ExpressVPN Glossary

Indicators of compromise (IOCs)

What are indicators of compromise (IOCs)?

Indicators of compromise (IOCs) are digital evidence left by attackers that indicate malicious activity within a system, network, or account. In cybersecurity, IOCs are used to identify known signs of intrusion and support detection and incident response.

Organizations share IOCs via threat intelligence feeds that distribute structured data to security tools. A single IOC usually suggests a possible compromise rather than confirming a breach, so it should be evaluated alongside other evidence.

How do IOCs work?

[Infographic: the IOC lifecycle in incident response, from telemetry collection and IOC extraction to detection and response.]

IOCs are collected from logs, endpoints, network monitoring tools, and cloud platforms. Security teams or automated systems analyze incidents and generate indicators that can be shared and monitored.

Security tools compare activity against known IOCs using signature matching, correlation rules, or threat intelligence platforms. Matches may trigger alerts, block traffic, isolate devices, or start investigations. Attackers frequently change infrastructure, so IOCs must be updated regularly.

IOCs are most effective when combined with other signals, such as user activity and system behavior, to confirm whether a threat is real.
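As an added example of the matching and correlation described above (not part of the original glossary entry): a short Python script that compares constructed key=value telemetry from a firewall, a DNS resolver and an endpoint agent against a small constructed indicator set, then correlates hits per host. A single match is reported as "suspicious"; matches on two or more indicator types for the same host are escalated, reflecting the point that one IOC on its own suggests rather than confirms a compromise. The indicator values, log format and field names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed indicator set (hypothetical values, not taken from any real feed).
# Maps indicator type -> {value: threat label}.
IOC_SET = {
    "ip": {"203.0.113.45": "loader C2"},
    "domain": {"update-check.example.net": "phishing kit"},
    "sha256": {"0123456789abcdef" * 4: "dropper"},
}

# Which telemetry field is compared against which indicator type.
FIELD_TO_TYPE = {"dst_ip": "ip", "qname": "domain", "sha256": "sha256"}

# Constructed telemetry: key=value lines from a firewall, a DNS resolver and an
# endpoint agent. Each line names the host it concerns so hits can be correlated.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z source=fw host=ws-07 dst_ip=203.0.113.45 dst_port=443",
    "ts=2024-05-01T10:00:02Z source=dns host=ws-07 qname=update-check.example.net",
    "ts=2024-05-01T10:00:05Z source=edr host=ws-07 sha256=" + "0123456789ABCDEF" * 4,
    "ts=2024-05-01T10:01:00Z source=dns host=ws-12 qname=update-check.example.net",
    "ts=2024-05-01T10:02:00Z source=fw host=ws-30 dst_ip=198.51.100.9 dst_port=443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn a key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def match_line(fields, ioc_set=IOC_SET):
    """Return (type, value, label) for each indicator the line matches."""
    hits = []
    for field, ioc_type in FIELD_TO_TYPE.items():
        value = fields.get(field)
        if value is None:
            continue
        value = value.lower()  # hashes and domains are compared case-insensitively
        label = ioc_set.get(ioc_type, {}).get(value)
        if label is not None:
            hits.append((ioc_type, value, label))
    return hits


def triage(lines, ioc_set=IOC_SET, confirm_threshold=2):
    """Correlate hits per host. One hit is 'suspicious'; hits on at least
    confirm_threshold distinct indicator types escalate to 'likely compromised'."""
    per_host = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        host = fields.get("host", "unknown")
        for ioc_type, value, label in match_line(fields, ioc_set):
            per_host[host].append(
                {"ts": fields.get("ts"), "source": fields.get("source"),
                 "type": ioc_type, "value": value, "label": label}
            )
    verdicts = {}
    for host, hits in per_host.items():
        kinds = {h["type"] for h in hits}
        verdict = "likely compromised" if len(kinds) >= confirm_threshold else "suspicious"
        verdicts[host] = {"verdict": verdict, "hits": hits}
    return verdicts


if __name__ == "__main__":
    for host, result in triage(SAMPLE_LOGS).items():
        print(host, result["verdict"])
        for hit in result["hits"]:
            print("   ", hit["ts"], hit["source"], hit["type"], hit["value"], "->", hit["label"])
```

The per-host correlation is the part worth copying: ws-07 hits a network, a DNS and a file indicator from the same campaign and is escalated, while ws-12 resolves the phishing domain once and stays at "suspicious" pending other evidence.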

Types of IOCs

IOCs appear across different parts of an IT environment, including:

  • Network IOCs: Malicious IP addresses, domains, URLs, unusual traffic patterns, or unexpected outbound connections.
  • Host IOCs: Suspicious file hashes, unauthorized files, modified registry keys, or unexpected system processes.
  • Email IOCs: Malicious sender addresses, unusual headers, deceptive subject lines, or known phishing patterns.
  • Behavioral IOCs: Abnormal login attempts, privilege escalation, lateral movement, or unusual account activity. These are sometimes categorized as indicators of attack (IOAs) rather than traditional IOCs.
  • Cloud IOCs: API misuse, unexpected configuration changes, or access attempts from unusual locations.

Why are IOCs important?

IOCs can help organizations detect security threats more quickly by matching activity against threat data.

Security tools such as endpoint detection and response (EDR), security information and event management (SIEM), and firewalls use IOCs to detect and flag suspicious activity and may automatically block connections or isolate devices.

IOCs primarily support detection and response rather than prevention. They are also used in threat hunting to identify hidden threats, assess exposure, and track recurring activity across systems.

IOCs vs. indicators of attack (IOAs)

IOCs point to evidence that an intrusion has already occurred. IOAs focus on behaviors that suggest an attack is in progress, even if no known threat indicator exists.

IOCs                                                       | IOAs
Show signs that malicious activity has already occurred    | Show signs that an attack may be in progress
Based on known threat data                                 | Based on behavioral patterns
Often rely on matching known IPs, domains, or file hashes  | Focus on actions such as unusual privilege escalation or lateral movement
Help investigate and confirm incidents                     | Help detect new or unknown attacks earlier

Risks and privacy concerns of IOCs

IOCs can introduce operational and privacy risks if they’re outdated or poorly managed. These can include:

  • Stale indicators: Outdated IOCs may block legitimate activity, miss new threats, or lead to increased false positives.
  • Exposure through sharing: Sharing IOCs between organizations may unintentionally reveal details about affected systems or victims.
  • Telemetry collection: Monitoring systems that gather indicators may collect user data, raising privacy and data retention concerns.
  • Poisoned feeds: Attackers can attempt to insert false indicators into threat intelligence feeds, particularly in open or automated ingestion systems, thereby reducing trust and effectiveness.

FAQ

What’s the difference between an IOC and a TTP?

An indicator of compromise (IOC) identifies signs of malicious activity, such as a known malicious domain or file hash. Tactics, techniques, and procedures (TTPs) describe how an attacker operates, including the methods used to gain access, move within a network, or exfiltrate data. IOCs show evidence of activity, while TTPs describe the behavior of attackers.

How do organizations share and validate IOCs?

Organizations share indicators of compromise (IOCs) through threat intelligence platforms, industry groups, and security vendors. Before using shared indicators, teams often validate them by reviewing context, checking reputation data, and correlating them with internal logs to reduce false positives.
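As an added example of the validation step described in this answer, and of the stale-indicator and poisoned-feed risks listed under "Risks and privacy concerns of IOCs" (example code, not the glossary's or any vendor's): a Python ingestion filter that reads a constructed CSV feed and drops rows that are malformed, fall in internal address space, sit on an allowlist, have passed their expiry date, or come from an untrusted source with low confidence, then keeps the highest-confidence entry when several feeds report the same indicator. The feed layout, source names, allowlist, thresholds and internal ranges are all assumptions.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime

# Constructed feed in a minimal CSV layout (hypothetical; not any vendor's format).
RAW_FEED = """type,value,confidence,valid_until,source
ip,203.0.113.45,85,2030-01-01T00:00:00Z,partner-isac
ip,203.0.113.45,80,2030-01-01T00:00:00Z,open-feed
ip,10.0.0.1,90,2030-01-01T00:00:00Z,open-feed
domain,update-check.example.net,70,2030-01-01T00:00:00Z,vendor
domain,cdn.example.com,95,2030-01-01T00:00:00Z,open-feed
domain,old-c2.example.org,80,2020-01-01T00:00:00Z,vendor
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,50,2030-01-01T00:00:00Z,open-feed
sha256,not-a-hash,99,2030-01-01T00:00:00Z,open-feed
"""

# Constructed policy. A poisoned or sloppy feed often carries internal addresses
# or widely used benign domains; matching on those would block legitimate traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWLIST = {"domain": {"cdn.example.com"}}
TRUSTED_SOURCES = {"partner-isac", "vendor"}  # accepted on their own
MIN_UNTRUSTED_CONFIDENCE = 75                  # other sources need this score or better

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def well_formed(ioc_type, value):
    """Syntactic check per indicator type; internal IP space counts as malformed."""
    if ioc_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not any(addr in net for net in INTERNAL_NETS)
    if ioc_type == "domain":
        return bool(DOMAIN_RE.match(value))
    if ioc_type == "sha256":
        return bool(SHA256_RE.match(value))
    return False


def validate_feed(raw_csv, now):
    """Return (accepted, rejected): accepted maps (type, value) to the best entry,
    rejected lists (type, value, reason) for every dropped row."""
    accepted, rejected = {}, []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        ioc_type = row["type"].strip().lower()
        value = row["value"].strip().lower()
        confidence = int(row["confidence"])
        valid_until = datetime.fromisoformat(row["valid_until"].replace("Z", "+00:00"))
        source = row["source"].strip()
        if not well_formed(ioc_type, value):
            rejected.append((ioc_type, value, "malformed or internal"))
        elif value in ALLOWLIST.get(ioc_type, set()):
            rejected.append((ioc_type, value, "allowlisted"))
        elif valid_until <= now:
            rejected.append((ioc_type, value, "expired"))
        elif source not in TRUSTED_SOURCES and confidence < MIN_UNTRUSTED_CONFIDENCE:
            rejected.append((ioc_type, value, "low confidence from untrusted source"))
        else:
            key = (ioc_type, value)
            # Same indicator from several feeds: keep the highest-confidence entry.
            if key not in accepted or confidence > accepted[key]["confidence"]:
                accepted[key] = {"confidence": confidence,
                                 "valid_until": valid_until, "source": source}
    return accepted, rejected


def ingest_sample(now_iso="2024-05-01T00:00:00Z"):
    """Run the constructed feed through validation at a fixed 'now'."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return validate_feed(RAW_FEED, now)


if __name__ == "__main__":
    accepted, rejected = ingest_sample()
    for key, entry in accepted.items():
        print("ACCEPT", key, entry["source"], entry["confidence"])
    for item in rejected:
        print("REJECT", item)
```

Expiry is checked against an explicit "now" rather than the wall clock so the same feed can be re-evaluated later; in production the accepted set would be re-validated on every refresh so that indicators age out instead of lingering in detection rules.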

Can a VPN stop threats identified by IOCs?

A virtual private network (VPN) encrypts traffic and masks IP addresses, but it doesn’t replace threat detection systems. Security monitoring tools use indicators of compromise (IOCs) to identify malicious activity. A VPN can add privacy and protect data in transit, but it doesn’t block threats in the same way as endpoint or network security controls. It also doesn’t perform threat detection or IOC matching.