Indicator of compromise

(also IoC)

Indicator of compromise definition

An indicator of compromise (IoC) is a piece of forensic data, such as a system log entry or a file hash, that identifies potentially malicious activity on a system or network. IoCs serve as evidence that a cybersecurity breach may have occurred or is actively taking place. They are used in incident response, forensics, and malware defense to understand the threat landscape better and enhance an organization's defenses.

See also: email spoofing, zero day, angler phishing, advanced persistent threat, network intrusion protection system

Indicator of compromise examples

  • File hash: A unique identifier of a file that has been flagged as malicious.
  • Suspicious IP addresses: Connections to or from a known malicious IP address may indicate a compromised system.
  • Anomalous login activity: Multiple failed login attempts or logins at odd hours could be indicators of compromise.
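
The three indicator types listed above, checked against constructed sample data. This is an added example, not part of the original page; the hash set, IP range, threshold, working hours, log format and function names are all assumptions made for illustration.

```python
import hashlib
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed indicator feed (assumed values, not real threat intelligence).
BAD_HASHES = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
FAILED_LOGIN_THRESHOLD = 3   # assumed: failures per user before flagging
WORK_HOURS = range(7, 20)    # assumed: 07:00-19:59 counts as normal

# Constructed evidence: file contents, (src, dst) connections, auth log lines.
FILES = {"invoice.exe": b"constructed-malicious-sample", "notes.txt": b"hello"}
CONNECTIONS = [("10.0.0.5", "203.0.113.77"), ("10.0.0.6", "198.51.100.10")]
AUTH_LOG = [
    "2024-05-01T02:14:09 FAIL alice 10.0.0.9",
    "2024-05-01T02:14:11 FAIL alice 10.0.0.9",
    "2024-05-01T02:14:15 FAIL alice 10.0.0.9",
    "2024-05-01T03:30:00 OK bob 10.0.0.7",
    "2024-05-01T09:00:00 OK carol 10.0.0.8",
    "2024-05-01T09:05:00 FAIL carol 10.0.0.8",
]

def match_hashes(files):
    """File hash IoC: names of files whose SHA-256 is in the feed."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() in BAD_HASHES)

def match_ips(connections):
    """IP IoC: connections where either endpoint is in a listed network."""
    def listed(addr):
        return any(ipaddress.ip_address(addr) in net for net in BAD_NETS)
    return [conn for conn in connections if any(listed(a) for a in conn)]

def login_anomalies(lines):
    """Login IoC: users with repeated failures, and off-hours successes."""
    failures, off_hours = Counter(), set()
    for line in lines:
        timestamp, result, user, _source = line.split()
        if result == "FAIL":
            failures[user] += 1
        elif datetime.fromisoformat(timestamp).hour not in WORK_HOURS:
            off_hours.add(user)
    repeated = {u for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return sorted(repeated), sorted(off_hours)

if __name__ == "__main__":
    print("hash hits:", match_hashes(FILES))
    print("ip hits:", match_ips(CONNECTIONS))
    print("login anomalies:", login_anomalies(AUTH_LOG))
```

Each hit is a lead to investigate rather than proof of a breach: the off-hours login for `bob` in the sample data could be legitimate.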

Pros and cons of indicator of compromise


Pros

  • Detection: IoCs are an integral part of an early warning system for potential threats.
  • Prevention: They aid in preventing further breaches by informing security measures and responses.

Cons

  • False positives: Not all IoCs indicate an actual compromise, leading to false positives.
  • Limited scope: IoCs can only provide information about known threats and may not be effective against novel attack methods.