Indicator of Compromise
A piece of forensic evidence — such as a suspicious IP address, file hash, or domain — that suggests a system has been breached or is under attack.
Also known as: IoC, compromise indicator, threat indicator
Last reviewed: 1 June 2026
An indicator of compromise (IoC) is an artefact observed in a network or on a device that, with high confidence, indicates malicious activity has occurred or is in progress. Common IoCs include unusual outbound network connections to known malicious IP addresses, file hashes matching known malware samples, suspicious domain names appearing in DNS logs, unexpected registry key modifications, and anomalous user-account behaviour such as login attempts from unfamiliar countries.
Security teams use IoCs as the basis for threat hunting, incident response, and automated detection rules. When a new malware campaign is discovered, researchers extract its IoCs and share them through threat intelligence feeds so that defenders elsewhere can update their filters before being hit.
For scam victims and fraud investigators, IoC thinking also applies at a higher level: a sudden unexpected password-reset email, an unfamiliar device appearing in account login history, or a new email-forwarding rule that no one created are all indicators that an account may have been compromised.
Examples
- An IT analyst notices DNS queries to an unfamiliar domain that appears in a threat intelligence feed as a known command-and-control server — this is an indicator of compromise suggesting active malware.
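The entry describes IoCs being matched against DNS logs, outbound connections and file hashes, and the example above has an analyst spotting a DNS query to a feed-listed command-and-control domain. The following added example (not part of the original glossary entry, and not any vendor's tool) shows what that automated matching looks like in practice. The feed entries, host names, timestamps and log lines are all constructed for illustration; the feed uses a TEST-NET-2 address and the SHA-256 of an empty file as stand-in values, and the log format `<timestamp> <host> <kind> <value>` is an assumption of this example, not a standard. Two details matter for a practitioner: feeds are usually "defanged" (`hxxp`, `[.]`) so indicators cannot be clicked by accident and must be normalised before matching, and domain indicators should match subdomains, since a beacon to `beacon.evil-c2.example` is still a hit on `evil-c2.example`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed IoC feed (not real threat intelligence): the indicator types the
# entry lists, namely IP addresses, domains and file hashes. Values are defanged
# the way shared feeds often are; normalise() undoes that before matching.
CONSTRUCTED_FEED = [
    "198.51.100.23",                            # TEST-NET-2 address standing in for a C2 IP
    "evil-c2[.]example",                        # defanged domain
    "hxxp://update.badcdn[.]example/payload",   # defanged URL; only the host is used
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",  # SHA-256 of an empty file, stand-in for a malware hash
]

HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})")  # MD5 / SHA-1 / SHA-256


def normalise(raw: str) -> str:
    """Undo common defanging, lower-case, and reduce a URL to its host."""
    s = raw.strip().lower()
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if "://" in s:
        s = s.split("://", 1)[1].split("/", 1)[0]
    return s


@dataclass(frozen=True)
class IocSet:
    ips: frozenset
    domains: frozenset
    hashes: frozenset


def load_feed(entries: Iterable[str]) -> IocSet:
    """Classify each feed entry as hash, IP or domain after normalisation."""
    ips, domains, hashes = set(), set(), set()
    for entry in entries:
        value = normalise(entry)
        if HASH_RE.fullmatch(value):
            hashes.add(value)
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
            continue
        except ValueError:
            pass  # not an IP address, treat as a domain
        domains.add(value)
    return IocSet(frozenset(ips), frozenset(domains), frozenset(hashes))


def domain_matches(query: str, feed_domains) -> Optional[str]:
    """Return the listed domain that the query equals or is a subdomain of."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed_domains:
            return candidate
    return None


# Assumed log format for this example: "<timestamp> <host> <kind> <value>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn|file) (?P<value>\S+)$")


def scan_logs(lines: Iterable[str], iocs: IocSet) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, kind, matched indicator) for every line that hits the feed."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        ts, host, kind, value = m.group("ts", "host", "kind", "value")
        if kind == "dns":
            matched = domain_matches(value, iocs.domains)
        elif kind == "conn":
            matched = value if value in iocs.ips else None
        else:  # file: hashes are compared case-insensitively
            matched = value.lower() if value.lower() in iocs.hashes else None
        if matched:
            hits.append((ts, host, kind, matched))
    return hits


# Constructed sample log lines, including one that does not parse.
CONSTRUCTED_LOGS = [
    "2026-06-01T10:00:01Z ws-17 dns www.example.org",
    "2026-06-01T10:00:05Z ws-17 dns beacon.evil-c2.example",
    "2026-06-01T10:00:06Z ws-17 conn 198.51.100.23",
    "2026-06-01T10:02:00Z ws-42 file e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2026-06-01T10:03:00Z ws-42 dns update.badcdn.example",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_logs(CONSTRUCTED_LOGS, load_feed(CONSTRUCTED_FEED)):
        print(hit)
```

Run as-is, the script reports four hits: the subdomain DNS query, the outbound connection to the listed IP, the file-hash match on `ws-42`, and the DNS query to the host extracted from the defanged URL. Note that a hit is an indicator, not a verdict: the analyst in the example above still has to confirm the activity is malicious, which is why each hit carries the host and timestamp needed to pivot into the rest of the logs.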