An Indicator of Compromise (IOC) is an observable artefact — an IP address, a file hash, a domain, a URL — that suggests a system has been touched by an attacker.
If threat intelligence is the story, IOCs are the breadcrumbs. They're the most concrete, machine-readable layer of CTI: load them into a SIEM, push them to a firewall, drop them into a threat hunt, and you can detect or block known-bad activity automatically.
The common types
- Network — IPv4 / IPv6 addresses, domains, URLs.
- File — MD5, SHA-1, SHA-256 hashes of known-malicious binaries.
- Email — sender addresses, subject lines, attachment hashes.
- Host — registry keys, file paths, mutex names left behind by malware.
- Crypto — wallet addresses tied to ransomware payments.
Why "indicator" and not "proof"
An IOC is evidence that something happened, not proof of compromise. A known-malicious IP appearing in your logs could be:
- An attacker actively engaging your network.
- A scan from an opportunistic botnet.
- A false positive on a recycled address.
- Your own SOC running a controlled test.
So IOCs are leads. They tell an analyst where to look. Confirming compromise still needs investigation.
Confidence matters more than count
A feed of a million IOCs at low confidence is worse than a feed of a thousand at high confidence — the low-confidence feed buries the SOC in alerts. Modern CTI platforms validate IOCs (regex shape checks, allowlists for benign domains, known-good hashes filtered out) and attach a confidence score before publishing.
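The type list above and the validation step described here can be shown together in one small pipeline. The example below is added for illustration and is not ThreatCluster's own code: it shape-checks each raw feed line with regexes and the standard `ipaddress` module, drops indicators that can only produce noise (internal addresses, known-good hashes, allowlisted domains), downgrades rather than drops URLs and sender addresses that merely sit on a benign domain, and attaches a confidence score so a downstream export can filter on it. The allowlist, known-good hash set, the two-label registrable-domain approximation, the confidence numbers and the sample feed are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist of benign registrable domains. Assumption: a real platform
# loads a much larger list (popular sites plus the organisation's own domains).
BENIGN_DOMAINS = {"microsoft.com", "google.com", "example.com"}

# Constructed known-good hash set. Assumption: a real platform uses a hash set such
# as NSRL. The one entry here is the MD5 of an empty file, which is never a useful IOC.
KNOWN_GOOD_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}

# Address space that cannot be a useful network IOC coming from an external feed.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


@dataclass
class IOC:
    value: str
    ioc_type: str
    confidence: int  # 0-100, higher means more trustworthy
    note: str


def classify(value: str):
    """Shape check: return the IOC type a string looks like, or None for junk."""
    v = value.strip()
    for name, rx in HASH_RE.items():
        if rx.match(v):
            return name
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if EMAIL_RE.match(v):
        return "email"
    if URL_RE.match(v):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def registrable_domain(host: str) -> str:
    # Assumption: last-two-labels approximation. Production code should use the
    # Public Suffix List so that hosts under e.g. "co.uk" are handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def validate(value: str, source_confidence: int = 70):
    """Validate one raw indicator. Returns an IOC carrying a confidence score,
    or None when the string is junk or matches an allowlist."""
    ioc_type = classify(value)
    if ioc_type is None:
        return None
    v = value.strip()
    conf, note = source_confidence, "passed shape check"

    if ioc_type in HASH_RE:
        v = v.lower()
        if v in KNOWN_GOOD_HASHES:
            return None
    elif ioc_type == "ip":
        ip = ipaddress.ip_address(v)
        if ip.is_multicast or any(ip in net for net in NON_ROUTABLE):
            return None
    else:
        if ioc_type == "url":
            host = urlparse(v).hostname or ""
        elif ioc_type == "email":
            host = EMAIL_RE.match(v).group(1)
        else:
            host = v
        if registrable_domain(host) in BENIGN_DOMAINS:
            if ioc_type == "domain":
                return None  # a benign domain on its own only generates alerts
            # A path on shared hosting or a spoofed sender at a benign domain may
            # still be malicious, so keep it but lower the score.
            conf -= 30
            note = "hosted on allowlisted domain"
    return IOC(v, ioc_type, conf, note)


def ingest(raw_feed, source_confidence: int = 70, min_confidence: int = 30):
    """Reduce a raw feed to validated IOCs at or above min_confidence, the same
    filter a confidence-aware SIEM export applies before handing data downstream."""
    out = []
    for line in raw_feed:
        ioc = validate(line, source_confidence)
        if ioc is not None and ioc.confidence >= min_confidence:
            out.append(ioc)
    return out


# Constructed sample feed: documentation-range addresses and reserved names stand
# in for attacker infrastructure; none of these are real indicators.
RAW_FEED = [
    "198.51.100.23",                          # RFC 5737 range, stands in for a C2 address
    "10.0.0.5",                               # internal address, useless as an external IOC
    "login.microsoft.com",                    # benign, would only cause false positives
    "updates.evil-cdn.example",               # constructed C2-looking domain
    "https://drive.google.com/uc?id=abc123",  # benign host, path may still serve malware
    "d41d8cd98f00b204e9800998ecf8427e",       # MD5 of the empty file, known-good
    "DEADBEEF" * 8,                           # constructed SHA-256-shaped hash
    "not an indicator",                       # junk line
]

if __name__ == "__main__":
    for ioc in ingest(RAW_FEED):
        print(f"{ioc.ioc_type:7} conf={ioc.confidence:3} {ioc.value} ({ioc.note})")
```

Run as a script it prints four surviving indicators out of eight lines; raising `min_confidence` to 50 also drops the allowlisted-host URL, which is exactly the trade-off the paragraph describes: a tighter threshold costs a little recall and buys a SOC far fewer alerts.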
What ThreatCluster does: every IOC extracted from a cluster is type-validated and confidence-scored. Public feeds, MISP, STIX 2.1 bundles, and SIEM-ready exports are all filterable by confidence so downstream tools only get the signal you trust.
IOCs vs TTPs — the pyramid of pain
David Bianco's Pyramid of Pain ranks indicator types by how painful they are for an attacker to change. Hash values are the easiest to swap (recompile the binary). IP addresses are slightly harder. TTPs — the actor's actual tradecraft — are the hardest. CTI teams aim higher up the pyramid when they can, because indicators at that level give longer-lived detections.
Read about MITRE ATT&CK for the TTP layer.