In cyberspace operations, what is an indicator of compromise (IOC) and how is it used?

Prepare for the AFSC Cyberspace Operations Officer (17D) Block 5 Exam. Engage with flashcards and detailed multiple choice questions. Ready yourself for success!

Multiple Choice

In cyberspace operations, what is an indicator of compromise (IOC) and how is it used?

Explanation:
An indicator of compromise is forensic evidence of a compromise—artifacts observed during analysis that signal malicious activity. Examples include hashes of known malware, IP addresses used by attackers, domain names tied to attacker infrastructure, and file signatures. These indicators are used to detect intrusions across security sensors, help attribute activity to specific threat actors or campaigns, and guide the incident response process—diagnosing the breach, containing it, eradicating the threat, and restoring systems. They also feed into security tools and threat intelligence feeds to improve detection, enable rapid hunting, and automate responses. This concept isn’t about system uptime, encryption methods, or log retention policies, which is why those options don’t fit.

