Indicators of attack are behavioral signs that suggest malicious activity or attacker techniques are being used, even when a clear compromise artifact is not yet known.
Often shortened to IOAs, they focus on what appears to be happening now rather than only on the artifacts that may remain afterward.
IOAs matter because defenders do not always have a neat artifact to match against. Suspicious behavior patterns, unusual privilege changes, odd process relationships, or unexpected access flows may provide earlier warning than traditional compromise indicators alone.
They also matter because behavior-focused detection can remain useful even when malicious artifacts change. Defenders often gain stronger resilience when they can recognize suspicious patterns rather than only known static evidence.
IOAs appear in EDR detections, SOC analytics, behavioral monitoring, threat hunting, and incident investigations. Teams use them to recognize suspicious sequences such as unusual credential use, abnormal process chains, or unexpected administration patterns even before a compromise is fully confirmed.
Security teams compare IOAs with Indicators of Compromise because both support response, but they answer slightly different questions: behavior in progress versus compromise evidence already observed.
An analyst sees an unusual sequence in which a standard user account authenticates from a new location, rapidly queries sensitive systems, and then performs uncommon administrative actions. Even if the team has not yet tied the activity to a known malicious artifact, those patterns can act as indicators of attack.
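The sequence described above, written as simple correlation logic over a constructed log (added example, not part of the original page; the log lines, the per-user baseline of previously seen source addresses, the sensitive-host list and the ten-minute window are all assumptions):

```python
from datetime import datetime, timedelta

# Constructed sample log (not from any real system); one event per line:
# "<timestamp> <user> <kind> <key=value>", kind is login, query or admin.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice login src=203.0.113.9
2024-05-01T09:01:10 alice query host=hr-db
2024-05-01T09:01:30 alice query host=finance-db
2024-05-01T09:02:00 alice admin action=add-group-member
2024-05-01T09:30:00 bob login src=10.1.4.21
2024-05-01T09:35:00 bob query host=hr-db
2024-05-01T09:36:00 bob admin action=reset-password
2024-05-01T10:00:00 carol login src=198.51.100.7
2024-05-01T10:04:00 carol query host=wiki
"""
# Assumed baselines: source addresses seen before per user, and hosts deemed sensitive.
KNOWN_SRC = {"alice": {"10.1.4.20"}, "bob": {"10.1.4.21"}, "carol": {"10.1.4.22"}}
SENSITIVE_HOSTS = {"hr-db", "finance-db"}

def parse(log):
    """Yield (timestamp, user, kind, value) tuples; value is the part after '='."""
    for line in log.splitlines():
        ts, user, kind, kv = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, kind, kv.partition("=")[2]

def find_ioa_sequences(events, known_src=KNOWN_SRC, sensitive=SENSITIVE_HOSTS,
                       window=timedelta(minutes=10)):
    """Flag users whose login from an unseen source is followed, within `window`,
    by at least two queries against sensitive hosts and then an admin action.
    A hit is a behavioural signal to validate, not proof of compromise."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort()  # tuples sort by timestamp first
        for i, (t0, _, kind, src) in enumerate(evs):
            if kind != "login" or src in known_src.get(user, set()):
                continue
            queries = 0
            for t1, _, kind1, value in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if kind1 == "query" and value in sensitive:
                    queries += 1
                elif kind1 == "admin" and queries >= 2:
                    hits.append((user, src, t1.isoformat()))
                    break
    return hits
```

Only alice is flagged: bob logs in from a known address, and carol's new-location login is not followed by sensitive queries or administrative actions, which is the kind of distinction the validation step in a real SOC would then confirm or refute.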
IOAs are not always definitive proof of malicious intent. Behavior-based signals require validation because legitimate maintenance or unusual but authorized operations can sometimes look suspicious.
They are also different from IOCs. IOCs usually emphasize evidence that a compromise may already exist, while IOAs emphasize suspicious actions or techniques being carried out.