Read any breach report or open a threat-intelligence feed and you'll find a list of IOCs: a column of IP addresses, domain names, and long hexadecimal hashes, each flagged as malicious. They're the closest thing security has to physical evidence — the fingerprints and tyre tracks of a digital intrusion. But unlike a fingerprint, they have a habit of going stale within days, and understanding why is most of what makes them useful.
An indicator of compromise is a specific, observable artifact that suggests a system has been breached or that malicious activity is under way. Concrete, matchable, and — crucially — disposable. Here's how they work.
What counts as an IOC
An IOC is anything you can observe and check against a list of known-bad. The common types fall into a few groups:
- Network indicators — IP addresses of command-and-control servers, malicious domain names, and full URLs used to host malware or run phishing pages.
- File indicators — the hash of a known malicious file (a SHA-256 that fingerprints one exact piece of malware), and sometimes filenames or file sizes.
- Host indicators — traces left on a machine: specific registry keys, mutexes, scheduled tasks, or process names a piece of malware creates.
- Email indicators — sender addresses, reply-to domains, or subject-line patterns tied to a phishing campaign.
The common thread is observability: each is something a security tool can spot in logs, in network traffic, or on disk, and match against a feed of indicators collected from past attacks.
IOC vs IOA: evidence versus behaviour
There's a closely related term worth separating out: the indicator of attack (IOA). The difference is the difference between what and how.
An IOC is reactive and forensic — it says "this exact hash is malware, this exact IP is a known command-and-control server." It only helps once that artifact is already known to be bad. An IOA is behavioural — it describes what an attacker is doing, regardless of the specific files or addresses involved: a process injecting code into another, a sudden burst of file encryption, a script disabling security tools. IOCs catch known threats by their signatures; IOAs catch novel ones by their conduct. Mature defences use both, because each covers the other's blind spot.
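To make the contrast concrete, here is an added example in Python (not part of the original article): a constructed event stream in which the same dropper runs twice, once as a build whose hash, C2 address and domain are on a threat feed, and once rebuilt with a new hash, a new address and a new domain. The IOC matcher only ever sees the first run; the two behavioural rules (a burst of extension-changing file renames, and a command line that switches off real-time antivirus scanning) fire on both. The feed, the telemetry, the thresholds and the `Set-MpPreference` command used to stand for "a script disabling security tools" are all assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict

# --- Constructed threat feed (not from any real source) -----------------------
# Two placeholder byte strings stand in for two builds of the same dropper.
# Build 2 differs from build 1 by one appended byte: same behaviour, new hash.
SAMPLE_V1 = b"placeholder bytes standing in for a malicious dropper, build 1"
SAMPLE_V2 = SAMPLE_V1 + b"\x00"

FEED = {
    "sha256": {hashlib.sha256(SAMPLE_V1).hexdigest()},  # only build 1 is known
    "ipv4": {"198.51.100.20"},     # documentation-range stand-in for a C2 address
    "domain": {"c2.example.net"},  # constructed C2 domain
}


def domain_matches(observed, indicator):
    """True if the observed name is the indicator itself or a subdomain of it."""
    observed = observed.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def match_iocs(events, feed=FEED):
    """IOC matching: flag every event that carries an artifact on the feed."""
    hits = []
    for ev in events:
        h = ev.get("sha256", "").lower()
        if h in feed["sha256"]:
            hits.append({"pid": ev["pid"], "ioc": "sha256", "value": h})
        if ev.get("dst_ip") in feed["ipv4"]:
            hits.append({"pid": ev["pid"], "ioc": "ipv4", "value": ev["dst_ip"]})
        q = ev.get("query")
        if q and any(domain_matches(q, d) for d in feed["domain"]):
            hits.append({"pid": ev["pid"], "ioc": "domain", "value": q})
    return hits


# --- Behavioural rules (IOAs). Thresholds are assumptions for the example. ----
BURST_FILES = 20     # this many extension-changing renames by one process ...
BURST_WINDOW = 10.0  # ... inside a sliding window of this many seconds
TAMPER_MARKERS = ("-disablerealtimemonitoring",)  # one well-known AV-disable switch


def detect_ioas(events):
    """IOA detection: fire on conduct, whatever the hash, IP or domain in play."""
    alerts = []
    renames = defaultdict(list)  # pid -> timestamps of recent extension-changing renames
    burst_fired = set()
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process":
            if any(m in ev.get("cmdline", "").lower() for m in TAMPER_MARKERS):
                alerts.append({"pid": ev["pid"], "ioa": "security_tool_tamper", "t": ev["t"]})
        elif ev["type"] == "rename" and ev["new_ext"] != ev["old_ext"]:
            window = renames[ev["pid"]]
            window.append(ev["t"])
            while ev["t"] - window[0] > BURST_WINDOW:  # slide the window forward
                window.pop(0)
            if len(window) >= BURST_FILES and ev["pid"] not in burst_fired:
                burst_fired.add(ev["pid"])
                alerts.append({"pid": ev["pid"], "ioa": "encryption_burst", "t": ev["t"]})
    return alerts


# --- Constructed telemetry: two runs of the dropper plus benign activity ------
def intrusion(pid, sample, c2_ip, c2_domain, t0):
    """Event sequence for one run: tamper with AV, resolve and contact C2, encrypt files."""
    events = [
        {"t": t0, "pid": pid, "type": "process", "image": "update.exe",
         "sha256": hashlib.sha256(sample).hexdigest(),
         "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"t": t0 + 1, "pid": pid, "type": "dns", "query": c2_domain},
        {"t": t0 + 2, "pid": pid, "type": "net", "dst_ip": c2_ip},
    ]
    events += [{"t": t0 + 3 + 0.1 * i, "pid": pid, "type": "rename",
                "old_ext": ".docx", "new_ext": ".locked"} for i in range(25)]
    return events


EVENTS = (
    intrusion(4242, SAMPLE_V1, "198.51.100.20", "c2.example.net", t0=0.0)       # known build
    + intrusion(5151, SAMPLE_V2, "198.51.100.77", "cdn.example.org", t0=100.0)  # rotated build
    + [{"t": 50.0, "pid": 777, "type": "process", "image": "winword.exe",
        "sha256": hashlib.sha256(b"benign placeholder").hexdigest(),
        "cmdline": "winword.exe quarterly-report.docx"},
       {"t": 51.0, "pid": 777, "type": "rename", "old_ext": ".tmp", "new_ext": ".docx"}]
)

if __name__ == "__main__":
    for hit in match_iocs(EVENTS):
        print("IOC hit  ", hit)
    for alert in detect_ioas(EVENTS):
        print("IOA alert", alert)
```

Run it and the feed produces three hits, all against the first run; the rotated build produces none, yet both runs trip both behavioural rules. The benign Word process, which renames a single file, trips neither. Note that the burst rule is a sliding window keyed per process, so a slow drip of renames spread over minutes would not fire it; that gap is exactly where an attacker adapts, which is why thresholds belong to the tuning you do on your own telemetry.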
The Pyramid of Pain
This is the single most useful idea for thinking about IOCs, from a 2013 model by the analyst David Bianco. It ranks indicator types by how much pain you inflict on an attacker when you reliably detect and block them, from the bottom of the pyramid to the top:
- Trivial — hash values. Block one and the attacker recompiles the binary or flips a single byte; the behaviour is identical, the hash is brand-new, and it took them minutes.
- Easy — IP addresses. Moving to a new one is a matter of spinning up another server or proxy.
- Simple — domain names. A little more effort and money than an IP, but still cheap and fast to replace.
- Annoying — network and host artifacts: the user-agent strings, URI patterns, registry keys, mutex names, and file paths a tool leaves behind. Changing these means reworking the tool, not just its hosting.
- Challenging — tools: the malware families, frameworks, and utilities the attacker relies on. Block a tool reliably and they have to find or build a replacement.
- Tough — TTPs: the tactics, techniques, and procedures that make up how they actually operate. Forcing an adversary to change those is genuinely expensive for them.
The lesson is a little deflating: the IOCs that are easiest to collect and block — hashes, IPs, domains — sit at the bottom, where they cost the attacker almost nothing to swap out. The indicators that really hurt are the hardest to pin down.
Why IOCs expire
That pyramid explains the shelf-life problem. Attackers rotate infrastructure constantly: registering fresh domains by the thousand, cycling through IP addresses, recompiling payloads so every build carries a different hash. An IP flagged as a command-and-control server today might be dead within a week — or worse, reassigned to a legitimate service, so that continuing to block it generates false positives against innocent traffic.
This is why threat-intelligence feeds need constant refreshing, and why no serious defender relies on indicator matching alone. A list of last month's IOCs is largely a list of the addresses the attacker has already abandoned.
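Shelf life can be made explicit instead of being left to a feed's refresh cadence. The following added Python example (not from the original article) ages each indicator with a half-life chosen per indicator type and retires it once the decayed score drops under a threshold; a fresh sighting resets the clock. The half-lives, the threshold, the decay formula and the feed entries are illustrative assumptions. Hashes get the longest half-life because a stale hash never produces a false positive (the file is still malware); it only clutters the match set. A stale IP, by contrast, may now belong to someone innocent, which is the false-positive risk the page describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time so results are reproducible

# Illustrative half-lives in days. The ordering follows how cheaply an attacker
# rotates each artifact; the numbers are assumptions to tune from your own
# feed's sighting history, not vendor guidance.
HALF_LIFE_DAYS = {"ipv4": 7, "domain": 30, "sha256": 180}
RETIRE_BELOW = 0.2  # stop blocking once the decayed score falls under this


@dataclass
class Indicator:
    kind: str
    value: str
    confidence: float    # 0..1, confidence at the moment it was last seen
    last_seen: datetime

    def score(self, now):
        """Exponential decay: confidence halves every HALF_LIFE_DAYS[kind] days."""
        age_days = max(0.0, (now - self.last_seen).total_seconds() / 86400)
        return self.confidence * 0.5 ** (age_days / HALF_LIFE_DAYS[self.kind])

    def sight(self, when, boost=0.1):
        """A fresh sighting resets the clock and nudges confidence up, capped at 1."""
        self.confidence = min(1.0, self.confidence + boost)
        self.last_seen = when


def build_feed(now):
    """Constructed feed entries: documentation-range addresses, a placeholder hash."""
    def days_ago(n):
        return now - timedelta(days=n)
    return [
        Indicator("ipv4", "198.51.100.20", 0.9, days_ago(21)),     # C2 address, quiet for three weeks
        Indicator("ipv4", "203.0.113.8", 0.9, days_ago(3)),        # C2 address seen this week
        Indicator("domain", "c2.example.net", 0.8, days_ago(45)),  # domain, six weeks quiet
        Indicator("sha256", "0123456789abcdef" * 4, 1.0, days_ago(365)),  # year-old sample hash
    ]


def partition(feed, now):
    """Split a feed into (active, retired) lists by decayed score."""
    active = [i for i in feed if i.score(now) >= RETIRE_BELOW]
    retired = [i for i in feed if i.score(now) < RETIRE_BELOW]
    return active, retired


if __name__ == "__main__":
    feed = build_feed(NOW)
    active, retired = partition(feed, NOW)
    for ind in feed:
        state = "active " if ind in active else "retired"
        print(f"{state} {ind.kind:7} {ind.value:66} score={ind.score(NOW):.3f}")
    # A new sighting brings the retired address straight back.
    retired[0].sight(NOW)
    print("after sighting:", retired[0].value, f"score={retired[0].score(NOW):.3f}")
```

With these numbers the three-week-old C2 address has decayed to 0.1125 and is retired, while the week-old address, the six-week-old domain and even the year-old hash remain above the threshold. MISP implements the same idea as decaying models on attributes; whatever tool you use, the half-lives should come from measuring how long your own sightings actually persist rather than from a table like the one above.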
Where IOCs come from, and how they travel
Indicators are gathered from incident investigations, malware analysis, honeypots, and vendor research, then shared so everyone can defend against a threat one organisation has already seen. Three names do most of the heavy lifting: STIX, a structured JSON format for describing threat intelligence, indicators included; TAXII, the HTTPS-based protocol for exchanging STIX content between servers and clients; and MISP, a widely used open-source sharing platform that stores indicators as attributes and can import and export STIX. On the receiving end, security teams feed these indicators into their monitoring systems (SIEM, EDR, DNS and proxy logs) and firewall block lists to flag or block any match.
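What a STIX 2.1 indicator looks like on the wire, and how a consumer turns it into something a SIEM or firewall can match, is easier to see in code. This added Python example (not from the original article, and not the reference STIX library) reads a constructed bundle, honours `valid_from`, `valid_until` and `revoked`, and flattens the subset of the STIX pattern language that maps onto simple indicators: bracketed observation expressions joined by OR, each holding equality comparisons joined by OR. Anything else (AND, NOT, temporal qualifiers) is reported as unsupported rather than silently flattened, because flattening an AND into separate indicators would over-match. The object ids (fixed-digit UUIDs), the addresses, the domains and the hash are placeholders, and the objects are trimmed to the fields the reader uses.

```python
import re
from datetime import datetime, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# STIX 2.1 object:property pairs this reader understands, mapped to a local kind.
KINDS = {
    ("ipv4-addr", "value"): "ipv4",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'sha-256'"): "sha256",
    ("file", "hashes.md5"): "md5",
}
COMPARISON = re.compile(r"^\s*([a-z0-9-]+):([a-z0-9_.'-]+)\s*=\s*'([^']*)'\s*$", re.I)


def parse_pattern(pattern):
    """Flatten a STIX pattern into (kind, value) atoms plus a list of unsupported parts."""
    atoms, unsupported = [], []
    groups = re.findall(r"\[([^\[\]]*)\]", pattern)
    leftover = re.sub(r"\[[^\[\]]*\]", "", pattern)
    if re.sub(r"\bOR\b|\s", "", leftover):  # anything but OR outside brackets is a qualifier
        unsupported.append(leftover.strip())
    for group in groups:
        if re.search(r"\b(AND|NOT)\b", group):  # would over-match if flattened
            unsupported.append(group.strip())
            continue
        for comp in re.split(r"\bOR\b", group):
            m = COMPARISON.match(comp)
            kind = m and KINDS.get((m.group(1).lower(), m.group(2).lower()))
            if not kind:
                unsupported.append(comp.strip())
                continue
            value = m.group(3)
            if kind == "domain":
                value = value.lower().rstrip(".")
            elif kind in ("sha256", "md5"):
                value = value.lower()  # hashes are compared case-insensitively
            atoms.append((kind, value))
    return atoms, unsupported


def _ts(s):
    """Parse a STIX timestamp (RFC 3339 with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def indicators_from_bundle(bundle, now=NOW):
    """Extract the currently valid, matchable atoms from a STIX 2.1 bundle."""
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked"):
            continue
        if "valid_from" in obj and _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue  # lapsed: exactly the stale indicator the text warns about
        atoms, _unsupported = parse_pattern(obj["pattern"])
        for kind, value in atoms:
            out.append({"kind": kind, "value": value, "source": obj["id"],
                        "valid_until": obj.get("valid_until")})
    return out


# Constructed bundle with placeholder ids, documentation-range address and example domains.
BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '198.51.100.20'] OR [domain-name:value = 'c2.example.net']",
         "valid_from": "2024-05-01T00:00:00Z", "valid_until": "2024-12-31T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % ("0123456789ABCDEF" * 4),
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '203.0.113.8']",
         "valid_from": "2024-04-01T00:00:00Z", "valid_until": "2024-05-20T00:00:00Z"},  # lapsed
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "revoked": True,
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[domain-name:value = 'old.example.org']",
         "valid_from": "2024-01-01T00:00:00Z"},
    ],
}

if __name__ == "__main__":
    for ind in indicators_from_bundle(BUNDLE):
        print(ind)
```

Run against the bundle, the reader yields three atoms (the address, the domain and the lower-cased hash) and drops the lapsed address and the revoked domain. In production you would use a maintained STIX library and a real pattern parser rather than regular expressions; the point here is which fields decide whether an indicator is still live, and which pattern shapes are safe to turn into a flat block list.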
Enrichment: turning an indicator into intelligence
On its own, a raw IOC is just a string. The IP 198.51.100.20 tells you nothing until you give it context — and that step is called enrichment. Enriching an indicator means answering the questions around it: who owns this address (its registration and network), where it's hosted, what its reputation looks like, what services it's exposing, and whether it has shown up in known activity before. Enrichment is the difference between "block 198.51.100.20" and "this is a hosting IP in a network with a poor history, currently exposing a service worth a closer look" — between a number and a decision you can actually defend.
What IOCs can't do
For all their usefulness, IOCs come with hard limits, and it's worth being honest about them. They're reactive: by definition, an indicator exists because someone was already compromised by it. They're short-lived, as we've seen. And they're noisy — shared hosting, CDNs, and abused-but-legitimate services produce false positives constantly. A match should be treated as a lead to investigate, not a confession. The strongest programmes pair indicator matching with behavioural detection and good basic hygiene, rather than hoping a feed will catch everything.
The takeaway
An IOC is a piece of observable evidence — a malicious IP, domain, or file hash — that something may be compromised. Learn the types, keep the Pyramid of Pain in mind (the easy indicators are the disposable ones), and treat any single match as a starting point rather than a verdict. The real work usually begins with enriching the indicator: you can look up and enrich an IP or domain with our IOC enrichment tool.
Enrich an indicator of compromise
Paste an IP or domain into our IOC tool to pull together the context around it — ownership and network, hosting and exposed services, and reputation signals — so a bare indicator becomes something you can act on.
Open the IOC Tool →