Cyber Doc logo Cyber Doc
Cybersecurity Term

What are indicators of compromise?

Clues such as unusual logins, files, or settings that may point to compromise.

Incident Response Last reviewed: 2026-05-20

← Back to Learn Centre

What are indicators of compromise?

Indicators of compromise, or IOCs, are clues that suggest suspicious or malicious activity may have occurred.

Simple example

Examples include unusual login locations, suspicious files, unexpected mailbox rules, or known malicious IP addresses.

Why it matters

IOCs help responders search for related activity and understand the scope of an incident.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Collect and retain useful logs.
  • Use endpoint and email security tools where possible.
  • Monitor unusual account activity.
  • Keep asset information up to date.
  • Create a process for reporting suspicious signs.

Reactive steps

  • Record the indicator and where it was found.
  • Search for the same indicator across other systems.
  • Preserve logs and affected files.
  • Use indicators to help scope the incident.
  • Do not assume one indicator tells the whole story.

Related terms

  • Security monitoring
  • Forensics
  • Incident response