An indicator is a data point that helps identify, track, or validate a suspected security event. Common examples include file hashes, domain names, IP addresses, filenames, email addresses, registry keys, or ransom-note text. In cyber security, these clues are used to connect separate observations to the same activity, even when the full attack chain is not yet known.
Indicators matter because they support both detection and verification. Defenders can search logs, endpoint telemetry, DNS records, and threat feeds for matching values to find related systems or confirm exposure. Attackers also publish or reuse indicators, such as a victim domain or a hash-like identifier, to make a claim look credible or to signal control over a target. An indicator by itself is not proof of compromise; it is evidence that must be checked against forensic data.
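The search described above, sketched as an added example (not taken from any particular tool): it normalizes observed values, matches them against an indicator set, and returns per-host leads that still need checking against forensic data. All function names, the log format, and the indicator and log values are constructed for illustration, using reserved documentation ranges.

```python
import ipaddress
import re

# Constructed indicator set (reserved documentation values, not real IoCs).
INDICATORS = {
    "domain": {"bad.example"},
    "ip": {"203.0.113.7"},
    "sha256": {"a" * 64},
}

# Constructed log lines in an assumed "<host> <event> <value>" format.
SAMPLE_LOGS = [
    "ws-01 dns_query cdn.bad.example",
    "ws-02 dns_query notbad.example",   # look-alike, must not match
    "ws-03 net_conn 203.0.113.7",
    "ws-03 file_hash " + "A" * 64,      # same hash, different case
    "ws-04 dns_query bad[.]example",    # defanged notation
    "ws-05 net_conn 203.0.113.70",      # prefix of the string only, must not match
]

def refang(value):  # undo common defanging so feed and log values compare equal
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def classify(value):
    v = refang(value)
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256", v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z0-9-]+", v):
        return "domain", v
    return None  # unrecognized value type

def matches(kind, value, indicators):
    if kind == "domain":
        # Match the domain or its subdomains on label boundaries, not substrings.
        return any(value == d or value.endswith("." + d) for d in indicators[kind])
    return value in indicators[kind]

def find_leads(lines, indicators):
    leads = {}
    for line in lines:
        host, event, value = line.split(maxsplit=2)
        hit = classify(value)
        if hit and matches(hit[0], hit[1], indicators):
            leads.setdefault(host, []).append((event, hit[0], hit[1]))
    return leads
```

A host with two independent indicator types (here `ws-03`) is a stronger lead than a single match, but each entry is still only a pointer to where forensic verification should start.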



