1 Introduction
An IOC (Indicator of Compromise) is like a clue at a crime scene. Just as a detective looks for fingerprints, footprints, and DNA traces to identify a criminal, cybersecurity analysts look for IOCs to detect and track cyber attacks. An IOC is any observable piece of data that suggests a system has been compromised: an IP address, a domain name, a file hash, a URL, or even an email address linked to malicious activity.
- 5 types: main categories of IOCs
- Millions: new IOCs shared daily across threat intel feeds
- < 24h: average lifespan of an attacker's infrastructure
2 How It Works
Use the IOC detector (the interactive tool on this page) to identify and classify indicators of compromise. Paste any suspicious value -- an IP, domain, hash, URL, or email -- and the tool will tell you what type of IOC it is and provide context about it.
The 5 main types of IOCs
- IP Addresses: servers used by attackers for command-and-control, data exfiltration, or hosting malicious content. Example: 185.220.101.42
- Domains: malicious or compromised domain names used in phishing, malware delivery, or C2 communication. Example: evil-update.com
- File Hashes: unique fingerprints of malicious files (MD5, SHA1, SHA256). The most precise type of IOC. Example: d41d8cd98f00...
- URLs: full web addresses pointing to phishing pages, exploit kits, or malware downloads. Example: http://evil.com/payload.exe
- Email Addresses: sender addresses used in phishing campaigns or associated with threat actor infrastructure. Example: [email protected]
3 Detailed Analysis
The Pyramid of Pain
Not all IOCs are equally useful. Security researcher David Bianco created the Pyramid of Pain to illustrate this. At the bottom are IOCs that are easy to find but also easy for attackers to change (hash values, IP addresses). At the top are behavioral indicators that are much harder for attackers to modify.
- Hash values (trivial to change): an attacker can recompile their malware to get a completely new hash. Useful for exact matching, but easily evaded.
- IP addresses (easy to change): attackers can switch servers, use proxies, or rotate through cloud providers. Blocking one IP is a temporary fix.
- Domain names (moderate to change): registering new domains takes time and money. Taking down a domain is more impactful than blocking an IP.
- TTPs -- Tactics, Techniques, Procedures (hard to change): the attacker's behavior and methods. Forcing an attacker to change their entire approach is the most effective defense.
Where do IOCs come from?
IOCs are collected from incident response investigations, malware analysis, honeypots, dark web monitoring, and shared through threat intelligence feeds and platforms like MISP, OpenCTI, or commercial providers. The cybersecurity community relies on rapid IOC sharing to protect everyone faster.
Try it on mlab.sh
Paste any text and automatically extract all IOCs -- IP addresses, domains, hashes, URLs, and email addresses. Quickly classify and investigate indicators from reports or logs.
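The detector from section 2 and the text extractor described above, as an added example in Python. This is not mlab.sh's own tool (its code is not on this page); it recognizes the five IOC types listed in section 2 and, as an extension, undoes the "defanged" notation (hxxp://, [.], [at]) that written reports use to keep indicators non-clickable. The sample report text and all indicators in it are constructed for illustration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Reports "defang" indicators (hxxp://evil[.]com) so they cannot be clicked by
# accident; undo that before matching so the same value is recognized either way.
_DEFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[at\]|\(at\)", re.I), "@"),
]

def refang(text: str) -> str:
    for pattern, repl in _DEFANG:
        text = pattern.sub(repl, text)
    return text

# Priority order: a URL or email is claimed first so the domain inside it is
# not reported a second time as a bare domain.
_PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("hash", re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
_HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}

def classify(value: str) -> Optional[str]:
    """Return the IOC type of a single pasted value, or None if it is not one."""
    value = refang(value.strip())
    for kind, pattern in _PATTERNS:
        if not pattern.fullmatch(value):
            continue
        if kind == "ipv4":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                return None  # e.g. 999.1.1.1 looks like an IP but is not one
            # A private address in a feed usually means a mislabelled indicator.
            return "ipv4-private" if ip.is_private else "ipv4"
        if kind == "hash":
            return _HASH_NAMES[len(value)]  # hash type follows from hex length
        return kind
    return None

def extract(text: str) -> List[Tuple[str, str]]:
    """Find every IOC in free text (a report, a log excerpt) with its type."""
    text = refang(text)
    claimed: List[Tuple[int, int]] = []   # spans already reported
    found: List[Tuple[str, str]] = []
    for _, pattern in _PATTERNS:
        for m in pattern.finditer(text):
            start, end = m.span()
            if any(start < e and end > s for s, e in claimed):
                continue  # part of a higher-priority match (domain inside a URL)
            claimed.append((start, end))
            token = m.group(0).rstrip(".,;:)")  # drop sentence punctuation
            label = classify(token)
            if label and (label, token) not in found:
                found.append((label, token))
    return found

# Constructed sample report; the hashes are the well-known empty-input digests.
SAMPLE_REPORT = """
Constructed sample report. The dropper at hxxp://evil-update[.]com/payload.exe
beaconed to 185.220.101.42 and to 10.0.0.5 on the LAN. Phishing sender:
attacker[at]evil-update[.]com. Dropper sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, md5
d41d8cd98f00b204e9800998ecf8427e.
"""

if __name__ == "__main__":
    for kind, value in extract(SAMPLE_REPORT):
        print(f"{kind:13s} {value}")
```

The bare-domain pattern is the noisy one: it will also match file names such as report.txt, so a production extractor checks the suffix against a public-suffix list. Classification only says what an indicator is, not whether it is malicious; that judgement still needs the reputation and threat-intel context discussed in section 3.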
4 Red Flags
- Multiple IOC types pointing to the same threat: when you find a suspicious IP, a related domain, and a matching file hash all linked together, confidence in the threat is very high.
- IOC matches a known threat actor: if an IOC in your network matches infrastructure attributed to a known APT group, treat this as a critical alert requiring immediate investigation.
- Outdated IOCs generating false positives: IOCs have a shelf life. An IP used by an attacker six months ago may now belong to a legitimate service. Always check the age and context of an IOC.
- Single IOC with no context: a lone IP address without any context is almost useless. Good threat intelligence always provides who, what, when, and why alongside the raw indicator.
- IOC found in outbound traffic: if a machine on your network is connecting to a known malicious IP or domain, it may already be compromised. Investigate immediately.
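Three of the red flags above (corroboration across IOC types, stale indicators, and matches in outbound traffic) as a small added detection example in Python; this is not code from the page. The IOC set, the threat labels, the 90-day staleness cut-off and the key=value log format are all constructed assumptions, and the addresses come from documentation ranges, not real infrastructure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Indicator:
    kind: str            # "ipv4" or "domain": the types visible in connection logs
    value: str
    threat: str          # actor/campaign label the feed attached (hypothetical)
    last_seen: datetime  # when the feed last saw the indicator in use

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so the example is reproducible
MAX_AGE = timedelta(days=90)  # assumption: older indicators are demoted, not acted on alone

# Constructed IOC set (documentation address ranges, made-up threat labels).
IOCS = [
    Indicator("ipv4", "203.0.113.7", "CAMPAIGN-A", NOW - timedelta(days=3)),
    Indicator("domain", "update-check.example", "CAMPAIGN-A", NOW - timedelta(days=5)),
    Indicator("ipv4", "198.51.100.9", "OLD-CAMPAIGN", NOW - timedelta(days=200)),
]

# Constructed outbound proxy log: timestamp, then key=value fields.
LOG_LINES = [
    "2024-06-01T10:00:01Z host=ws-17 dst=203.0.113.7 sni=update-check.example",
    "2024-06-01T10:00:02Z host=ws-17 dst=198.51.100.9 sni=cdn.example",
    "2024-06-01T10:00:03Z host=ws-22 dst=192.0.2.44 sni=intranet.example",
]

def is_stale(ioc: Indicator, now: datetime = NOW, max_age: timedelta = MAX_AGE) -> bool:
    """Outdated IOC: not seen recently, so it may now belong to a legitimate service."""
    return now - ioc.last_seen > max_age

def parse_line(line: str) -> Tuple[str, str, Optional[str]]:
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["host"], fields["dst"], fields.get("sni")

def summarize(fresh: List[Indicator], stale: List[Indicator]) -> dict:
    # Corroboration: distinct IOC types agreeing on one threat label raise confidence.
    kinds_per_threat: Dict[str, set] = {}
    for ioc in fresh:
        kinds_per_threat.setdefault(ioc.threat, set()).add(ioc.kind)
    corroboration = max((len(k) for k in kinds_per_threat.values()), default=0)
    if corroboration >= 2:
        confidence = "high"
    elif fresh:
        confidence = "medium"
    else:
        confidence = "low"  # only stale indicators matched: verify before acting
    return {
        "confidence": confidence,
        "threats": sorted(kinds_per_threat),
        "fresh": [i.value for i in fresh],
        "stale": [i.value for i in stale],
    }

def match_logs(lines: Iterable[str], iocs: List[Indicator] = IOCS,
               now: datetime = NOW) -> Dict[str, dict]:
    """Outbound matches: hosts talking to known-bad infrastructure, grouped per host."""
    index = {(i.kind, i.value): i for i in iocs}
    per_host: Dict[str, Tuple[List[Indicator], List[Indicator]]] = {}
    for line in lines:
        host, dst, sni = parse_line(line)
        for key in (("ipv4", dst), ("domain", sni)):
            ioc = index.get(key)
            if ioc is None:
                continue
            fresh, stale = per_host.setdefault(host, ([], []))
            (stale if is_stale(ioc, now) else fresh).append(ioc)
    return {host: summarize(f, s) for host, (f, s) in per_host.items()}

if __name__ == "__main__":
    for host, verdict in match_logs(LOG_LINES).items():
        print(host, verdict)
```

In the sample, ws-17 reaches both the IP and the domain tied to CAMPAIGN-A, so it is rated high; its second connection matches only an indicator last seen 200 days ago, which is listed but does not raise the score. A host whose only match is that stale IP would be rated low, which is the signal to check the indicator's age and context rather than block on it.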
Related Modules
- What is a file hash? Understanding digital fingerprints: how a hash uniquely identifies a file.
- Reading an IP reputation: assessing the danger of an IP address using reputation databases and threat intelligence.
- What is a threat intel feed? Threat intelligence feeds: how they work and why they are essential.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/ioc
Module: What is an IOC? — Fundamentals
Disclaimer: This content is for awareness purposes only.