Glossary

What Is an Indicator of Compromise (IOC)?

An Indicator of Compromise (IOC) is a forensic artifact — an IP address, domain, file hash, URL, registry key, or network signature — whose presence on a system or in network traffic suggests the system has been targeted, infected, or breached. IOCs are how defenders translate threat intelligence into things they can actually search for.

Common Types of IOC

  • Network IOCs — malicious IPs, domains, URLs, JA3/JA4 TLS client fingerprints, TLS certificate hashes.
  • File IOCs — MD5/SHA1/SHA256 hashes, filenames, file paths.
  • Host IOCs — registry keys, scheduled tasks, mutex names, suspicious processes.
  • Behavioral IOCs — sequences of system calls, command-line patterns, beaconing intervals.

Sharing IOCs

Threat-intelligence vendors and CERTs publish IOCs continuously. Common formats include:

  • STIX — structured representation of indicators, threat actors, campaigns, and TTPs.
  • TAXII — protocol for exchanging STIX feeds between organizations.
  • MISP — open-source platform (and JSON event format) for sharing IOCs and adversary attributes.
  • Plain text / CSV / OpenIOC (Mandiant's XML schema) — older formats, still widely used.
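The definition above says IOCs are threat intelligence turned into something searchable, and the STIX entry names the format it usually arrives in. The following is an added example, not code from the original page or from Whisper: it reads a constructed STIX 2.1 bundle, lifts the atomic indicators out of simple `[object:path = 'value']` patterns into a lookup table, and sweeps constructed JSON log lines with it. The mapping from STIX object paths to log field names is an assumption for this example, the UUIDs, IP (RFC 5737 range), domain (`.example`) and hash are all made up, and compound patterns (`AND`, `FOLLOWEDBY`) are deliberately skipped rather than evaluated.

```python
"""Turn a STIX 2.1 indicator bundle into a searchable IOC table and sweep logs with it.

Added example, not code from the original page or from Whisper. The bundle, the
UUIDs and the log lines are constructed; only single-comparison STIX patterns of
the form [object:path = 'value'] are parsed, not the full STIX patterning language.
"""
import hashlib
import json
import re

# Constructed "dropper" hash so the example contains no real malware IOC.
SAMPLE_SHA256 = hashlib.sha256(b"constructed-sample-binary").hexdigest()


def _indicator(uuid, name, pattern):
    """Minimal STIX 2.1 indicator object carrying the required fields."""
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid}",
            "created": "2024-01-02T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
            "name": name, "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "valid_from": "2024-01-02T00:00:00Z",
            "pattern": pattern}


# Constructed bundle: RFC 5737 documentation IP, reserved .example domain, made-up UUIDs.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6d0e1e0c-2f3a-4a8b-9c1d-7e5f3a2b1c0d",
    "objects": [
        _indicator("1f5c9a2e-8b3d-4e7a-a1c2-3d4e5f6a7b8c", "Dropper binary",
                   f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"),
        _indicator("9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d", "C2 domain",
                   "[domain-name:value = 'c2.bad.example']"),
        _indicator("0e1d2c3b-4a59-4687-95a4-b3c2d1e0f9a8", "C2 server",
                   "[ipv4-addr:value = '203.0.113.7']"),
        # Compound pattern: skipped by this simple parser; a real engine evaluates it.
        _indicator("5f4e3d2c-1b0a-4998-8776-655443322110", "Staged download",
                   "[url:value = 'http://c2.bad.example/a'] AND [network-traffic:dst_port = 8443]"),
    ],
})

# Assumed mapping from STIX object paths to the log field each value is checked against.
PATH_TO_FIELD = {
    "file:hashes.'SHA-256'": "sha256",
    "domain-name:value": "domain",
    "ipv4-addr:value": "dst_ip",
    "url:value": "url",
}

# One comparison, wrapped in a single observation expression: [path = 'value']
SIMPLE_PATTERN = re.compile(r"^\[\s*([\w\-]+:[\w\.'\-]+)\s*=\s*'([^']*)'\s*\]$")


def norm(field, value):
    """Hashes and hostnames compare case-insensitively; URL paths keep their case."""
    return value.lower() if field in ("sha256", "domain", "dst_ip") else value


def load_indicators(bundle_json):
    """Return {(log_field, value): indicator_name} for every simple-comparison indicator."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue  # compound or unsupported pattern: out of scope here
        field = PATH_TO_FIELD.get(m.group(1))
        if field is None:
            continue  # object type we have no log field for
        iocs[(field, norm(field, m.group(2)))] = obj.get("name", obj["id"])
    return iocs


def sweep(log_lines, iocs):
    """Match JSON log records against the table; return (line_no, indicator, field, value) hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for field, value in json.loads(line).items():
            if isinstance(value, str) and (field, norm(field, value)) in iocs:
                hits.append((n, iocs[(field, norm(field, value))], field, value))
    return hits


# Constructed log lines; the third carries the hash in upper case to exercise normalisation.
LOG_LINES = [
    '{"ts": "2024-03-01T10:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.20", "domain": "updates.example"}',
    '{"ts": "2024-03-01T10:00:07Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "domain": "C2.BAD.EXAMPLE"}',
    '{"ts": "2024-03-01T10:00:09Z", "host": "ws-17", "file": "update.exe", "sha256": "%s"}' % SAMPLE_SHA256.upper(),
]

if __name__ == "__main__":
    table = load_indicators(STIX_BUNDLE)
    for line_no, name, field, value in sweep(LOG_LINES, table):
        print(f"line {line_no}: {field}={value} matches '{name}'")
```

Two design points worth carrying into a real sweep: normalise both sides of the comparison (here hashes and hostnames are lower-cased, URLs are not), and record which indicators the parser could not handle rather than silently dropping them, since the compound patterns are often the ones that encode the most context.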

Why IOCs Get Stale Fast

Atomic IOCs occupy the bottom tiers of David Bianco's Pyramid of Pain: hash values, then IP addresses, then domain names. Hashes change every build; domains rotate; IPs can be swapped in minutes. Defenders who block only IOCs are always reacting. Higher tiers of the pyramid (network and host artifacts, tools, and above all TTPs, including infrastructure patterns and registration behavior) are costlier for attackers to change and produce longer-lived detections.

IOCs vs. Indicators of Attack (IOAs)

IOCs describe what a compromise looked like after the fact. IOAs describe an attack pattern in motion — the behavior, regardless of which exact IP or hash is involved. Mature security programs run both.
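The two sections above make the same argument from two sides: an IP watchlist goes stale the moment the implant rotates infrastructure, while the behavior (a fixed sleep interval with small jitter, the "beaconing interval" listed under behavioral IOCs) survives the rotation. This added example, not code from the original page or from Whisper, runs both detections over constructed connection records: an exact-match sweep against yesterday's IP watchlist, and a behavioral check that flags any source/destination pair whose inter-arrival times are near-constant. Timestamps, addresses (RFC 1918 sources, RFC 5737 destinations), the minimum event count and the jitter threshold are all assumptions for illustration, not tuned values.

```python
"""Stale atomic IOC versus behavioral beacon detection over connection logs.

Added example, not part of the original page. Records are constructed: epoch-second
timestamps, RFC 1918 source addresses, RFC 5737 documentation-range destinations.
"""
import statistics
from collections import defaultdict


def series(src, dst, start, intervals):
    """Build constructed connection records for one src->dst pair from its inter-arrival gaps."""
    ts, out = start, [{"ts": start, "src": src, "dst": dst}]
    for gap in intervals:
        ts += gap
        out.append({"ts": ts, "src": src, "dst": dst})
    return out


START = 1_709_287_200  # constructed base timestamp (epoch seconds)
RECORDS = (
    # Interactive browsing: bursty, irregular gaps.
    series("10.0.0.5", "198.51.100.20", START, [1, 1, 120, 2, 1, 300, 3])
    # Implant check-in roughly every 60 s with a little jitter. The C2 moved to this
    # address today, so no watchlist names it yet.
    + series("10.0.0.5", "203.0.113.44", START + 7, [60, 58, 61, 62, 59, 60, 61, 58])
    # Three evenly spaced events: too few to call periodic, so not flagged.
    + series("10.0.0.9", "198.51.100.33", START + 3, [30, 30])
)

# Yesterday's feed: the implant's previous address, already abandoned.
STALE_WATCHLIST = {"203.0.113.7"}


def watchlist_hits(records, watchlist):
    """Atomic IOC matching: fires only on exactly the listed destinations."""
    return [r for r in records if r["dst"] in watchlist]


def find_beacons(records, min_events=6, max_cv=0.15):
    """Flag src->dst pairs whose inter-arrival times are near-constant.

    cv (coefficient of variation) = population stdev / mean of the gaps. A low cv
    means a fixed sleep with only small jitter, the shape most implant check-ins have.
    min_events and max_cv are assumptions for this example, not tuned thresholds.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # not enough samples to say anything about periodicity
        stamps.sort()  # logs rarely arrive in order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "events": len(stamps),
                            "mean_interval": mean, "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    print("watchlist hits:", watchlist_hits(RECORDS, STALE_WATCHLIST))
    for b in find_beacons(RECORDS):
        print(f"beacon {b['src']} -> {b['dst']}: {b['events']} events, "
              f"~{b['mean_interval']:.0f}s apart (cv={b['cv']})")
```

On this input the watchlist sweep returns nothing, while the beacon check flags `10.0.0.5 -> 203.0.113.44` at roughly 60 seconds per check-in. In production the interval check is one feature among several (destination popularity, bytes per connection, time-of-day spread), because legitimate agents such as update checkers and monitoring probes beacon too; the point of the example is only that the behavior is still visible after the IP changed.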

IOCs in Whisper

Whisper joins IOCs to the rest of the infrastructure graph. A flagged IP is no longer a flat string in a watchlist — it is a node connected to its ASN, its co-hosted domains, its WHOIS history, and every threat feed that has ever named it. Analysts pivot from one IOC to the full campaign infrastructure in a single query.