Indicator of compromise

An indicator of compromise (IoC) is a piece of forensic evidence, like a known malicious IP address or file signature, that signals an attack is happening or has happened on a network. Signature-based detection compares network data against a database of known IoCs to flag threats.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is indicator of compromise?

An indicator of compromise (IoC) is basically a fingerprint left behind by an attack. Think of it like a wanted poster: if your detection system sees something that matches a known bad pattern, it raises the alarm. IoCs can be things like a malicious IP address, a suspicious file hash, an unusual ARP message, or a fake SSID broadcasting near your network.

IoCs are the heart of signature-based detection (EK 3.5.C.1). A signature database is just a giant list of known IoCs. The detection tool compares the data flowing through your network against that list, and when it finds an exact match, it generates an alert. Because matching is a lookup against a fixed list, signature-based detection runs fast, which is why it works well on high-traffic networks. The catch: the database has to be constantly updated with IoCs for the newest attacks, or it'll miss anything brand new, and that miss is a false negative.
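Here is that matching step in code, as an added example that is not part of the original study guide: a small Python scanner that hashes constructed sample files and looks each hash up in a set of known-bad SHA-256 hashes standing in for the signature database. The file contents, the hash list and the function names (`scan_files`, `update_ioc_db`, `demo`) are assumptions made for the example; the bytes are harmless stand-ins, not real malware.

```python
import hashlib

# Constructed sample "files": name -> raw bytes. These are stand-ins so the
# example runs offline; none of them is real malware.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4 harmless document body",
    "update.exe": b"MZ\x90\x00 known-bad payload v1",
    "update_v2.exe": b"MZ\x90\x00 known-bad payload v2",
}


def sha256_hex(data: bytes) -> str:
    """File-based IoC: the SHA-256 digest of the file's bytes."""
    return hashlib.sha256(data).hexdigest()


# The signature database: SHA-256 hashes of files already known to be bad.
# It is seeded with update.exe only, standing in for a database that has
# not yet learned about the newer update_v2.exe sample (assumption).
STALE_IOC_DB = {sha256_hex(SAMPLE_FILES["update.exe"])}


def scan_files(files, ioc_db):
    """Signature-based scan: flag every file whose hash is in the IoC DB.

    This is a pure set lookup, which is why it is fast and why it can only
    ever match samples the database already contains.
    """
    return sorted(name for name, data in files.items()
                  if sha256_hex(data) in ioc_db)


def update_ioc_db(ioc_db, new_bad_samples):
    """Return a new database that also knows the hashes of fresh samples."""
    return ioc_db | {sha256_hex(data) for data in new_bad_samples}


def demo():
    """Show the stale-database false negative and what an update fixes."""
    # 1. Stale database: update_v2.exe slips through unmatched.
    before = scan_files(SAMPLE_FILES, STALE_IOC_DB)
    # 2. After the database learns the new sample's hash, both are caught.
    fresh_db = update_ioc_db(STALE_IOC_DB, [SAMPLE_FILES["update_v2.exe"]])
    after = scan_files(SAMPLE_FILES, fresh_db)
    # 3. A one-byte change to a known-bad file yields a brand-new hash, so
    #    an exact-hash IoC misses it until that hash is added as well.
    tampered = {"update.exe": SAMPLE_FILES["update.exe"] + b"\x00"}
    evaded = scan_files(tampered, fresh_db)
    return before, after, evaded


if __name__ == "__main__":
    before, after, evaded = demo()
    print("stale DB flags:", before)
    print("updated DB flags:", after)
    print("tampered copy flagged by updated DB:", evaded)
```

The third step is the stale-database problem in miniature: any file the database has not hashed yet, whether it is a genuinely new sample or a trivially altered copy of an old one, produces no match, which is exactly the false negative the text warns about.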

Why indicator of compromise matters in AP Cybersecurity

IoCs live in Unit 3: Securing Networks, specifically Topic 3.5 (Detecting Network Attacks). They tie directly into AP Cybersecurity 3.5.C, where you determine a detection method, and AP Cybersecurity 3.5.E, where you apply detection techniques by analyzing log files. The whole logic of signature-based detection rests on IoCs, so you can't explain why it's fast or why it misses zero-day attacks without understanding what an IoC is. This is also where the exam tests your ability to read evidence (firewall logs, packet captures) and name the specific indicator you're looking at.


How indicator of compromise connects across the course

Signature-Based Detection (Unit 3)

Signature-based detection is just IoCs in action. The signature database IS a list of known IoCs, and detection means matching live traffic against that list. Fast, but blind to attacks it hasn't seen before.

Anomaly-Based Detection (Unit 3)

Anomaly-based detection takes the opposite approach. Instead of matching known IoCs, it learns what normal looks like for the network and flags anything that deviates from that baseline. That's why it can catch new attacks that have no IoC yet, but it's slower, pricier to run, and prone to false positives, because unusual is not the same as malicious.
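To make the contrast concrete, here is a minimal anomaly detector as an added example that is not from the study guide: it learns a baseline from constructed per-minute outbound connection counts for one workstation and flags any later count that sits more than three standard deviations from the learned mean. The sample numbers, the k=3 threshold and the function names (`learn_baseline`, `is_anomalous`, `classify`) are assumptions made for the example.

```python
import statistics

# Constructed training data: outbound connections per minute from one
# workstation during a period assumed to be clean. The detector learns
# "normal" from this sample rather than from any list of known IoCs.
BASELINE_SAMPLE = [12, 9, 14, 11, 10, 13, 12, 8, 11, 10, 12, 9]


def learn_baseline(samples):
    """Summarise normal behaviour as (mean, standard deviation)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, baseline, k=3.0):
    """Flag a value more than k standard deviations away from the mean."""
    mean, sd = baseline
    return abs(value - mean) > k * sd


def classify(observed, samples, k=3.0):
    """Return (minute_index, value) for every observed count that deviates.

    No signature is consulted: a burst of 240 connections is flagged purely
    because it is far outside the learned range, even though nothing in it
    matches a known IoC. A quiet attacker that stays inside the normal band
    is not flagged, which is the flip side of this approach.
    """
    baseline = learn_baseline(samples)
    return [(i, v) for i, v in enumerate(observed)
            if is_anomalous(v, baseline, k)]


if __name__ == "__main__":
    # Minute 3 carries a burst that no signature database would know about.
    observed = [11, 13, 10, 240, 12, 9]
    print("baseline (mean, sd):", learn_baseline(BASELINE_SAMPLE))
    print("flagged minutes:", classify(observed, BASELINE_SAMPLE))
```

Note what the detector does not do: it never names the attack. It can only say "this minute looks unusual", which is why an analyst still has to investigate the flagged window, and why a low-and-slow attacker who keeps within the baseline goes unnoticed.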

False Positive and False Negative (Unit 3)

An outdated IoC database produces false negatives because new attacks slip through unmatched. Overly broad IoCs can trigger false positives, flagging legit traffic and feeding alert fatigue for analysts.

Network Intrusion Detection System / NIDS (Unit 3)

A NIDS is the tool that actually scans traffic for IoCs and fires an alert when it finds one (EK 3.5.A.2). The IoC is the evidence; the NIDS is the detector holding the wanted poster.

Is indicator of compromise on the AP Cybersecurity exam?

Expect multiple-choice questions that hand you a scenario and ask you to name the IoC. A classic stem describes a workstation connecting to an external IP known to host malware, then asks which network-based IoC the analyst spotted. Others give you firewall logs showing repeated connection attempts across many ports (a port scan) or packet captures with suspicious patterns. Your job is to read the evidence and identify the specific indicator. You may also be asked which IoC a signature-based system would use, which tests whether you understand that signatures are stored, known IoCs. Practice scanning a log file and pinpointing the one line that's the smoking gun.
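The log-reading exercise described here, worked in code as an added example that is not from the exam or the study guide: a Python function walks constructed firewall log lines, flags any destination that appears in a known-bad IP list (the signature IoC), and also flags a source that probes many ports on one host (the port-scan pattern). The log format, the IP addresses (drawn from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, so they are placeholders, not real threat intelligence), the five-port threshold and the function names (`parse_line`, `find_iocs`) are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log (not from a real device). Each line is:
#   <timestamp> <action> <proto> <src ip>:<src port> -> <dst ip>:<dst port>
FIREWALL_LOG = """\
2026-06-01T09:00:01 ALLOW TCP 10.0.0.21:51402 -> 198.51.100.10:443
2026-06-01T09:00:02 ALLOW TCP 10.0.0.21:51403 -> 203.0.113.66:8080
2026-06-01T09:00:05 DENY  TCP 10.0.0.77:40001 -> 10.0.0.5:21
2026-06-01T09:00:05 DENY  TCP 10.0.0.77:40002 -> 10.0.0.5:22
2026-06-01T09:00:05 DENY  TCP 10.0.0.77:40003 -> 10.0.0.5:23
2026-06-01T09:00:06 DENY  TCP 10.0.0.77:40004 -> 10.0.0.5:25
2026-06-01T09:00:06 DENY  TCP 10.0.0.77:40005 -> 10.0.0.5:80
2026-06-01T09:00:06 DENY  TCP 10.0.0.77:40006 -> 10.0.0.5:443
2026-06-01T09:00:09 ALLOW TCP 10.0.0.21:51404 -> 198.51.100.10:443
"""

# Network-based IoC database: addresses assumed (for this example only) to
# be known malware hosts. 203.0.113.0/24 is a documentation range.
KNOWN_BAD_IPS = {"203.0.113.66"}

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY)\s+(\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def find_iocs(log_text, bad_ips, scan_threshold=5):
    """Return (line_number, indicator) pairs for every IoC found in the log.

    Two kinds of indicator are recognised:
      - a destination IP that is in the known-bad list (exact signature match)
      - one source touching `scan_threshold` distinct ports on one host
        (the port-scan pattern), reported once, on the line that hits it
    """
    alerts = []
    ports_seen = defaultdict(set)  # (src, dst) -> distinct destination ports
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        # Signature IoC: a lookup against the known-bad list.
        if rec["dst"] in bad_ips:
            alerts.append(
                (lineno, f"connection to known malware host {rec['dst']}"))
        # Pattern IoC: many distinct ports from one source to one target.
        key = (rec["src"], rec["dst"])
        ports_seen[key].add(rec["dport"])
        if len(ports_seen[key]) == scan_threshold:
            alerts.append(
                (lineno, f"port scan from {rec['src']} against {rec['dst']}"))
    return alerts


if __name__ == "__main__":
    for lineno, indicator in find_iocs(FIREWALL_LOG, KNOWN_BAD_IPS):
        print(f"line {lineno}: {indicator}")
```

Two things worth noticing when you run it. Line 2 is the "smoking gun" of the classic exam stem: a workstation reaching out to a listed malware host, caught by nothing more than a set lookup. The sweep by 10.0.0.77 against 10.0.0.5 is a different kind of IoC, a traffic pattern rather than a single address, and it is only reported when the fifth distinct port is touched. Traffic to 198.51.100.10 is never flagged because that address is not in the list, which is the same stale-list blind spot signature-based detection always has.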

Indicator of compromise vs anomaly (in anomaly-based detection)

An IoC is a specific, known piece of evidence that matches a signature in a database. An anomaly is just behavior that deviates from the normal baseline, with no prior match required. IoCs say 'I've seen this exact attack before'; anomalies say 'this looks unusual, even if I don't know what it is.'

Key things to remember about indicator of compromise

  • An indicator of compromise (IoC) is forensic evidence, like a malicious IP, file hash, or suspicious SSID, that signals an attack is or was happening.

  • Signature-based detection works by comparing network data against a database of known IoCs, which is why it's fast but only catches attacks it already knows.

  • Signature databases must be updated constantly with new IoCs, or the system produces false negatives and misses fresh attacks.

  • On the exam you'll read log files or packet captures and identify the specific IoC, such as a connection to a known malware-hosting IP.

  • IoCs are network-based (traffic patterns, IPs) or host-based and file-based (file hashes on a device), and the question wording tells you which type to name.

Frequently asked questions about indicator of compromise

What is an indicator of compromise in AP Cybersecurity?

It's a piece of forensic evidence, like a known malicious IP address or file hash, that signals a network attack is occurring or already happened. Stored IoCs are the signatures a signature-based detection system matches against to fire alerts (Topic 3.5).

Is an IoC the same as an anomaly?

No. An IoC is a known, specific signature stored in a database, so signature-based detection matches against it. An anomaly is just any deviation from the normal baseline, which anomaly-based detection catches without needing a prior match. IoCs catch known attacks; anomalies can catch new ones.

Why does a signature database have to keep updating its IoCs?

Because signature-based detection can only catch attacks whose IoCs are already in the database. If a brand-new attack appears and its IoC isn't listed yet, the system won't match it and you get a false negative. Constant updates keep the database current with the latest threats.

What's a network-based IoC versus a host-based or file-based one?

A network-based IoC shows up in traffic, like an internal machine connecting to a known malware IP or a flood of connection attempts across ports. A host-based or file-based IoC lives on a device, like a malicious file hash. Question wording tells you which one to name.

How do I spot an IoC in a log file on the exam?

Look for the one line that doesn't belong: a connection to a known-bad external IP, repeated attempts across many ports (a scan), or unusual ARP messages. Match what you see to the named attack, then state the specific indicator the analyst found.
