Host-based IoC

A host-based indicator of compromise (host-based IoC) is forensic evidence of a security breach found on an individual device, such as suspicious files, processes, registry edits, or unusual log entries, that detection tools compare against known signatures to spot malicious activity.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is host-based IoC?

An indicator of compromise (IoC) is any piece of forensic evidence that says "something bad happened here." A host-based IoC is that evidence when it lives on a single device (a server, a laptop, a router) rather than out on the wire. Think of a strange new file, an unexpected process running, a modified system setting, or an odd log entry. These are the breadcrumbs an attacker leaves on the machine itself.

This ties directly to topic 3.5, where automated detection tools analyze data collected from devices like switches, servers, firewalls, and user computers (EK 3.5.A.1). A lot of that data ends up in log files. Host-based IoCs are the clues you hunt for inside those logs. In signature-based detection, the tool compares what it sees against a database of known IoCs called signatures (EK 3.5.C.1). If a host-based IoC matches a known signature, the system flags it as malicious. The contrast is a network-based IoC, which shows up in traffic moving across the network instead of on one box.

Why host-based IoC matters in AP Cybersecurity

Host-based IoCs sit at the heart of Unit 3: Securing Networks, specifically topic 3.5 (Detecting Network Attacks). They support learning objectives 3.5.A (identifying automated detection tools), 3.5.C (determining a detection method using signature-based detection and its IoC database), and especially 3.5.E (applying detection techniques to identify indicators of network attacks by analyzing log files). Knowing where evidence lives (on a host versus on the network) is what lets you pick the right tool and read a log correctly. That log-analysis skill is exactly what 3.5.E asks you to perform.


How host-based IoC connects across the course

Signature-based detection (Unit 3)

Signature-based detection works by matching live data against a database of known IoCs. A host-based IoC is one of the breadcrumbs that gets stored as a signature, so the two ideas are basically the clue and the tool that recognizes the clue.
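The matching step described above, as a worked example. This is added illustration code, not code from the Fiveable page or from any real detection product. The signature database, the "dropper" bytes, the process name and the registry key are all constructed for the example; the one thing it shows that the paragraph does not is the limit of the approach: an artifact that differs by a single byte from a known-bad file produces a different hash and no alert.

```python
"""Signature-based detection over host artifacts (added example, constructed data)."""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a malicious file. Not real malware, just bytes.
MALICIOUS_DROPPER = b"MZ\x90\x00 fake dropper body -- constructed sample for the example"

# Constructed IoC signature database (EK 3.5.C.1): known-bad values keyed by artifact type.
SIGNATURES = {
    "file_sha256": {
        hashlib.sha256(MALICIOUS_DROPPER).hexdigest(): "Dropper.Example/A",
    },
    "process_name": {
        "svch0st.exe": "Masquerading svchost (zero instead of o)",
    },
    "registry_key": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater": "Run-key persistence",
    },
}


@dataclass
class HostArtifact:
    kind: str            # "file", "process" or "registry"
    value: str           # file path, process name or registry key
    content: bytes = b""  # file bytes; only used when kind == "file"


@dataclass
class Alert:
    artifact: HostArtifact
    signature: str  # the key that matched (hash, name or registry path)
    label: str      # human-readable name of the signature


def signature_key(artifact: HostArtifact):
    """Turn an observed artifact into the (table, key) pair a signature would match on."""
    if artifact.kind == "file":
        return "file_sha256", hashlib.sha256(artifact.content).hexdigest()
    if artifact.kind == "process":
        return "process_name", artifact.value.lower()
    if artifact.kind == "registry":
        return "registry_key", artifact.value
    raise ValueError(f"unknown artifact kind {artifact.kind!r}")


def scan_host(artifacts, signatures=SIGNATURES):
    """Compare every host artifact against the signature database; return the matches."""
    alerts = []
    for art in artifacts:
        table, key = signature_key(art)
        label = signatures[table].get(key)
        if label is not None:
            alerts.append(Alert(art, key, label))
    return alerts


# Constructed observations collected from one host.
OBSERVED = [
    HostArtifact("file", r"C:\Users\alice\AppData\Local\Temp\upd.exe", MALICIOUS_DROPPER),
    HostArtifact("file", r"C:\Windows\notepad.exe", b"MZ\x90\x00 benign notepad stand-in"),
    HostArtifact("process", "svch0st.exe"),
    HostArtifact("process", "svchost.exe"),
    HostArtifact("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    # Same dropper with one byte appended: same behaviour, different hash, no match.
    HostArtifact("file", r"C:\Users\alice\AppData\Local\Temp\upd2.exe", MALICIOUS_DROPPER + b"\x00"),
]

if __name__ == "__main__":
    for a in scan_host(OBSERVED):
        print(f"{a.artifact.kind:8} {a.artifact.value}  ->  {a.label}")
```

Three of the six artifacts match (the original dropper, the misspelled process, the Run key). The benign notepad, the real svchost.exe and the one-byte variant of the dropper pass silently, which is exactly why signature-based detection is paired with the behaviour- and AI-based methods covered elsewhere in topic 3.5.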

Indicator of compromise (IoC) (Unit 3)

A host-based IoC is just one flavor of the broader IoC family. The "host-based" label tells you the location of the evidence (one device), just as labels like "file-based" or "behavior-based" tell you the form the evidence takes.

Analyzing log files for attacks (Unit 3)

EK 3.5.E covers spotting attacks like ARP poisoning by reading logs. Host-based IoCs are precisely the entries you scan for, so this term connects directly to the log-analysis skill the exam wants you to demonstrate.

AI-enhanced threat detection (Unit 3)

A medium network logs millions of data points a day (EK 3.5.B.1), far too many for humans to sift. AI models are trained to classify those host and network IoCs as malicious or normal, which is why automation matters once the volume of indicators explodes.

Is host-based IoC on the AP Cybersecurity exam?

Expect host-based IoC to show up in MCQ stems that ask you to classify where evidence was found or to pick the right detection method for a scenario. A common setup gives you a log snippet from a server or user computer and asks what kind of indicator it represents. For free response, the 3.5.E skill of analyzing log files is the most likely place this lands, where you read entries and explain which ones flag a compromise. No released FRQ has used "host-based IoC" verbatim, but it directly supports the log-analysis and detection-method reasoning topic 3.5 tests. Be ready to explain why an IoC on a single device differs from one seen in network traffic.

Host-based IoC vs network-based IoC

A host-based IoC is evidence found on one device, like a strange file, an altered registry key, or a suspicious process. A network-based IoC shows up in traffic moving between devices, like odd ARP messages or connections to a known malicious IP. Same idea (evidence of compromise), different location. Ask yourself: is the clue sitting on the machine, or flowing across the wire?
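The log-analysis task from the exam discussion above and the host-versus-network split in this section, worked through in code. This is an added example, not material from the Fiveable page: the ten log lines, the hostnames, the IP addresses, the "known bad" address and the message formats are all constructed (real sshd, arpwatch and flow logs look similar but not identical). Each finding records where the evidence was collected, which is the classification the exam asks for.

```python
"""Analyze a constructed log excerpt and classify each indicator as host- or network-based."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log excerpt. Lines 1-8 are a server's own logs (host-based evidence);
# lines 9-10 come from a network sensor (network-based evidence). All values invented.
LOG_LINES = [
    "2026-06-02T09:14:01 srv01 sshd: Failed password for root from 10.0.0.77 port 51012",
    "2026-06-02T09:14:02 srv01 sshd: Failed password for root from 10.0.0.77 port 51013",
    "2026-06-02T09:14:03 srv01 sshd: Failed password for root from 10.0.0.77 port 51014",
    "2026-06-02T09:14:04 srv01 sshd: Failed password for root from 10.0.0.77 port 51015",
    "2026-06-02T09:14:05 srv01 sshd: Failed password for root from 10.0.0.77 port 51016",
    "2026-06-02T09:14:09 srv01 sshd: Accepted password for root from 10.0.0.77 port 51017",
    "2026-06-02T09:15:30 srv01 kernel: /tmp/.x/kworkerd started with pid 4411",
    "2026-06-02T09:16:02 srv01 cron: (root) CMD (/tmp/.x/kworkerd)",
    "2026-06-02T09:16:10 sensor arpwatch: changed ethernet address 10.0.0.1 00:11:22:33:44:55 -> de:ad:be:ef:00:01",
    "2026-06-02T09:16:20 sensor netflow: flow 10.0.0.5:50212 -> 203.0.113.9:4444 proto TCP",
]

# Constructed network IoC: a hypothetical command-and-control address (documentation range).
KNOWN_BAD_IPS = {"203.0.113.9"}
FAILED_LOGIN_THRESHOLD = 5

# "<timestamp> <source> <program>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<program>[^:]+): (?P<msg>.*)$")


@dataclass
class Finding:
    line: int        # 1-based line number in the excerpt
    location: str    # "host" or "network": where the evidence was found
    description: str


def analyze(lines):
    """Walk the log once, keeping just enough state to spot a brute-force sequence."""
    findings = []
    failed = defaultdict(int)  # (host, source ip) -> consecutive failed logins seen
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        src, prog, msg = m["source"], m["program"], m["msg"]

        if prog == "sshd":
            f = re.match(r"Failed password for (\S+) from (\S+)", msg)
            if f:
                failed[(src, f[2])] += 1
                if failed[(src, f[2])] == FAILED_LOGIN_THRESHOLD:
                    findings.append(Finding(n, "host",
                        f"{FAILED_LOGIN_THRESHOLD} failed logins for {f[1]} from {f[2]}"))
                continue
            a = re.match(r"Accepted password for (\S+) from (\S+)", msg)
            if a and failed[(src, a[2])] >= FAILED_LOGIN_THRESHOLD:
                findings.append(Finding(n, "host",
                    f"successful login for {a[1]} from {a[2]} right after a brute-force burst"))
            continue

        # Execution or scheduling of a binary in a hidden /tmp directory: host artifact.
        if prog in ("kernel", "cron") and "/tmp/." in msg:
            findings.append(Finding(n, "host", "execution from hidden /tmp directory"))
            continue

        # MAC address for a known IP changed on the wire: classic ARP-poisoning clue.
        arp = re.match(r"changed ethernet address (\S+) (\S+) -> (\S+)", msg)
        if prog == "arpwatch" and arp:
            findings.append(Finding(n, "network",
                f"MAC for {arp[1]} changed from {arp[2]} to {arp[3]}"))
            continue

        # Connection to a known malicious address seen in network traffic.
        flow = re.match(r"flow (\S+):\d+ -> (\S+):\d+", msg)
        if prog == "netflow" and flow and flow[2] in KNOWN_BAD_IPS:
            findings.append(Finding(n, "network", f"{flow[1]} connected to known bad {flow[2]}"))
    return findings


def summarize(findings):
    """Count findings by where the evidence lives: the host/network split the exam tests."""
    return dict(Counter(f.location for f in findings))


if __name__ == "__main__":
    for f in analyze(LOG_LINES):
        print(f"line {f.line:2} [{f.location:7}] {f.description}")
    print(summarize(analyze(LOG_LINES)))
```

The first four failed logins produce nothing on their own; the fifth crosses the threshold, and the later success from the same address is flagged because the analyzer remembered the burst. That stateful reading is what distinguishes log analysis from a plain signature lookup: the ARP change and the flow to the known bad address are single-line network indicators, while the brute force only becomes an indicator across several host log lines.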

Key things to remember about host-based IoC

  • A host-based IoC is forensic evidence of an attack found on a single device, such as a suspicious file, process, registry change, or log entry.

  • Host-based IoCs are stored as signatures, so signature-based detection can match live data against them and raise an alert (EK 3.5.C.1).

  • On the exam, host-based IoCs are usually hunted inside log files, which ties this term directly to the 3.5.E skill of analyzing logs to identify attacks.

  • The key contrast is location: a host-based IoC lives on the device, while a network-based IoC appears in traffic crossing the network.

  • Because networks log millions of data points a day, AI is increasingly used to classify host and network IoCs as malicious or normal (EK 3.5.B.1).

Frequently asked questions about host-based IoC

What is a host-based IoC in AP Cybersecurity?

It's an indicator of compromise found on a single device, like a server or laptop, such as a suspicious file, an unexpected process, a registry change, or a strange log entry. It maps to topic 3.5 and the log-analysis skill in EK 3.5.E.

Is a host-based IoC the same as a network-based IoC?

No. Both are evidence of a breach, but a host-based IoC lives on one device while a network-based IoC shows up in traffic moving across the network. The quick test is whether the clue sits on the machine or flows across the wire.

How does a host-based IoC connect to signature-based detection?

Signature-based detection compares live data to a database of known IoCs called signatures (EK 3.5.C.1). A host-based IoC is one of those known clues, so the IoC is the evidence and signature-based detection is the tool that recognizes it.

Where do you actually find host-based IoCs on the exam?

Usually in log files. EK 3.5.A.1 says detection tools collect device data into logs, and EK 3.5.E asks you to analyze those logs, so reading a server or computer log for suspicious entries is the most likely place this gets tested.

Why can't humans just read all the IoCs themselves?

A medium-sized network logs millions of data points a day (EK 3.5.B.1), far more than even a large team can review. That's why organizations train AI models to classify those indicators as malicious or normal.


Host-Based IoC — AP Cybersecurity Definition & Exam Guide | Fiveable