Indicators of Compromise

Indicators of compromise are observable signs that suggest a system or account may already have been compromised.

Indicators of compromise, often shortened to IOCs, are the concrete artifacts that make such a compromise visible: file hashes, domains, IP addresses, registry keys, process names, or authentication records tied to known malicious activity. In plain language, they are the clues defenders use to recognize that a system, account, or environment may already have been affected.

Why It Matters

IOCs matter because defenders need ways to identify and scope incidents. Suspicious domains, unusual file artifacts, unexpected processes, or abnormal authentication records can help analysts determine whether the organization is dealing with a real compromise rather than a false alarm.

They also matter because incident response depends on evidence. Observable indicators help teams search for affected systems, understand impact, and decide which containment or remediation actions are necessary.

Where It Appears in Real Systems or Security Workflow

IOCs appear in threat intelligence, detection engineering, SOC investigations, endpoint analysis, and incident scoping. Teams use them in SIEM, EDR platforms, network investigations, and hunt workflows to locate related activity across the environment.

Security teams often compare IOCs with Indicators of Attack. IOCs usually emphasize evidence that compromise may already exist, while IOAs often emphasize attacker behavior or techniques in progress.

Practical Example

An analyst investigating suspicious activity finds repeated connections from several endpoints to the same unusual external host, along with a matching file artifact on those systems. Those observable signs can serve as indicators of compromise and help the team identify which devices to investigate and contain.

Common Misunderstandings and Close Contrasts

IOCs are not proof that every system with one matching indicator is fully compromised. They are investigative signals that need context and validation.

They are also different from Indicators of Attack, which focus more on the behavior or technique being used rather than only on artifacts left behind or observed after the fact.
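As an added example that is not code from the original page, the Python triage script below mirrors both the scenario in the Practical Example (several endpoints contacting the same unusual host, plus a matching file artifact) and the caveat that a single indicator match is a signal to validate rather than proof of compromise. It matches constructed proxy and EDR records against a placeholder IOC list, then escalates a host only when independent indicator types corroborate each other. The hostnames, the `.invalid` domain, the placeholder hash value, and the key=value log format are all constructed assumptions, not real threat intelligence.

```python
# Added example (not from the original page): scope a suspected compromise by
# matching constructed log records against a small IOC list and requiring
# corroboration before a host is escalated. All IOC values, hostnames and the
# log format are constructed placeholders.
from collections import defaultdict

# Constructed IOC list keyed by the log field it applies to.
IOCS = {
    "dst": {"update-cdn.example.invalid"},      # network indicator (placeholder)
    "sha256": {"PLACEHOLDER_SHA256_DROPPER"},    # file artifact (placeholder)
}

# Constructed proxy and EDR records in a simple 'key=value' format.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z src=proxy host=ws-01 dst=update-cdn.example.invalid action=allow
ts=2024-05-01T10:00:05Z src=proxy host=ws-02 dst=update-cdn.example.invalid action=allow
ts=2024-05-01T10:00:09Z src=proxy host=ws-01 dst=update-cdn.example.invalid action=allow
ts=2024-05-01T10:01:00Z src=proxy host=ws-03 dst=intranet.example.invalid action=allow
ts=2024-05-01T10:02:00Z src=edr host=ws-01 event=file_write sha256=PLACEHOLDER_SHA256_DROPPER
ts=2024-05-01T10:02:30Z src=edr host=ws-04 event=file_write sha256=PLACEHOLDER_SHA256_DROPPER
ts=2024-05-01T10:03:00Z src=proxy host=ws-02 dst=update-cdn.example.invalid action=allow
"""


def parse_kv(line):
    """Parse one 'key=value key=value' record into a dict (values contain no spaces here)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_iocs(log_text, iocs=IOCS):
    """Return {host: {indicator_type: {value: count}}} for every record whose
    field value appears in the IOC list. Hosts with no hit are not included."""
    hits = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        rec = parse_kv(line)
        host = rec.get("host")
        if not host:
            continue
        for field_name, values in iocs.items():
            if rec.get(field_name) in values:
                hits[host][field_name][rec[field_name]] += 1
    return hits


def scope_hosts(hits):
    """Assign a per-host verdict based on how much the evidence corroborates.

    'contain'     : independent indicator types agree (connections to the IOC
                    host AND the IOC file artifact on disk)
    'investigate' : one indicator type seen repeatedly (e.g. repeated connections)
    'validate'    : a single isolated match; needs context before any action
    """
    verdicts = {}
    for host, by_type in hits.items():
        distinct_types = len(by_type)
        total_matches = sum(sum(counts.values()) for counts in by_type.values())
        if distinct_types >= 2:
            verdicts[host] = "contain"
        elif total_matches >= 2:
            verdicts[host] = "investigate"
        else:
            verdicts[host] = "validate"
    return verdicts


def triage(log_text=SAMPLE_LOGS, iocs=IOCS):
    """Match and scope in one call; returns {host: verdict}."""
    return scope_hosts(match_iocs(log_text, iocs))


if __name__ == "__main__":
    for host, verdict in sorted(triage().items()):
        print(f"{host}: {verdict}")
```

Running the script yields `ws-01: contain` (beaconing plus the file artifact), `ws-02: investigate` (repeated connections only), and `ws-04: validate` (one file hash match with nothing else), while `ws-03` never appears because it matched nothing. The thresholds are deliberately simple; in a real SIEM or EDR hunt the same corroboration idea would be expressed as a correlation rule joining network and endpoint telemetry on the host field.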