Indicators of Attack vs. Indicators of Compromise

For many years, the information security community has relied on indicators of compromise (IOC) as the first indication that a system or organization has been breached. An IOC is often described in the forensics world as evidence on a computer that indicates that the security of the network has been compromised. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally,
this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.

Unfortunately, IOC monitoring is reactive in nature, which means that if an organization finds an indicator, it is almost certain that they have already been compromised.

An Indicator of Attack (IOA) is related to an IOC in that it is a digital artifact. However, unlike IOCs, IOAs are active in nature and focus on identifying a cyberattack that is in process.

Download this white paper to better understand the fundamental difference between Indicators of Compromise and Indicators of Attack and look at IOAs in action.


  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center