An indicator of compromise (IOC) is a technical artifact or data point that suggests a system or network may be breached or maliciously affected.
An indicator of compromise (IOC) is a technical artifact, pattern, or data point that suggests a system, device, or network may have been breached, misused, or otherwise affected by malicious activity. In industrial and regulated environments, IOCs are used by OT and IT security teams to detect, investigate, and respond to potential cyber incidents affecting production systems, corporate networks, and connected equipment.
IOCs commonly refer to observable items such as:
In cyber threat intelligence, IOCs are typically considered a form of technical or tactical intelligence, because they can be directly consumed by tools such as firewalls, IDS/IPS, SIEMs, endpoint protection, and OT monitoring platforms.
The term usually does not refer to:
In industrial and regulated environments, IOCs are often:
Indicator of compromise vs. indicator of attack (IOA): An indicator of compromise usually reflects evidence that a compromise may have already occurred (for example a known malware hash found on a system). An indicator of attack focuses more on behaviors and sequences of actions that suggest an attack is in progress, even before a clear compromise artifact exists. Many operational security programs use both IOCs and IOAs together.
Within cyber threat intelligence, IOCs are one of the main outputs of tactical and technical CTI. They translate higher-level knowledge about adversaries and campaigns into concrete, machine-readable items that OT and IT teams can deploy in sensors, gateways, and monitoring tools across industrial environments.