Indicators of Attack vs. Indicators of Compromise

For many years, the information security community has relied on indicators of compromise (IOC) as the first indication that a system or organization has been breached. An IOC is often described in the forensics world as evidence on a computer that indicates that the security of the network has been compromised. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.

Recording, gathering and analyzing Indicators of Attack (IOA) enables your team to view activity in real time and react in the present, and provides first responders with the tools necessary to instantly reconstruct the crime scene, or even intervene while an attack is still in progress.
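The two paragraphs above describe the difference in the abstract. The following example, added here and not taken from the white paper or from CrowdStrike's own products, makes it concrete: `match_iocs` checks telemetry against a static list of known-bad artifacts (a file hash, a remote address), while `detect_ioa` looks at what processes do over time, such as an Office application spawning a shell that then calls out and writes to a Startup folder. The event schema, the IOC list and the sample telemetry are all constructed for this illustration; the point is that the IOA rule fires on the behavior even though the callout address is not on any list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (hypothetical schema, constructed for this example).

    kind == "process": pid/image are the new process, detail is the parent image.
    kind == "network": pid/image are the acting process, detail is "ip:port".
    kind == "file":    pid/image are the acting process, detail is the written path.
    """
    ts: datetime
    host: str
    pid: int
    ppid: int
    kind: str
    image: str
    detail: str
    sha256: str = ""


# Constructed sample telemetry: a few minutes of activity on one workstation.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", 100, 1, "process", r"C:\Office\WINWORD.EXE", r"C:\Windows\explorer.exe"),
    Event(T0 + timedelta(seconds=30), "ws01", 200, 100, "process",
          r"C:\Windows\System32\cmd.exe", r"C:\Office\WINWORD.EXE"),
    Event(T0 + timedelta(seconds=35), "ws01", 200, 100, "network",
          r"C:\Windows\System32\cmd.exe", "203.0.113.10:443"),
    Event(T0 + timedelta(seconds=40), "ws01", 200, 100, "file",
          r"C:\Windows\System32\cmd.exe",
          r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.lnk"),
    Event(T0 + timedelta(minutes=5), "ws01", 400, 100, "process",
          r"C:\Tools\putty.exe", r"C:\Windows\explorer.exe", sha256="b" * 64),
]

# Constructed IOC list: one known-bad hash, one known-bad remote. Note that the
# 203.0.113.10 callout above is deliberately absent, as fresh infrastructure would be.
SAMPLE_IOCS = {"sha256": {"b" * 64}, "remote": {"198.51.100.5:80"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
IOA_WINDOW = timedelta(minutes=5)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_iocs(events, iocs):
    """IOC matching: compare each event against static known-bad artifacts."""
    hits = []
    for e in events:
        if e.sha256 and e.sha256 in iocs["sha256"]:
            hits.append((e, "known-bad hash"))
        if e.kind == "network" and e.detail in iocs["remote"]:
            hits.append((e, "known-bad remote"))
    return hits


def detect_ioa(events):
    """IOA detection: correlate a chain of behaviors per process inside a time window.

    Chain: Office app spawns a shell -> that shell makes an outbound connection
    -> that shell writes to a Startup folder. Two or more links within IOA_WINDOW
    raise an alert, regardless of which hash or address is involved.
    """
    tracked = {}  # (host, pid) -> {"start": ts, "behaviors": [...]}
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.pid)
        if (e.kind == "process" and basename(e.image) in SHELLS
                and basename(e.detail) in OFFICE_APPS):
            tracked[key] = {"start": e.ts, "behaviors": ["office-spawns-shell"]}
            continue
        state = tracked.get(key)
        if state is None or e.ts - state["start"] > IOA_WINDOW:
            continue
        if e.kind == "network":
            state["behaviors"].append("shell-outbound-connection")
        elif e.kind == "file" and "\\startup\\" in e.detail.lower():
            state["behaviors"].append("shell-writes-startup")
    return [
        {"host": host, "pid": pid, "first_seen": st["start"], "behaviors": st["behaviors"]}
        for (host, pid), st in tracked.items()
        if len(st["behaviors"]) >= 2
    ]


if __name__ == "__main__":
    for ev, why in match_iocs(SAMPLE_EVENTS, SAMPLE_IOCS):
        print(f"IOC hit: pid={ev.pid} {ev.image} ({why})")
    for alert in detect_ioa(SAMPLE_EVENTS):
        print(f"IOA alert: pid={alert['pid']} chain={' -> '.join(alert['behaviors'])}")
```

Run against the sample, the IOC pass flags only the putty.exe launch whose hash happens to be listed, while the IOA pass flags the cmd.exe process from the moment it both called out and established persistence, which is the "react in the present" capability the text describes. In practice the behavior chain and the window are tuned per environment to keep false positives down.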

Download this white paper to better understand the fundamental difference between Indicators of Compromise and Indicators of Attack and look at IOAs in action.


For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.