Indicators of Compromise (IOCs): What They Are and How to Use Them

A complete guide to indicators of compromise (IOCs) — the major types, the IOC vs IOA distinction, the Pyramid of Pain, and how IOCs are shared via STIX/TAXII.

Share
Editorial science-poster illustration of indicator-of-compromise symbols — a hash string, an IP tag, a domain tag, a file icon, a registry key, a sealed envelope, and a magnifying lens.

Every attacker leaves traces. Some are subtle — a single suspicious DNS query, an unusual login at 3 a.m. — and some are loud. The fragments of evidence attackers leave behind, whether on disk, in memory, in logs, or on the wire, are called indicators of compromise. They are the most common form of operational threat intelligence and the lifeblood of automated detection.

Indicators of compromise are powerful, but they are not magic. They tell defenders that a specific known threat is present. They do not, on their own, reveal a previously unknown attack or a sophisticated adversary using new infrastructure. Understanding what IOCs are good for — and what they are not — is the difference between a useful detection program and a noisy one.

This guide explains what IOCs are, the major types, how they fit into a broader detection strategy alongside indicators of attack, how they are shared between organizations, and where their natural limits lie.

What Is an Indicator of Compromise?

An indicator of compromise (IOC) is a forensic artifact, observable in a system or on a network, that suggests a host or environment has been targeted or compromised. IOCs are the digital equivalent of fingerprints — concrete pieces of evidence linked to a specific attack, tool, or actor.

The point of an IOC is to be searchable. A defender who knows the IP address used by a particular ransomware operation can query their firewall logs for that IP, and if it appears, knows immediately that the operation has touched their environment. Multiply that across thousands of indicators and you have the foundation of automated threat detection.

Editorial lineup of the nine common indicator-of-compromise artifact types — IP, domain, URL, hash, file, registry, email, network, and mutex.
Common types of IOCs - IP · Domain · URL · Hash · File · Registry · Email · Network · Mutex

Common Types of IOCs

IOCs span every layer of the technology stack. The most common types include:

  • IP addresses — addresses associated with command-and-control servers, attacker infrastructure, or known malicious sources.
  • Domain names — domains used for phishing, malware delivery, or C2 communications.
  • URLs — full URLs to malicious pages, payloads, or callbacks.
  • File hashes — cryptographic hashes (MD5, SHA-1, SHA-256) of malicious files. Hashes are exact-match identifiers for known malware samples.
  • File names and paths — file names or directory paths characteristic of a particular tool or actor.
  • Registry keys — Windows registry locations used for persistence, configuration, or attacker artifacts.
  • Email artifacts — sender addresses, subject lines, attachment hashes, or distinctive phrases from phishing campaigns.
  • Network signatures — patterns in network traffic, such as a distinctive user agent or a specific protocol behavior, that identify malicious activity.
  • Mutex names — Windows mutex strings created by particular malware families to prevent multiple infections.

Atomic, Computed, and Behavioral IOCs

Beyond the type of artifact, IOCs can be categorized by how they are generated. The taxonomy commonly attributed to Mandiant divides them into three classes.

Atomic indicators are observable directly — an IP address, a domain, a file name. They cannot be broken down further.

Computed indicators are derived from data through some calculation — a file hash, a regular expression that matches a string, a YARA rule. They are still pointing at specific artifacts, just expressed at a higher level of abstraction.

Behavioral indicators describe combinations and sequences of activity — "a process creates a file in this location, then opens a network connection to a host that does not match the expected pattern." Behavioral indicators sit closest to indicators of attack and are the hardest for adversaries to evade.

IOCs vs IOAs

A common point of confusion is the difference between an indicator of compromise and an indicator of attack.

An indicator of compromise is a specific artifact left behind by a known threat — a hash, an IP, a domain. It identifies that threat. If the attacker changes infrastructure or recompiles their malware, the IOC stops matching.

An indicator of attack (IOA) describes the behavior of an attacker rather than the artifact they leave behind. "A Microsoft Office process spawning PowerShell, which then makes an outbound network connection," is an IOA. It catches the pattern regardless of which specific phishing document or which specific server is involved.

IOCs are reactive — they catch known threats. IOAs are more proactive — they catch unknown threats that fit a behavioral pattern. Mature defenses use both.

How IOCs Are Shared

IOCs are most valuable when many organizations apply them, because that is how detections built from one organization's incident protect everyone else from the same threat. Several standards exist to share IOCs at scale.

STIX (Structured Threat Information Expression) is the most widely used standard for describing threat intelligence in a structured, machine-readable format. STIX objects can represent indicators, actors, campaigns, malware, attack patterns, and the relationships between them.

TAXII (Trusted Automated Exchange of Intelligence Information) is the transport protocol used to share STIX content between organizations and intelligence platforms.

ISACs and ISAOs — Information Sharing and Analysis Centers and Organizations — are sector-specific communities where members share IOCs and other intelligence with each other and with government partners.

Commercial threat intelligence platforms aggregate, normalize, and distribute IOCs from many sources, often with enrichment and confidence scoring.

Government advisories from agencies such as CISA and the FBI include IOCs from specific campaigns and incidents, often before any commercial reporting becomes available.

The Pyramid of Pain

One of the most important conceptual tools for thinking about IOC value is David Bianco's Pyramid of Pain. The pyramid ranks indicators by how painful they are for an attacker to change.

Editorial stepped-pyramid diagram of the Pyramid of Pain, ranking indicators by how difficult they are for attackers to change.
Pyramid of Pain - Hash values · IP addresses · Domain names · Network artifacts · Host artifacts · Tools / TTPs

At the bottom — easiest to change — are hash values. An attacker can recompile a file and produce a new hash in seconds. IP addresses are slightly harder, but still trivial to rotate. Domain names are harder, but only marginally. Network artifacts and host artifacts are progressively harder. At the top of the pyramid are tools and TTPs, which require an attacker to fundamentally change how they operate to evade.

The lesson is that detections built on low-pyramid IOCs are cheap and fragile. Detections built on high-pyramid behavior are expensive but durable. A mature program builds across the pyramid, not just at the bottom.

Limitations of IOC-Based Detection

For all their utility, IOCs have well-known limits.

Indicators expire quickly. Attackers rotate infrastructure constantly. A list of malicious IPs that was current last month may be largely useless this month.

IOCs are reactive by nature. They describe known threats. A novel attack with new infrastructure produces no matches in an IOC-only detection system.

Volume matters. A defender ingesting hundreds of thousands of low-quality indicators will see false positives swamp the real signal. Curation and confidence scoring are essential.

Context is often missing. An IOC list without context — which actor, which campaign, what to do if it hits — is less useful than a smaller, contextualized one.

Conclusion

Indicators of compromise are foundational to threat detection, and they will remain so. The fastest way to catch known threats is still to apply known indicators across an organization's telemetry. But IOCs alone are not a complete strategy. They need to be paired with behavioral detection, threat hunting, and high-quality intelligence to catch the threats that have not been seen before.

The organizations that get the most out of IOCs do three things consistently: they curate the indicators they ingest rather than firehosing every feed available, they pair indicator-based detection with behavior-based detection, and they treat indicators as ammunition for a broader hunting practice rather than the practice itself.


Frequently Asked Questions (FAQ)

What is an indicator of compromise (IOC)?

An indicator of compromise is a forensic artifact — such as an IP address, file hash, domain name, or registry key — that suggests a system or environment has been targeted or compromised by a known threat.

What is the difference between an IOC and an IOA?

An IOC identifies a specific artifact left behind by a known threat. An IOA (indicator of attack) describes attacker behavior rather than artifacts, so it can detect threats even when the specific infrastructure has changed.

What are the most common types of IOCs?

IP addresses, domain names, URLs, file hashes, file names, registry keys, email artifacts, network signatures, and mutex names are among the most common.

What are STIX and TAXII?

STIX is a structured language for describing threat intelligence, including IOCs. TAXII is the transport protocol used to exchange STIX content between organizations and platforms.

Why do IOCs expire?

Attackers rotate infrastructure constantly. The IP addresses, domains, and file hashes used in this month's campaigns are routinely replaced by next month, which is why low-pyramid IOCs have a short shelf life.

What is the Pyramid of Pain?

The Pyramid of Pain ranks indicators by how difficult they are for an attacker to change — from trivial (hashes, IPs) at the bottom to fundamental (tools, TTPs) at the top. Detections built higher on the pyramid are more durable.