Initial indicator of compromise (IoC)

Definition

The first observable artefact or event that triggers the investigation: a hash match, a suspicious process, an anomalous login, or an alert from a detection rule. The IoC is the starting point for scoping, not the conclusion.

Related terms

Blast radius
The full set of systems, accounts, and data that an attacker has accessed or could access given their current level of compromise....
Corroboration
The practice of confirming an observed attacker action by finding evidence of the same action in at least two independent data sources,...
Declaration threshold
The criteria defined in an organisation's IR plan that a suspected event must meet before it is formally declared a confirmed incident,...
Dwell time
The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
Lateral movement
Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...

Explained in

  • Scoping and Confirming an Incident
