---
title: "IoC — AP Cybersecurity Definition & Exam Guide"
description: "An IoC (indicator of compromise) is a digital clue that an attack happened, like a malicious file hash or IP. Key to signature-based detection in AP Cybersecurity Unit 3."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/ioc"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 3"
---

# IoC — AP Cybersecurity Definition & Exam Guide

## Definition

In AP Cybersecurity, an IoC (indicator of compromise) is a piece of forensic evidence that signals a security breach, such as a malicious file hash, suspicious IP address, or unusual registry entry. Signature-based detection works by matching network data against a database of known IoCs.

## What It Is

An **IoC**, short for **[indicator of compromise](/ap-cybersecurity/key-terms/indicator-of-compromise "fv-autolink")**, is a digital clue that tells you an attack has happened or is happening. Think file hashes, suspicious [IP addresses](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink"), weird registry entries, or odd traffic patterns. If something on your network leaves a fingerprint that points to malicious activity, that fingerprint is an IoC.

In the CED, IoCs are the backbone of **signature-based detection** (EK 3.5.C.1). A [signature](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink") is just a known IoC stored in a database. When a detection tool sees data on the network, it compares that data against its signature database. A match means a known attack. This is why signature databases have to be **constantly updated** with the IoCs of the newest attacks. If an IoC isn't in the database yet, the tool can't catch it.

## Why It Matters

IoCs live in **[Unit 3](/ap-cybersecurity/unit-3 "fv-autolink"): Securing Networks**, specifically Topic 3.5 (Detecting Network Attacks). They show up across several learning objectives. **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 3.5.C** asks you to determine a detection method, and signature-based detection is defined entirely around matching IoCs. **AP Cybersecurity 3.5.E** asks you to apply detection techniques by analyzing log files, which is where you spot IoCs in real data. Knowing what counts as an IoC is the difference between recognizing an attack and missing it. It's the vocabulary that ties detection tools (NIDS, NIPS) to the evidence they actually hunt for.

## Connections

### [Signature-Based Detection (Unit 3)](/ap-cybersecurity/key-terms/signature-based-detection)

[Signature-based detection](/ap-cybersecurity/key-terms/signature-based-detection "fv-autolink") IS the practice of comparing network data to a database of known IoCs. No IoCs, no signatures. That's why it only catches attacks it has already seen and why databases must be updated constantly.

### [Anomaly-Based Detection (Unit 3)](/ap-cybersecurity/key-terms/anomaly-based-detection)

[Anomaly-based detection](/ap-cybersecurity/key-terms/anomaly-based-detection "fv-autolink") flips the logic. Instead of matching known IoCs, it learns what normal traffic looks like and flags anything that deviates. This is how you catch brand-new attacks that have no IoC in any database yet.

### Log Files and AI Threat Detection (Unit 3)

IoCs hide inside the millions of log entries a network generates daily (EK 3.5.B.1). Humans can't read that much data, so AI algorithms classify patterns as malicious or normal, essentially scaling up the hunt for IoCs.

### IoC Categories: File-Based, Host-Based, Behavior-Based (Unit 3)

IoCs come in flavors. A malicious file [hash](/ap-cybersecurity/key-terms/hash "fv-autolink") is a file-based IoC, a suspicious registry entry is a host-based IoC, and unusual traffic patterns are behavior-based IoCs. The exam expects you to recognize all three as forms of the same idea.

## On the AP Exam

Expect MCQ stems that describe a scenario and ask you to name the concept. One practice question describes a team documenting specific file hashes, suspicious IP addresses, and unusual registry entries, then asks which term fits. The answer is indicators of compromise. Another describes packet captures showing connections to known malicious IPs, traffic spikes, and mismatched ports, again pointing to IoCs. Your job is to read the list of forensic clues and label them as IoCs, then connect them to signature-based detection. No released FRQ uses 'IoC' verbatim, but the term supports any question asking you to determine or evaluate a detection method (AP Cybersecurity 3.5.C and 3.5.D).

## IoC vs anomaly-based detection

An IoC is a known clue, and signature-based detection matches against a database of those clues. Anomaly-based detection doesn't use a database of IoCs at all. It builds a model of normal behavior and flags whatever looks abnormal. So signature-based detection needs IoCs to work, while anomaly-based detection is designed specifically to catch attacks that have no IoC yet.

## Key Takeaways

- An IoC (indicator of compromise) is forensic evidence that an attack happened, such as a malicious file hash, suspicious IP address, or unusual registry entry.
- Signature-based detection works by comparing network data against a database of known IoCs called signatures.
- Signature databases must be updated constantly, because an IoC that isn't in the database can't be detected.
- IoCs come in types: file-based (file hashes), host-based (registry entries), and behavior-based (traffic patterns).
- Signature-based detection (IoC matching) is faster and cheaper, but anomaly-based detection is what catches brand-new attacks with no known IoC.

## FAQs

### What is an IoC in AP Cybersecurity?

An IoC, or indicator of compromise, is a piece of evidence that signals a security breach, like a malicious file hash, a suspicious IP address, or an unusual registry entry. In signature-based detection, IoCs are stored as signatures and used to match incoming network data against known attacks.

### Can signature-based detection catch attacks that have no known IoC?

No. Signature-based detection only catches attacks whose IoCs are already in its database. To catch brand-new attacks with no known signature, you need anomaly-based detection, which flags deviations from normal traffic instead of matching known clues.

### How is an IoC different from anomaly-based detection?

An IoC is a specific known clue, and anomaly-based detection doesn't rely on those clues at all. Signature-based detection matches data to a database of IoCs, while anomaly-based detection builds a model of normal behavior and flags anything unusual, even attacks no one has seen before.

### Are file hashes and suspicious IP addresses both IoCs?

Yes. File hashes are file-based IoCs, suspicious IP addresses and traffic patterns are behavior-based IoCs, and registry entries are host-based IoCs. They're all forms of the same idea: evidence pointing to a compromise.

### Why do signature databases need constant updates?

Because signature-based detection can only catch attacks whose IoCs it already knows. New malware and attacks create new IoCs, so if the database isn't updated with the latest signatures, those attacks slip through undetected.

## Related Study Guides

- [3.5 Detecting Network Attacks](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/ioc#resource","name":"IoC — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/ioc","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/ioc#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:30.136Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/ioc#term","name":"IoC","description":"In AP Cybersecurity, an IoC (indicator of compromise) is a piece of forensic evidence that signals a security breach, such as a malicious file hash, suspicious IP address, or unusual registry entry. Signature-based detection works by matching network data against a database of known IoCs.","url":"https://fiveable.me/ap-cybersecurity/key-terms/ioc","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.5, LO 3.5.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.5, LO 3.5.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.5, LO 3.5.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.5, LO 3.5.D"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.5, LO 3.5.E"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is an IoC in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"An IoC, or indicator of compromise, is a piece of evidence that signals a security breach, like a malicious file hash, a suspicious IP address, or an unusual registry entry. In signature-based detection, IoCs are stored as signatures and used to match incoming network data against known attacks."}},{"@type":"Question","name":"Can signature-based detection catch attacks that have no known IoC?","acceptedAnswer":{"@type":"Answer","text":"No. Signature-based detection only catches attacks whose IoCs are already in its database. To catch brand-new attacks with no known signature, you need anomaly-based detection, which flags deviations from normal traffic instead of matching known clues."}},{"@type":"Question","name":"How is an IoC different from anomaly-based detection?","acceptedAnswer":{"@type":"Answer","text":"An IoC is a specific known clue, and anomaly-based detection doesn't rely on those clues at all. Signature-based detection matches data to a database of IoCs, while anomaly-based detection builds a model of normal behavior and flags anything unusual, even attacks no one has seen before."}},{"@type":"Question","name":"Are file hashes and suspicious IP addresses both IoCs?","acceptedAnswer":{"@type":"Answer","text":"Yes. File hashes are file-based IoCs, suspicious IP addresses and traffic patterns are behavior-based IoCs, and registry entries are host-based IoCs. They're all forms of the same idea: evidence pointing to a compromise."}},{"@type":"Question","name":"Why do signature databases need constant updates?","acceptedAnswer":{"@type":"Answer","text":"Because signature-based detection can only catch attacks whose IoCs it already knows. New malware and attacks create new IoCs, so if the database isn't updated with the latest signatures, those attacks slip through undetected."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 3","item":"https://fiveable.me/ap-cybersecurity/unit-3"},{"@type":"ListItem","position":4,"name":"IoC"}]}]}
```
