running that tool legitimately can all produce a match. IOCs are investigative signals that need context and validation, and a host matching on several independent indicator types is a much stronger signal than a host matching on one.
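The scenario above (repeated connections to one external host plus a matching file artifact on several endpoints) and the caveat that a single match still needs validation can be shown as a small sweep. The following is an added example, not code from the original page: it runs a constructed IOC set over constructed network and file-inventory records, then separates hosts whose hits are corroborated across artifact types from hosts with a lone match. The IOC values, host names, paths, and log records are all invented for illustration.

```python
"""Sweep constructed sample telemetry for a small IOC set and triage the hits.

Added example, not code from the original page. Every IOC value, host name
and log record below is constructed for illustration.
"""
from collections import defaultdict

# Hypothetical IOC set, as an analyst might receive it from a threat intel
# feed or an earlier stage of the investigation (constructed values).
IOCS = {
    "domain": {"update-cdn-check.example"},
    "ip": {"203.0.113.45"},            # TEST-NET-3 documentation range, not a real host
    "sha256": {"deadbeef" * 8},        # placeholder hash, not a real sample
}

# Constructed sample logs: outbound connections as an EDR agent or proxy
# might record them, plus a file inventory from the same endpoints.
NETWORK_LOGS = [
    {"host": "ws-01", "dst_ip": "203.0.113.45", "domain": "update-cdn-check.example", "dst_port": 443},
    {"host": "ws-01", "dst_ip": "203.0.113.45", "domain": "update-cdn-check.example", "dst_port": 443},
    {"host": "ws-02", "dst_ip": "203.0.113.45", "domain": "UPDATE-CDN-CHECK.example", "dst_port": 443},
    {"host": "ws-03", "dst_ip": "198.51.100.7", "domain": "cdn.vendor.example", "dst_port": 443},
    {"host": "srv-db", "dst_ip": "203.0.113.45", "domain": "", "dst_port": 8443},
]
FILE_LOGS = [
    {"host": "ws-01", "path": r"C:\Users\Public\svchost.exe", "sha256": "deadbeef" * 8},
    {"host": "ws-02", "path": r"C:\ProgramData\update.exe", "sha256": "DEADBEEF" * 8},
    {"host": "ws-04", "path": r"C:\Temp\tool.exe", "sha256": "deadbeef" * 8},
    {"host": "ws-03", "path": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
]


def match_iocs(network_logs, file_logs, iocs):
    """Return {host: {ioc_type: [matching events]}} for every host with at least one hit.

    Matching is case-insensitive on domains and hashes. An empty domain field
    (a direct-to-IP connection) still matches on the IP indicator.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ev in network_logs:
        domain = ev.get("domain", "").lower()
        if ev["dst_ip"] in iocs["ip"] or (domain and domain in iocs["domain"]):
            hits[ev["host"]]["network"].append(ev)
    for ev in file_logs:
        if ev["sha256"].lower() in iocs["sha256"]:
            hits[ev["host"]]["file"].append(ev)
    # Return plain dicts so a later lookup cannot silently create empty entries.
    return {host: dict(by_type) for host, by_type in hits.items()}


def triage(hits):
    """Separate corroborated hits from single-indicator hits that still need validation.

    A host matching on two independent artifact types (here network and file)
    is a stronger signal than a lone match, which could be a shared CDN address,
    a common library hash, or a tool an administrator ran legitimately.
    """
    result = {}
    for host, by_type in hits.items():
        types = sorted(by_type)
        verdict = "investigate_and_contain" if len(types) >= 2 else "validate"
        result[host] = (verdict, types)
    return result


def hosts_to_contain(triaged):
    """Hosts whose hits are corroborated across artifact types, sorted for reporting."""
    return sorted(h for h, (verdict, _) in triaged.items() if verdict == "investigate_and_contain")


if __name__ == "__main__":
    hits = match_iocs(NETWORK_LOGS, FILE_LOGS, IOCS)
    for host, (verdict, types) in sorted(triage(hits).items()):
        print(f"{host:8} {verdict:24} matched on: {', '.join(types)}")
    print("contain first:", hosts_to_contain(triage(hits)))
```

With the constructed input, ws-01 and ws-02 match on both the network and file indicators and come out as the hosts to investigate and contain first; srv-db (network only) and ws-04 (file only) are flagged for validation rather than treated as confirmed; ws-03 does not appear at all. The same structure applies to a real SIEM or EDR query: the indicator list is the input, the event sources are the tables or telemetry streams, and corroboration across independent artifact types is what turns a match into something worth acting on.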
They are also different from Indicators of Attack (IOAs), which describe the behavior or technique in use, such as a document reader spawning a shell that then opens an outbound connection, rather than the specific artifacts left behind. Artifact-based IOCs such as a hash or a domain are cheap for an adversary to change, so behavioral indicators tend to stay useful longer, while IOCs remain the faster way to scope an incident once a specific intrusion has been identified.