An Indicator of Attack (IOA) is differentiated from an IOC (q.v.) by quality and a lower incidence of false positives. It can be thought of as a higher quality indicator of a true attack. ASERT differentiates IOAs from IOCs on the basis of quality and insight. IOCs are mere indicators of malicious software, while IOAs from the Arbor perspective are high fidelity and help identify malice and intent in the form of Campaigns (i.e. directed, persistent efforts by a proven Attackers).

Controversy: IOA as a term was coined recently by Counterstrike (a Threat Intelligence provider) and as such is not as well-known as IO, may change definition readily and may lead to some confusion among vendors who try to co-opt the term (as Arbor has done).

Incident of Attack