loading
Loading content
loading
Also known as IOC
An indicator of compromise (IOC) is a concrete artifact that suggests a system has been attacked or breached. Typical IOCs include a file hash for known malware, a malicious domain or IP address, a registry key a backdoor creates, or a URL that delivers a payload. Each one is something a defender can search for across logs and endpoints to ask a direct question: has this appeared in my environment?
IOCs power detection and hunting. A feed of threat intelligence supplies indicators tied to active campaigns, and defenders match them against firewall logs, DNS records, and endpoint telemetry to find footholds the attacker left behind. When a hash or domain matches, it points the team straight to the affected host.
The limitation is shelf life. Atomic indicators change easily: an attacker rotates a domain, recompiles a binary to shift its hash, or moves to new infrastructure overnight. That is why analysts pair IOCs with tactics, techniques, and procedures, which describe how a threat actor operates and hold up far better over time.
In a Trickest workflow, you ingest IOC feeds, enrich them against sources like passive DNS to expand related infrastructure, then match the enriched set against your own assets and alert on hits.
Related terms