Which of the following statements best describes an Indicator of Compromise (IOC)?

Multiple Choice

Which of the following statements best describes an Indicator of Compromise (IOC)?

Explanation:
Indicators of Compromise are observable artifacts left by attackers or malware that suggest a system has been breached or is subject to ongoing malicious activity. These artifacts are concrete and recognizable, such as a domain known for hosting malware, a file hash tied to a known malicious sample, or a distinctive network traffic pattern. They are used to detect and triage potential incidents by cross-referencing them against logs, alerts, and threat intelligence. They are not general records of user actions, a broad threat model document, or a routine maintenance checklist; those serve different purposes. The value of an IOC lies in providing a concrete, actionable signal that, when correlated with other data, indicates a possible compromise.