Indicators of compromise (IOCs) are observable artifacts of malicious activity: file hashes, IP addresses, domain names, URLs, email senders, command-line patterns, registry keys, and process behaviors. IOCs are the unit of currency for threat-intel sharing and detection rules. Cyren produces and consumes IOCs as part of its threat intelligence operation.
Detection rules across SIEM, EDR, and email security platforms ultimately resolve to IOC matches. The same Snort rule, YARA pattern, or Sigma query can be expressed as a set of IOCs the system is watching for. Standardizing on IOCs as the exchange format made the entire detection ecosystem composable: a customer can subscribe to multiple feeds and union them.
The flip side is IOC churn. Attackers rotate infrastructure to invalidate old IOCs. The half-life of a malicious domain is hours to days; the half-life of a malware hash is days to weeks. IOC feeds that update fast and decay old indicators automatically are more useful than static lists.
IOCs are the data payload of threat intelligence. URL reputation and IP reputation are score-form expressions of IOC observations.
A SOC ingests a STIX bundle from a CTI provider containing 14,000 new IOCs across the last hour: 9,000 URLs, 3,200 IPs, and 1,800 file hashes. Detection rules across the SIEM automatically reload. A second example: an IR team responding to a confirmed breach extracts IOCs from forensic artifacts, contributes them back to their CTI provider through STIX/TAXII, and the IOCs propagate to other customers within minutes.
IOCs are artifacts. TTPs (tactics, techniques, procedures) are behavioral patterns. TTPs survive infrastructure rotation; IOCs do not. Mature detection programs use both.
STIX 2.x defines the data format. TAXII defines the transport. Most modern CTI providers and SIEMs support both. Older formats (OpenIOC, custom JSON) still exist but are declining.
IOC lifetimes range from hours to weeks depending on type. URLs and IPs rotate fastest. File hashes survive longer because attackers reuse malware families. CTI feeds typically apply automatic decay to keep their working set fresh.
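The STIX ingestion, feed union and type-dependent decay described above, as an added example that is not Cyren's or Data443's code. The half-life values, the simplified single-comparison STIX pattern parser and the two sample feeds are assumptions constructed for illustration.

```python
import json, re
from datetime import datetime, timedelta, timezone

# Assumed half-lives per STIX object type (illustrative; the page says hours to weeks).
HALF_LIFE = {"url": timedelta(hours=12), "ipv4-addr": timedelta(days=1),
             "file": timedelta(days=14)}
DEFAULT_HALF_LIFE = timedelta(days=7)  # assumption for types not listed above

# Matches simple single-comparison STIX patterns such as
# "[url:value = 'http://x']" or "[file:hashes.'SHA-256' = '...']".
_PATTERN = re.compile(r"\[(?P<type>[\w-]+):[^=]+=\s*'(?P<value>[^']+)'\]")

def parse_indicators(bundle_json):
    """Yield (stix_type, value, created) for each Indicator object in a bundle."""
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue  # compound/unsupported pattern: skip rather than mis-parse
        created = datetime.strptime(obj["created"], "%Y-%m-%dT%H:%M:%S.%fZ")
        yield m["type"], m["value"], created.replace(tzinfo=timezone.utc)

def live_iocs(bundles, now):
    """Union several feeds into {stix_type: set(values)}, dropping decayed IOCs."""
    watch = {}
    for bundle_json in bundles:
        for stix_type, value, created in parse_indicators(bundle_json):
            if now - created > HALF_LIFE.get(stix_type, DEFAULT_HALF_LIFE):
                continue  # aged out: keeping it would only produce stale alerts
            watch.setdefault(stix_type, set()).add(value)
    return watch

# Constructed sample feeds (not real intel); 'created' is relative to NOW.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)
def _ts(age): return (NOW - age).strftime("%Y-%m-%dT%H:%M:%S.000Z")
def _ind(n, age, pattern):
    return {"type": "indicator", "id": f"indicator--{n}", "created": _ts(age),
            "pattern": pattern, "pattern_type": "stix"}
FEED_A = json.dumps({"type": "bundle", "id": "bundle--a", "objects": [
    _ind(1, timedelta(hours=2), "[url:value = 'http://bad.example.test/login']"),
    _ind(2, timedelta(days=3), "[ipv4-addr:value = '203.0.113.7']"),
    _ind(3, timedelta(days=3), "[file:hashes.'SHA-256' = '%s']" % ("0" * 64))]})
FEED_B = json.dumps({"type": "bundle", "id": "bundle--b", "objects": [
    _ind(4, timedelta(hours=1), "[url:value = 'http://bad.example.test/login']"),
    _ind(5, timedelta(hours=6), "[ipv4-addr:value = '198.51.100.9']")]})

if __name__ == "__main__":
    print(live_iocs([FEED_A, FEED_B], NOW))
```

The three-day-old IP from feed A is dropped while the three-day-old hash survives, and the URL reported by both feeds appears once in the watch set.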
Cyren does both. It ingests telemetry from its global sensor network, derives IOCs, scores them, and publishes them through standard formats. Customers can also feed their own IOCs into Cyren for enrichment.
Last updated: 2026-05-20.