In AP Cybersecurity, an IoC (indicator of compromise) is a piece of forensic evidence that signals a security breach, such as a malicious file hash, suspicious IP address, or unusual registry entry. Signature-based detection works by matching network data against a database of known IoCs.
An IoC, short for indicator of compromise, is a digital clue that tells you an attack has happened or is happening. Think file hashes, suspicious IP addresses, weird registry entries, or odd traffic patterns. If something on your network leaves a fingerprint that points to malicious activity, that fingerprint is an IoC.
In the CED, IoCs are the backbone of signature-based detection (EK 3.5.C.1). A signature is just a known IoC stored in a database. When a detection tool sees data on the network, it compares that data against its signature database. A match means a known attack. This is why signature databases have to be constantly updated with the IoCs of the newest attacks. If an IoC isn't in the database yet, the tool can't catch it.
IoCs live in Unit 3: Securing Networks, specifically Topic 3.5 (Detecting Network Attacks). They show up across several learning objectives. AP Cybersecurity 3.5.C asks you to determine a detection method, and signature-based detection is defined entirely around matching IoCs. AP Cybersecurity 3.5.E asks you to apply detection techniques by analyzing log files, which is where you spot IoCs in real data. Knowing what counts as an IoC is the difference between recognizing an attack and missing it. It's the vocabulary that ties detection tools (NIDS, NIPS) to the evidence they actually hunt for.
Signature-Based Detection (Unit 3)
Signature-based detection IS the practice of comparing network data to a database of known IoCs. No IoCs, no signatures. That's why it only catches attacks it has already seen and why databases must be updated constantly.
Anomaly-Based Detection (Unit 3)
Anomaly-based detection flips the logic. Instead of matching known IoCs, it learns what normal traffic looks like and flags anything that deviates. This is how you catch brand-new attacks that have no IoC in any database yet.
Log Files and AI Threat Detection (Unit 3)
IoCs hide inside the millions of log entries a network generates daily (EK 3.5.B.1). Humans can't read that much data, so AI algorithms classify patterns as malicious or normal, essentially scaling up the hunt for IoCs.
IoC Categories: File-Based, Host-Based, Behavior-Based (Unit 3)
IoCs come in flavors. A malicious file hash is a file-based IoC, a suspicious registry entry is a host-based IoC, and unusual traffic patterns are behavior-based IoCs. The exam expects you to recognize all three as forms of the same idea.
Expect MCQ stems that describe a scenario and ask you to name the concept. One practice question describes a team documenting specific file hashes, suspicious IP addresses, and unusual registry entries, then asks which term fits. The answer is indicators of compromise. Another describes packet captures showing connections to known malicious IPs, traffic spikes, and mismatched ports, again pointing to IoCs. Your job is to read the list of forensic clues and label them as IoCs, then connect them to signature-based detection. No released FRQ uses 'IoC' verbatim, but the term supports any question asking you to determine or evaluate a detection method (AP Cybersecurity 3.5.C and 3.5.D).
An IoC is a known clue, and signature-based detection matches against a database of those clues. Anomaly-based detection doesn't use a database of IoCs at all. It builds a model of normal behavior and flags whatever looks abnormal. So signature-based detection needs IoCs to work, while anomaly-based detection is designed specifically to catch attacks that have no IoC yet.
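To make the contrast concrete, here is an added example (not part of the original study page) that runs both approaches over a handful of constructed log lines. The "signature database" holds one made-up IoC from each category the page names (a file hash, a registry Run key, and a destination IP); the hash, key name, hosts and IPs are all placeholders (the IPs come from documentation-only ranges). The anomaly side builds a model of normal transfer size from a few baseline connections and flags anything far outside it, so it catches a large transfer to an IP that is in no signature database.

```python
"""Toy signature-based vs anomaly-based detection over constructed log lines."""
import statistics

# Constructed IoC "signature database", grouped by the categories the page names.
# Every value here is a made-up placeholder, not a real indicator.
SIGNATURES = {
    "file-based":     {"sha256:" + "ab" * 32},
    "host-based":     {r"registry:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_helper"},
    "behavior-based": {"dst:203.0.113.45"},
}

# Constructed key=value log lines. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges; hosts ws01..ws03 are invented.
BASELINE_LOGS = [  # traffic treated as known-normal, used to train the anomaly model
    "ts=2024-05-01T09:00:00 host=ws01 event=net_conn dst=198.51.100.10 dport=443 bytes=1100",
    "ts=2024-05-01T09:00:05 host=ws02 event=net_conn dst=198.51.100.10 dport=443 bytes=1300",
    "ts=2024-05-01T09:00:10 host=ws03 event=net_conn dst=198.51.100.11 dport=443 bytes=900",
    "ts=2024-05-01T09:00:15 host=ws01 event=net_conn dst=198.51.100.11 dport=443 bytes=1200",
    "ts=2024-05-01T09:00:20 host=ws02 event=net_conn dst=198.51.100.12 dport=443 bytes=1000",
]
LIVE_LOGS = [  # the lines a detection tool would inspect
    "ts=2024-05-01T10:00:01 host=ws01 event=file_exec sha256=" + "ab" * 32 + " path=C:\\Temp\\update.exe",
    "ts=2024-05-01T10:00:05 host=ws01 event=net_conn dst=203.0.113.45 dport=443 bytes=1150",
    "ts=2024-05-01T10:00:09 host=ws02 event=registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost_helper",
    "ts=2024-05-01T10:00:12 host=ws03 event=net_conn dst=198.51.100.10 dport=443 bytes=1050",
    "ts=2024-05-01T10:00:30 host=ws03 event=net_conn dst=198.51.100.99 dport=443 bytes=48000",
]


def parse(line):
    """Split a 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def indicators(rec):
    """Map one parsed record to the IoC strings a signature engine would look up."""
    out = []
    if "sha256" in rec:
        out.append("sha256:" + rec["sha256"].lower())   # file-based clue
    if "key" in rec:
        out.append("registry:" + rec["key"])            # host-based clue
    if "dst" in rec:
        out.append("dst:" + rec["dst"])                 # behavior-based clue
    return out


def signature_detect(lines):
    """Signature-based detection: a hit is an exact match against the IoC database."""
    hits = []
    for i, line in enumerate(lines):
        for ioc in indicators(parse(line)):
            for category, db in SIGNATURES.items():
                if ioc in db:
                    hits.append((i, category, ioc))
    return hits


def build_baseline(lines):
    """Anomaly-based detection, step 1: learn what 'normal' transfer size looks like."""
    sizes = [int(parse(l)["bytes"]) for l in lines if "bytes=" in l]
    return statistics.mean(sizes), statistics.pstdev(sizes)


def anomaly_detect(lines, baseline, threshold=3.0):
    """Step 2: flag connections whose size deviates from the baseline by > threshold std devs.
    No IoC database is consulted, so a never-before-seen destination can still be flagged."""
    mean, sd = baseline
    flagged = []
    for i, line in enumerate(lines):
        rec = parse(line)
        if "bytes" not in rec:
            continue
        z = (int(rec["bytes"]) - mean) / sd
        if abs(z) > threshold:
            flagged.append((i, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for i, category, ioc in signature_detect(LIVE_LOGS):
        print(f"signature hit  line {i}: {category:15s} {ioc}")
    for i, z in anomaly_detect(LIVE_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"anomaly        line {i}: z-score {z} (no matching IoC in the database)")
```

Running it shows the split the page describes: the three lines carrying a known hash, registry key or IP are caught by signature matching, while the oversized connection to 198.51.100.99 is invisible to the signature engine (nothing in the database) and is only caught by the anomaly model.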
An IoC (indicator of compromise) is forensic evidence that an attack happened, such as a malicious file hash, suspicious IP address, or unusual registry entry.
Signature-based detection works by comparing network data against a database of known IoCs called signatures.
Signature databases must be updated constantly, because an IoC that isn't in the database can't be detected.
IoCs come in types: file-based (file hashes), host-based (registry entries), and behavior-based (traffic patterns).
Signature-based detection (IoC matching) is faster and cheaper, but anomaly-based detection is what catches brand-new attacks with no known IoC.
An IoC, or indicator of compromise, is a piece of evidence that signals a security breach, like a malicious file hash, a suspicious IP address, or an unusual registry entry. In signature-based detection, IoCs are stored as signatures and used to match incoming network data against known attacks.
No. Signature-based detection only catches attacks whose IoCs are already in its database. To catch brand-new attacks with no known signature, you need anomaly-based detection, which flags deviations from normal traffic instead of matching known clues.
An IoC is a specific known clue, and anomaly-based detection doesn't rely on those clues at all. Signature-based detection matches data to a database of IoCs, while anomaly-based detection builds a model of normal behavior and flags anything unusual, even attacks no one has seen before.
Yes. File hashes are file-based IoCs, suspicious IP addresses and traffic patterns are behavior-based IoCs, and registry entries are host-based IoCs. They're all forms of the same idea: evidence pointing to a compromise.
Because signature-based detection can only catch attacks whose IoCs it already knows. New malware and attacks create new IoCs, so if the database isn't updated with the latest signatures, those attacks slip through undetected.