
IOC (Indicator of Compromise)

Definition

An Indicator of Compromise (IOC) is a digital artefact that indicates a possible or confirmed cyberattack. Examples: a suspicious IP address, the hash of a malware file, or anomalous network traffic.

IOCs are concrete and observable, and they form the basis of reactive threat detection: they let a defender recognise an attack that has already been seen and documented elsewhere. They are shared globally via threat intelligence platforms so that organisations can identify known threats more quickly.

How do IOCs work?

IOCs are concrete, observable traces left behind by a cyberattack or produced by ongoing malicious activity. When a new malware variant or campaign is analysed, its associated IOCs (the command-and-control addresses it contacts, the hashes of its files, the domains used in its phishing mails) are extracted and shared with the security community. Security tools such as SIEM, EDR and firewalls continuously compare telemetry (network connections, DNS queries, process and file events, e-mail metadata) against the known IOCs; a match raises an alert for the SOC team. IOCs are distributed via threat intelligence feeds, typically described in the standardised STIX format and exchanged over the TAXII protocol. Each indicator carries metadata such as a confidence score and a validity period, and a matching engine has to respect them: an indicator whose validity has expired or that has been revoked must no longer generate alerts.
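The matching loop described above, as an added example that is not part of the original page or of any vendor's product: a small Python matcher that reads trimmed STIX 2.1 indicator objects, normalises feed and log spellings (defanged `[.]`/`hxxp`, upper-case hashes, trailing FQDN dots), honours `valid_from`, `valid_until` and `revoked`, and scans constructed key=value log lines. The feed, the log lines, the hash and the field-to-type mapping are all constructed for the example; the IP addresses come from the documentation ranges. Only single-comparison STIX patterns are handled; compound patterns are skipped and would need a real STIX pattern engine.

```python
"""Minimal IOC matcher: load STIX 2.1 indicators, normalise the values,
honour their validity window and scan log lines for matches."""
import re
from datetime import datetime, timezone

# A STIX 2.1 indicator compares one observable property with one value, e.g.
# [ipv4-addr:value = '203.0.113.45']. This regex handles only that simple,
# single-comparison form; patterns with AND/OR need a real STIX pattern engine.
SIMPLE_PATTERN = re.compile(
    r"^\[(?P<otype>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'\]$"
)

# Which log field carries which STIX observable type (constructed mapping for
# the sample log format below; adapt to your own SIEM field names).
FIELD_TYPES = {
    "src": "ipv4-addr", "dst": "ipv4-addr",
    "qname": "domain-name",
    "sha256": "file", "md5": "file",
    "url": "url",
}

SAMPLE_SHA256 = "9b1d8e4a0c7f2b6d5e3a1f8c4b0d7e2a6c9f1b3d5e7a0c2f4b6d8e1a3c5f7b9d"  # made up
NOW = datetime(2024, 2, 10, 12, 0, tzinfo=timezone.utc)


def indicator(pattern, valid_from, confidence, valid_until=None, revoked=False):
    """Build a trimmed STIX indicator object (only the fields the matcher uses)."""
    obj = {"type": "indicator", "pattern_type": "stix", "pattern": pattern,
           "valid_from": valid_from, "confidence": confidence}
    if valid_until:
        obj["valid_until"] = valid_until
    if revoked:
        obj["revoked"] = True
    return obj


# Constructed feed: not real indicators; addresses are from documentation ranges.
STIX_BUNDLE = {"type": "bundle", "objects": [
    indicator("[ipv4-addr:value = '203.0.113.45']", "2024-01-01T00:00:00Z", 85),
    # defanged in the feed, as indicators copied from written reports often are
    indicator("[domain-name:value = 'update-check[.]example']",
              "2024-01-20T00:00:00Z", 70, valid_until="2024-03-01T00:00:00Z"),
    indicator(f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']", "2024-02-01T00:00:00Z", 95),
    # expired: must not alert any more
    indicator("[ipv4-addr:value = '198.51.100.7']", "2023-11-01T00:00:00Z", 60,
              valid_until="2024-01-15T00:00:00Z"),
    # compound pattern: skipped by this simple matcher
    indicator("[ipv4-addr:value = '192.0.2.9' OR domain-name:value = 'x.example']",
              "2024-01-01T00:00:00Z", 80),
]}

# Constructed log lines in a simple key=value format.
LOGS = [
    "2024-02-10T09:14:02Z fw conn src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2024-02-10T09:14:05Z dns query client=10.0.0.12 qname=update-check.example. type=A",
    "2024-02-10T09:15:11Z edr file_create host=WS-042 path=C:\\Users\\a\\Downloads\\inv.exe "
    f"sha256={SAMPLE_SHA256.upper()}",
    "2024-02-10T09:16:00Z fw conn src=10.0.0.13 dst=198.51.100.7 dport=80 action=allow",
    "2024-02-10T09:17:30Z fw conn src=10.0.0.14 dst=192.0.2.9 dport=443 action=allow",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(value):
    """Canonical form so that feed and log spellings compare equal:
    lower-case, refanged ([.] -> ., hxxp -> http), no trailing FQDN dot."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v)
    return v.rstrip(".")


def active_indicators(bundle, now):
    """Map (observable type, normalised value) -> indicator, for valid ones only."""
    active = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if m is None:
            continue
        if now < parse_ts(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= parse_ts(obj["valid_until"]):
            continue
        active[(m.group("otype"), normalise(m.group("value")))] = obj
    return active


def match_logs(bundle, logs, now):
    """Return one hit per log field whose value equals an active indicator."""
    active = active_indicators(bundle, now)
    hits = []
    for lineno, line in enumerate(logs):
        for field, raw in re.findall(r"(\w+)=(\S+)", line):
            otype = FIELD_TYPES.get(field)
            if otype is None:
                continue
            ind = active.get((otype, normalise(raw)))
            if ind is not None:
                hits.append({"line": lineno, "type": otype, "value": normalise(raw),
                             "confidence": ind["confidence"], "pattern": ind["pattern"]})
    return hits


def run_demo():
    return match_logs(STIX_BUNDLE, LOGS, NOW)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Only the first three log lines produce hits: the fourth contacts an address whose indicator expired in January, and the fifth matches a value that only appears inside a compound pattern this matcher does not evaluate. Both cases are worth checking in your own tooling, because a matcher that ignores validity windows keeps alerting on reassigned addresses, and one that silently drops unsupported patterns loses coverage without anyone noticing.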

Types of IOCs

Network IOCs include suspicious IP addresses, domain names and URLs associated with command-and-control servers or phishing campaigns. Host-based IOCs include file hashes (MD5, SHA-256), suspicious registry keys, unusual processes, or files in unexpected locations. Email IOCs involve sender addresses, subject lines and attachment hashes from known phishing campaigns. Behavioural indicators describe patterns such as unusual data transfers or login attempts at abnormal times. Not all IOC types are equally durable: a file hash identifies exactly one build of a file, so a single changed byte produces a new hash and defeats the indicator, whereas attacker infrastructure and, above all, behaviour are far more costly for the attacker to change.

IOC versus IOA

IOCs are reactive: they detect known threats based on previously identified traces. Indicators of Attack (IOAs) are proactive: they describe how an attack unfolds (an Office application spawning a command interpreter, a process reading LSASS memory, a newly created service running from a temporary directory) and therefore still fire when the attacker recompiles the malware, rotates domains or uses built-in system tools that have no IOC at all. A mature security operation combines both: IOCs for rapid detection of known threats and IOAs for discovering new, unknown attacks.
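The difference, as an added example that is not part of the original page: a hash IOC and two behavioural IOA rules run over the same constructed process-creation events (the fields are a subset of what Sysmon or an EDR records; the hashes, paths and command lines are made up). The second event is the same dropper recompiled, which changes its hash but not its behaviour, so only the IOA rule catches it; the third uses PowerShell, which has no hash IOC at all.

```python
"""IOC (hash) versus IOA (behaviour) on the same process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of the fields an EDR or Sysmon process-creation event carries."""
    event_id: int
    parent_image: str
    image: str
    command_line: str
    sha256: str


# IOC: hash of a dropper seen in an earlier incident (constructed value).
DROPPER_HASH_V1 = "4d2c0a1f9e8b7c6d5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b"
KNOWN_BAD_HASHES = {DROPPER_HASH_V1}

# IOA: the relationships and arguments that characterise the attack behaviour.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ioc_hash(ev):
    """Reactive: fires only for a file we have seen before."""
    return ev.sha256.lower() in KNOWN_BAD_HASHES


def ioa_office_child(ev):
    """Office application launching an interpreter or a binary from a user-writable directory."""
    if basename(ev.parent_image) not in OFFICE_APPS:
        return False
    child = basename(ev.image)
    path = ev.image.lower()
    return child in INTERPRETERS or any(d in path for d in USER_WRITABLE_DIRS)


def ioa_encoded_powershell(ev):
    """PowerShell started with an encoded command line."""
    return (basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and ENCODED_FLAG.search(ev.command_line) is not None)


RULES = {"ioc_hash": ioc_hash, "ioa_office_child": ioa_office_child,
         "ioa_encoded_powershell": ioa_encoded_powershell}


def detect(events):
    """Map event_id -> sorted names of the rules that fired."""
    return {ev.event_id: sorted(name for name, rule in RULES.items() if rule(ev))
            for ev in events}


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events (not captured from a real system).
EVENTS = [
    # 1: dropper already known to the feed: hash IOC and behaviour both fire
    ProcessEvent(1, WINWORD, r"C:\Users\a\AppData\Local\Temp\invoice.exe",
                 "invoice.exe", DROPPER_HASH_V1.upper()),
    # 2: same campaign, recompiled dropper: hash changed, behaviour did not
    ProcessEvent(2, WINWORD, r"C:\Users\a\AppData\Local\Temp\invoice.exe",
                 "invoice.exe",
                 "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    # 3: macro launching an encoded PowerShell stager; nothing here has a hash IOC
    ProcessEvent(3, WINWORD, POWERSHELL,
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 "de96a6e69944335f8bb6d3b3c5f2e6d6f5a9a4cc2b8bbf9a2b5b7e2b8e2a5c41"),
    # 4: administrator running a scheduled script: no rule fires
    ProcessEvent(4, r"C:\Windows\explorer.exe", POWERSHELL,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
                 "de96a6e69944335f8bb6d3b3c5f2e6d6f5a9a4cc2b8bbf9a2b5b7e2b8e2a5c41"),
]

if __name__ == "__main__":
    for event_id, fired in detect(EVENTS).items():
        print(event_id, fired or "-")
```

The behavioural rules are deliberately narrow (Office parent, user-writable path, encoded flag) so that the administrator's scheduled script in the fourth event stays quiet; IOA rules buy their robustness with tuning effort, which is why they complement rather than replace IOC matching.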

Impact on organisations

Without IOC-based detection, organisations miss known threats already identified by other organisations. Sharing IOCs via Information Sharing and Analysis Centers (ISACs) and threat intelligence platforms is a core component of collective cyber resilience. NIS2 encourages information sharing about cyber threats between organisations. National cybersecurity centres regularly publish IOCs related to current threat campaigns.

Protection

Implement automated IOC matching in SIEM, EDR and firewalls, and subscribe to threat intelligence feeds from trusted sources. Automate blocking via SOAR only for high-confidence IOCs, and only after checking each indicator against an allow-list of your own address ranges and of shared infrastructure (CDNs, public cloud and mail providers): a feed entry for a shared IP address or domain would otherwise cut off legitimate traffic. Keep IOC databases current and retire outdated indicators; IP addresses and domains are reassigned, so a stale indicator produces false positives rather than detections. Combine IOC detection with behavioural analysis for a complete detection picture.
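The triage step that should sit between an IOC match and an automated block, as an added example that is not part of the original page or of any SOAR product: confidence thresholds, an allow-list of networks and domains that must never be blocked automatically, and ageing of indicators that have not been seen for a while. The thresholds, the allow-list, the organisation's "own" public range and the feed entries are all constructed for the example (addresses from the documentation ranges, made-up domains and hash).

```python
"""Triage of IOC matches before automated response: confidence thresholds,
allow-list for infrastructure that must never be auto-blocked, and ageing."""
import ipaddress
from datetime import date, timedelta

BLOCK_THRESHOLD = 80   # auto-block only at or above this confidence
ALERT_THRESHOLD = 50   # below this, just enrich the log and move on
MAX_AGE_DAYS = 90      # indicators not seen for this long are retired

# Never block these automatically, whatever the feed says: internal networks,
# the organisation's own public range and shared infrastructure where one
# "bad" entry would also cut off legitimate traffic. Constructed list.
NEVER_BLOCK_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "203.0.113.128/25",   # assumed own public range
)]
NEVER_BLOCK_DOMAINS = {"microsoft.com", "windowsupdate.com", "cloudfront.net"}


def is_allowlisted(ioc_type, value):
    if ioc_type == "ipv4-addr":
        ip = ipaddress.ip_address(value)
        return any(ip in net for net in NEVER_BLOCK_NETWORKS)
    if ioc_type in ("domain-name", "url"):
        host = value.split("://", 1)[-1].split("/", 1)[0].lower()
        return any(host == d or host.endswith("." + d) for d in NEVER_BLOCK_DOMAINS)
    return False


def decide(ioc, today):
    """Return (action, reason) for one IOC: block, alert, log or retire."""
    age = (today - ioc["last_seen"]).days
    if age > MAX_AGE_DAYS:
        return "retire", f"not seen for {age} days; addresses and domains get reassigned"
    if is_allowlisted(ioc["type"], ioc["value"]):
        return "alert", "allow-listed infrastructure; never auto-block, review the feed entry"
    if ioc["confidence"] >= BLOCK_THRESHOLD:
        return "block", f"confidence {ioc['confidence']} >= {BLOCK_THRESHOLD}"
    if ioc["confidence"] >= ALERT_THRESHOLD:
        return "alert", f"confidence {ioc['confidence']} below auto-block threshold"
    return "log", "low confidence; enrich only"


def triage(iocs, today):
    """Map IOC value -> action for a batch of feed entries."""
    return {ioc["value"]: decide(ioc, today)[0] for ioc in iocs}


TODAY = date(2024, 2, 10)

# Constructed feed entries.
SAMPLE_IOCS = [
    {"type": "ipv4-addr", "value": "203.0.113.45", "confidence": 90,
     "last_seen": TODAY - timedelta(days=3)},
    {"type": "ipv4-addr", "value": "10.0.0.5", "confidence": 88,
     "last_seen": TODAY - timedelta(days=1)},      # internal: feed error or scanner noise
    {"type": "domain-name", "value": "cdn.cloudfront.net", "confidence": 95,
     "last_seen": TODAY - timedelta(days=2)},      # shared CDN: blocking it hurts everyone
    {"type": "domain-name", "value": "old-c2.example", "confidence": 85,
     "last_seen": TODAY - timedelta(days=200)},    # stale
    {"type": "url", "value": "http://login-portal.example/verify", "confidence": 65,
     "last_seen": TODAY - timedelta(days=10)},
    {"type": "file", "confidence": 30, "last_seen": TODAY,
     "value": "77a0b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f"},
]

if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        action, reason = decide(ioc, TODAY)
        print(f"{action:6} {ioc['value']}: {reason}")
```

Note that the allow-list check is done with explicit networks rather than `ipaddress`'s `is_private`, because that property also flags the documentation ranges used in the sample data and would have turned the one genuine block into an alert; the same kind of surprise is why the allow-list deserves its own review rather than being derived from library defaults.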

How DEFION helps

DEFION provides Managed Threat Intelligence where current IOCs are continuously integrated into the monitoring environment. The SOC team correlates IOC matches with broader threat context to reduce false positives and quickly escalate actual incidents.

Related terms

Threat Hunting
MDR (Managed Detection & Response)
CVE