What is an IOC?
An Indicator of Compromise (IOC) is an observable artifact, such as a file hash, IP address, domain name, URL, registry key, or email address, that with high confidence indicates a system or network has been compromised or targeted by a known threat.
How IOC Works
IOCs are forensic breadcrumbs left by malicious activity. They are primarily reactive: extracted from a known-bad sample or post-incident investigation, then used to search for the same artifact across other systems. Common IOC types include cryptographic file hashes (MD5, SHA-256) of malware, IP addresses of C2 servers, domain names used for phishing or C2, mutexes created by malware, and specific registry keys used for persistence.
IOCs are shared through threat intelligence platforms (MISP, OpenCTI), commercial feeds, and government programs (US-CERT, ISACs). SIEM platforms ingest IOC feeds and automatically match them against incoming log data.
The limitation: IOCs are brittle. Attackers recompile malware to change hashes, rotate IP addresses, and register new domains daily. IOC-based detection is a cat-and-mouse game. This is why security teams increasingly complement IOC matching with behavioral detection using TTPs, which attackers cannot trivially change.
IOC in SOC Operations
IOC matching is one of the most common alert types in your queue. You receive alerts when a system communicates with a known-bad IP or downloads a file with a known-malicious hash. Investigation involves confirming the match, assessing whether the connection succeeded or was blocked, identifying what process initiated the connection, and determining whether lateral movement or data access occurred after the initial indicator triggered.
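The matching and triage steps described above, as an added Python example that is not part of the original page or of SOCSimulator's own tooling. It loads a small constructed IOC feed written in the defanged style common to intelligence sharing (hxxp, [.]), normalizes it, scans constructed key=value log lines from a firewall, proxy, DNS resolver and EDR sensor, and answers the first triage questions for each hit: was the connection blocked or allowed, and which process initiated it. The log format, the feed values (hashes, TEST-NET addresses, .example domains) and the mapping from log fields to IOC types are all assumptions of this example. It also shows the brittleness the page describes: a recompiled sample with a different hash produces no hit.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IOC feed in CSV form. Values are defanged the way shared feeds
# often are and are made up for this example (TEST-NET-3 range, .example TLD).
IOC_FEED = """
# type,value,description
sha256,6e9f1a0c2b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f,dropper (constructed)
ip,203[.]0[.]113[.]45,C2 server (constructed)
domain,login-update[.]example,phishing landing page (constructed)
url,hxxps://cdn-files[.]example/payload.bin,payload host (constructed)
"""

def refang(value: str) -> str:
    """Undo common defanging and lowercase, so feed values compare to raw log fields."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", v)

def parse_feed(text: str) -> dict:
    """Return {ioc_type: {normalized_value: description}}."""
    feed: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, value, desc = line.split(",", 2)
        feed.setdefault(ioc_type, {})[refang(value)] = desc
    return feed

# Constructed log lines in an assumed key=value format; 'source' names the
# console that produced the event. The last EDR line is the same dropper
# recompiled (different hash) and is expected to be missed by hash matching.
LOG_LINES = r"""
2024-05-01T10:00:01Z source=fw action=allow src_ip=10.0.0.12 dst_ip=203.0.113.45 dst_port=443
2024-05-01T10:00:03Z source=proxy action=block src_ip=10.0.0.12 url=https://cdn-files.example/payload.bin
2024-05-01T10:00:05Z source=edr host=ws-012 parent=outlook.exe process=C:\Temp\update.exe sha256=6E9F1A0C2B3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F
2024-05-01T10:00:07Z source=fw action=allow src_ip=10.0.0.99 dst_ip=198.51.100.7 dst_port=80
2024-05-01T10:00:09Z source=edr host=ws-044 parent=outlook.exe process=C:\Temp\update.exe sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
2024-05-01T10:00:11Z source=dns src_ip=10.0.0.12 query=login-update.example
""".strip().splitlines()

def parse_log(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict (assumed log format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["timestamp"] = ts
    return fields

@dataclass
class Hit:
    timestamp: str
    source: str
    ioc_type: str
    value: str
    description: str
    action: str   # allow / block / n/a when the event carries no enforcement decision
    process: str  # initiating process when the sensor reports one

def match_event(ev: dict, feed: dict) -> list:
    """Return IOC hits for one parsed event. The field-to-IOC-type mapping is assumed."""
    checks = [("ip", ev.get("dst_ip")), ("sha256", ev.get("sha256")),
              ("url", ev.get("url")), ("domain", ev.get("query"))]
    if ev.get("url"):  # a URL hit may also be a domain hit
        checks.append(("domain", urlparse(ev["url"]).hostname))
    hits = []
    for ioc_type, raw in checks:
        if raw is None:
            continue
        value = refang(raw)
        desc = feed.get(ioc_type, {}).get(value)
        if desc:
            hits.append(Hit(ev["timestamp"], ev["source"], ioc_type, value, desc,
                            ev.get("action", "n/a"), ev.get("process", "n/a")))
    return hits

def scan(lines: list, feed: dict) -> list:
    """Run every log line against the feed; this is what a SIEM IOC rule does in bulk."""
    hits = []
    for line in lines:
        hits.extend(match_event(parse_log(line), feed))
    return hits

def triage(hit: Hit) -> str:
    """First-pass disposition: blocked or allowed, and what to check next."""
    if hit.action == "block":
        return "blocked by control; confirm no other path to the indicator succeeded"
    if hit.ioc_type == "sha256":
        return f"known-malicious file run by {hit.process}; check for follow-on activity on the host"
    if hit.action == "allow":
        return "connection succeeded; identify initiating process and look for lateral movement"
    return "indicator observed; verify whether a connection followed"

if __name__ == "__main__":
    feed = parse_feed(IOC_FEED)
    for h in scan(LOG_LINES, feed):
        print(f"{h.timestamp} [{h.source}] {h.ioc_type}={h.value} ({h.description}) -> {triage(h)}")
```

Running it yields four hits (the allowed C2 connection, the blocked payload download, the dropper execution with its parent and process context, and the phishing-domain lookup) and nothing for the recompiled sample, which is exactly the gap that behavioral TTP detection is meant to close.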
Practice IOC in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating IOC scenarios with zero consequences, free forever.
Related Terms
An Indicator of Attack (IOA) is a behavioral signal that identifies adversary intent and technique i...
Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns, methods, and operationa...
Threat intelligence is analyzed, contextualized information about current and emerging cyber threats...
Alert triage is the structured process of reviewing, prioritizing, and investigating security alerts...
Security Information and Event Management (SIEM) is a platform that aggregates, normalizes, and corr...