An Indicator of Compromise (IOC) is normally found in the context of a threat feed, as a shared item that might lead to the discovery of an exploit or malware. An IOC is the result of research by third parties or investigators who observe and document the rogue behavior of attackers and malware. IOCs typically produce a high rate of false positives (alarms that are not real). Related terms include IOA (q.v.) and "Tactics, Techniques and Practices" (TTP).
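The definition above is abstract, so here is an added example (not part of the original entry) of what consuming an IOC feed looks like in practice: a small matcher runs feed indicators over log lines and then triages the hits, treating an IP or domain match on its own as low confidence, since shared infrastructure is the usual source of the false positives the entry mentions. The feed values, the log lines and the fidelity heuristic are all constructed for illustration and are not real indicators or any vendor's scoring rule.

```python
import re
from dataclasses import dataclass

# Constructed IOC feed for illustration; none of these values are real indicators.
IOC_FEED = {
    "ip":     {"203.0.113.42"},                  # TEST-NET-3 address, constructed
    "domain": {"update-check.example.net"},      # constructed
    "sha256": {"a" * 64},                        # constructed placeholder hash
}

# Assumption: indicator types that are inherently noisy (shared hosting, CDNs,
# sinkholes). A hit of one of these types, on its own, is treated as low confidence.
LOW_FIDELITY_TYPES = {"ip", "domain"}

# Constructed log lines in a simple "host=<name> <event>" format.
LOGS = [
    "host=ws-07 dns query=update-check.example.net",
    "host=ws-07 process sha256=" + "a" * 64 + " path=/tmp/svc.exe",
    "host=ws-12 net connect dst=203.0.113.42:443",
    "host=ws-12 dns query=cdn.example.com",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"host=(\S+)")


@dataclass
class Match:
    host: str
    ioc_type: str
    value: str
    line: str


def extract_candidates(line):
    """Pull every IP, domain-shaped token and SHA-256 out of a lowercased line."""
    found = []
    for ioc_type, rx in (("ip", IP_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE)):
        for value in rx.findall(line.lower()):
            found.append((ioc_type, value))
    return found


def match_iocs(feed, lines):
    """Return one Match per (line, indicator) pair where the candidate is in the feed."""
    matches = []
    for line in lines:
        host_m = HOST_RE.search(line)
        host = host_m.group(1) if host_m else "unknown"
        for ioc_type, value in extract_candidates(line):
            if value in feed.get(ioc_type, set()):
                matches.append(Match(host, ioc_type, value, line))
    return matches


def triage(matches):
    """Per host: 'high' if a high-fidelity indicator hit or two distinct indicators
    corroborate each other, otherwise 'low' (a likely false positive to verify)."""
    by_host = {}
    for m in matches:
        by_host.setdefault(m.host, []).append(m)
    verdicts = {}
    for host, ms in by_host.items():
        types = {m.ioc_type for m in ms}
        distinct = {(m.ioc_type, m.value) for m in ms}
        if types - LOW_FIDELITY_TYPES or len(distinct) >= 2:
            verdicts[host] = "high"
        else:
            verdicts[host] = "low"
    return verdicts


if __name__ == "__main__":
    hits = match_iocs(IOC_FEED, LOGS)
    for h in hits:
        print(f"{h.host}: {h.ioc_type}={h.value}")
    print(triage(hits))
```

Run as a script, the matcher reports three hits: a domain and a hash on ws-07, which together earn a high-confidence verdict, and a lone IP on ws-12, which is flagged low because a single address match is exactly the kind of alarm that often turns out not to be real.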

Controversy: IOCs are seen as less interesting to the industry than TTPs, which are the equivalent of an IOC with respect to specific attackers and attacker groups.

Indicator of Compromise