Indicators of Compromise
Observable artifacts — such as IPs, domains, file hashes, URLs, file paths, and registry keys — that indicate a system or network may have been breached.
Definition
Indicators of Compromise (IOCs) are forensic artifacts collected from a network, host, or email that signal a potential or confirmed intrusion. Common IOC types include IP addresses, domain names, file hashes (MD5, SHA-1, SHA-256), URLs, email addresses, file paths, and registry keys. IOCs are used to detect, contain, and attribute attacks.
Why It Matters
IOCs form the foundation of threat detection and incident response. They allow security teams to search retrospectively across logs and telemetry for signs of compromise, build detection rules, share threat data across organizations, and understand attacker tooling and infrastructure. Without IOC collection and enrichment, analysts have no systematic way to connect individual alerts to broader attack campaigns.
How It Works
IOCs are extracted from malware samples, threat intelligence feeds, sandbox reports, and forensic investigations. Once collected, they are enriched — cross-referenced against reputation databases, passive DNS records, WHOIS data, and sandboxing results — to assess confidence and context. Enriched IOCs are then deployed as detection signatures in SIEMs, firewalls, and EDR platforms, or shared via structured formats such as STIX/TAXII.
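The pipeline above, extraction, normalisation, export and retrospective search, as an added example in Python. This is not DFIR Lab's enrichment code or API; the sandbox-report excerpt, the log lines and every indicator in them are constructed for the example (198.51.100.0/24 is a documentation range standing in for a real C2 address, and the hashes are obviously synthetic). The regexes, the defanging rules and the non-routable filter are the author's choices, not a standard.

```python
"""Extract IOCs from analyst text, normalise them, emit STIX 2.1 patterns, sweep logs."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sandbox-report excerpt. Indicators are defanged the way analysts share them.
SAMPLE_REPORT = r"""
Dropper beaconed to hxxp://update[.]example-cdn[.]net/p.php?id=7 and 198[.]51[.]100[.]23:8080,
then pulled a config from files[.]example-cdn[.]net. Internal pivot attempt to 10.0.0.5.
Payload sha256: abababababababababababababababababababababababababababababababab
Loader md5: 0123456789abcdef0123456789abcdef
Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
"""

# Constructed proxy/EDR log lines to sweep retrospectively (note the upper-case hash).
SAMPLE_LOGS = [
    "2024-03-02T10:14:07Z proxy allow src=10.0.0.5 dst=198.51.100.23:8080 host=update.example-cdn.net",
    "2024-03-02T10:15:21Z edr file_create path=C:\\Users\\a\\svc.exe sha256=ABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABAB",
    "2024-03-02T10:16:00Z proxy allow src=10.0.0.8 dst=203.0.113.9 host=www.example.com",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}\b", re.IGNORECASE)
# Word boundaries stop a 64-hex SHA-256 from also matching as a 32-hex MD5 substring.
HASH_RE = re.compile(r"\b[a-f0-9]{32}\b|\b[a-f0-9]{40}\b|\b[a-f0-9]{64}\b", re.IGNORECASE)
REG_RE = re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\[^\s\"']+")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
# Addresses that are noise in an IOC list: RFC 1918, loopback, link-local, "this" net, multicast.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                 "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], [:], [@]) so the regexes see real indicators."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return re.sub(r"\[(://|:|@)\]", r"\1", text)


def routable_ipv4(candidate: str):
    """Return the address if it parses and is outside the non-routable ranges, else None."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ValueError:
        return None
    return None if any(addr in net for net in NON_ROUTABLE) else str(addr)


def extract_iocs(text: str) -> dict:
    """Return {kind: sorted values} for ipv4, domain, url, md5, sha1, sha256, registry."""
    text = refang(text)
    found = {k: set() for k in ("ipv4", "domain", "url", "md5", "sha1", "sha256", "registry")}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        found["url"].add(url)
        host = (urlparse(url).hostname or "").lower()
        if IPV4_RE.fullmatch(host):
            if routable_ipv4(host):
                found["ipv4"].add(host)
        elif host:
            found["domain"].add(host)
    bare = URL_RE.sub(" ", text)  # do not re-match hosts and paths inside the URLs
    for cand in IPV4_RE.findall(bare):
        if routable_ipv4(cand):
            found["ipv4"].add(cand)
    found["domain"].update(d.lower() for d in DOMAIN_RE.findall(bare))
    for h in HASH_RE.findall(bare):
        found[HASH_KIND[len(h)]].add(h.lower())
    found["registry"].update(m.group(0) for m in REG_RE.finditer(bare))
    return {k: sorted(v) for k, v in found.items()}


def stix_pattern(kind: str, value: str) -> str:
    """Render one indicator as a STIX 2.1 comparison expression (backslashes escaped)."""
    if kind == "registry":
        hive, _, rest = value.partition("\\")
        value = (HIVES.get(hive, hive) + "\\" + rest).replace("\\", "\\\\")
    path = {"ipv4": "ipv4-addr:value", "domain": "domain-name:value", "url": "url:value",
            "md5": "file:hashes.MD5", "sha1": "file:hashes.'SHA-1'",
            "sha256": "file:hashes.'SHA-256'", "registry": "windows-registry-key:key"}[kind]
    return f"[{path} = '{value}']"


def sweep_logs(iocs: dict, lines) -> list:
    """Case-insensitive substring sweep; returns (line_no, kind, value) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for kind, values in iocs.items():
            hits.extend((n, kind, v) for v in values if v.lower() in low)
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    for kind, values in iocs.items():
        for v in values:
            print(stix_pattern(kind, v))
    for hit in sweep_logs(iocs, SAMPLE_LOGS):
        print("HIT", *hit)
```

Two design points matter in practice. Internal and loopback addresses are dropped before they ever reach a blocklist, because a sandbox report is full of them and each one pushed to a firewall is a self-inflicted outage. The substring sweep is deliberately crude: it catches the hash regardless of case but would miss the registry key if the EDR logs the full hive name, which is exactly the kind of normalisation gap enrichment and a proper detection rule have to close.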
DFIR Platform
IOC Enrichment
The DFIR Lab IOC Enrichment API accepts IPs, domains, file hashes (MD5/SHA-1/SHA-256), and URLs and performs multi-source lookups across 14+ threat intelligence providers in a single request. The Phishing Email Checker also automatically extracts IOCs from analyzed emails, including links, attachment hashes, and sender infrastructure, and returns the enriched results.