Indicators of compromise, often called IOCs, are technical clues that suggest a system, account, or network may have been attacked. Common examples include malicious IP addresses, domain names, file hashes, registry changes, suspicious process names, and unusual login artifacts. Security teams use IOCs to detect known threats by matching them against logs, endpoint alerts, DNS activity, email gateways, and network traffic.
IOCs matter because they turn fragments of an attack into actionable detection data. A single hash may identify a malware sample; a domain may reveal command-and-control infrastructure; repeated activity from one IP may point to scanning or exfiltration. On the defensive side, IOCs feed threat intelligence platforms, SIEM rules, EDR detections, and blocklists. On the offensive side, adversaries often rotate infrastructure or modify malware so that old indicators no longer match, which is why IOCs are useful but rarely sufficient on their own. They work best when combined with behavior-based detection, context, and rapid sharing across trusted defenders.
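As an added illustration (not part of the original text), the following Python sketch shows the matching step described above: a small feed of constructed indicators is normalised (feeds often deliver them defanged and in mixed case) and then matched against constructed DNS, proxy and EDR log lines. All values, hostnames and log formats are made up for the example.

```python
import re

# Constructed sample indicators (not real IoCs). Feeds often deliver them
# "defanged" (hxxp, [.]) and in mixed case, so matching needs normalisation.
SAMPLE_HASH = "0123456789abcdef" * 4  # constructed placeholder, not a real sample
IOC_FEED = [
    ("ip", "203.0.113.45"),
    ("domain", "update-check[.]example"),
    ("sha256", SAMPLE_HASH.upper()),
]

# Constructed log lines from three sources: DNS, web proxy, EDR file events.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.12 query=update-check.example type=A",
    "2024-05-01T10:00:03Z proxy src=10.0.0.12 dst=203.0.113.45:443 action=allow",
    f"2024-05-01T10:00:09Z edr host=ws-17 file=C:\\Temp\\svc.exe sha256={SAMPLE_HASH}",
    "2024-05-01T10:01:15Z dns client=10.0.0.12 query=update-check2.example type=A",
    "2024-05-01T10:02:00Z proxy src=10.0.0.30 dst=198.51.100.7:443 action=allow",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
EXTRACTORS = {"ip": IP_RE, "domain": DOMAIN_RE, "sha256": SHA256_RE}

def refang(value: str) -> str:
    """Undo common defanging and lower-case so feed values compare to raw log text."""
    return value.strip().lower().replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")

def build_index(feed):
    """Group normalised indicators by type so each lookup is a set membership test."""
    index = {kind: set() for kind in EXTRACTORS}
    for kind, value in feed:
        index[kind].add(refang(value))
    return index

def match_line(line, index):
    """Return every (type, value) indicator from the feed that appears in one log line."""
    hits = []
    for kind, pattern in EXTRACTORS.items():
        for candidate in pattern.findall(line):
            if candidate.lower() in index[kind]:
                hits.append((kind, candidate.lower()))
    return hits

def scan(lines, index):
    """Scan a log stream; returns (line number, hit) pairs in log order."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(line, index)]
```

The fourth log line shows the caveat from the text: the adversary has rotated to update-check2.example, which is not in the feed, so the pure indicator match is silent and only a behavioural rule (for example, repeated lookups of similar newly seen domains from one client) would notice it.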