IOC vs TTP: What Is the Difference and Why It Matters for Your Defenses

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
When a threat intelligence report arrives after an incident, it typically contains a list of file hashes, IP addresses, and domain names used in the attack. Most organizations immediately block those artifacts. This is correct but insufficient: by the time the report is written, the attacker has already moved to different infrastructure.
The difference between IOCs and TTPs is the difference between reactive blocking and durable detection. Both are useful. Neither alone is sufficient.
What IOCs Are and Why They Have a Short Shelf Life
IOCs are the specific artifacts produced by a past attack. The Pyramid of Pain, published by David Bianco in 2013 and still the most useful mental model for this concept, categorizes IOCs from easiest to most difficult for attackers to change:
Hash values (easiest to change): A file hash changes with any modification to the file: adding a single byte, recompiling the same source code, or packing with a different packer produces a completely new hash. Sophisticated threat actors rotate malware hashes between campaigns as a matter of routine operational security. A hash IOC that was accurate yesterday may not match tomorrow's version of the same malware.
IP addresses: Attackers change C2 infrastructure constantly. Bulletproof hosting, fast-flux DNS, and cloud provider accounts rotate IP addresses in hours. Blocking an IP address from a published threat intel report blocks yesterday's infrastructure, not tomorrow's.
Domain names: Harder to rotate than IPs because domain registration and DNS propagation take time: but not hard enough. Sophisticated groups maintain large inventories of pre-registered domains and rotate between them routinely.
Network and host artifacts: File paths, registry keys, mutex names, and user-agent strings used by specific malware families. Easier for defenders to detect but also easier for attackers to change than TTPs.
The critical insight: IOC-based blocking is accurate for the specific campaign that generated the IOCs. Once the attacker changes infrastructure (which sophisticated groups do within hours of exposure), the blocks are worthless against the next campaign from the same group.
What TTPs Are and Why They Are Durable
TTPs describe how attackers achieve their objectives, not the specific artifacts they use to do it.
Tactics are the high-level goals: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. These map to MITRE ATT&CK's 14 tactic categories.
Techniques are the specific methods used to achieve each tactic: for Credential Access, techniques include LSASS memory dumping, Kerberoasting, credential stuffing, and keylogging. For Persistence, techniques include scheduled task creation, registry run key modification, and malicious service installation.
Procedures are the specific implementations: the exact tools, commands, and configuration choices used in a particular campaign. Procedures are more specific than techniques but less specific than IOCs: they describe the method of execution without identifying a specific file hash.
Why TTPs persist: attackers invest significant time and resources learning and operationalizing their methods. Changing a domain name costs nothing. Changing a TTP requires retraining, developing new tooling, and testing new methods against security controls: a high-cost, high-effort change that sophisticated groups only make when forced to by detection pressure. APT34, APT28, and Lazarus Group have used recognizably consistent TTPs across documented campaigns spanning 5-10 years, regardless of how many times their IOCs were published and blocked.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Practical Difference in Your Security Stack
IOC-based defenses:
Firewall blocklists, DNS sinkholes, SIEM rules filtering by known-bad IP ranges, and hash-based blocking in endpoint security are all IOC-based controls. They are valuable because they stop confirmed-bad activity immediately, require minimal configuration once the IOC list is ingested, and produce high-confidence alerts when they fire (a known-malicious hash executing is a confirmed true positive).
Limitation: zero coverage against any infrastructure or file not on your blocklist, including the same attacker operating with new IOCs.
TTP-based defenses:
SIEM rules based on behavioral patterns (encoded PowerShell execution, scheduled task creation in temp directories, LSASS memory access from unexpected processes) and threat hunting hypotheses grounded in technique knowledge. These detect attacker behavior regardless of which specific tools or infrastructure are used.
Example: An IOC-based defense blocks APT34's known C2 domain. When APT34 registers a new domain, that defense provides zero coverage. A TTP-based defense that detects DNS queries to high-entropy domains from endpoints that do not typically make such queries catches APT34's new domain before it is added to any blocklist.
Limitation: TTP-based rules produce more false positives than IOC-based rules because the behaviors they detect (PowerShell execution, scheduled task creation) are also performed by legitimate software. Tuning is required.
How to Use Both Together
The correct security posture uses IOCs and TTPs at different layers of the detection stack.
IOCs at the perimeter and endpoint as immediate blockers: Ingest threat intelligence feeds (CISA, ISACs, commercial feeds, peer sharing) into your firewall, DNS resolver, and EDR platform. IOC blocks stop confirmed-bad activity immediately and generate high-confidence alerts for the specific campaigns that generated the intelligence.
TTPs in your SIEM as behavioral detection: Build SIEM rules based on MITRE ATT&CK techniques rather than (or in addition to) IOC-based filters. These rules detect attacker behavior without requiring prior knowledge of the specific tools or infrastructure.
Threat hunting with TTPs as your hypothesis: When new threat intelligence arrives about an APT group, extract their TTPs from the report (or look them up in ATT&CK's Group pages) and hunt for those behaviors in your environment. You may not have their IOCs in your blocklist, but you can look for their operational patterns.
Prioritize TTP coverage over IOC coverage as your program matures. IOC coverage is easier to implement (import a list, update a rule) but provides diminishing returns as attacker infrastructure rotation accelerates. TTP-based detection requires more development time but provides coverage that does not expire when the attacker changes their domain registration.
The CISA advisories published for APT34 (OilRig), APT28, and Lazarus Group all include both IOCs and TTPs. The IOCs are useful for the current campaign; the TTPs are useful forever.
The bottom line
IOCs are specific artifacts from past attacks: file hashes, IPs, domains: that attackers rotate within hours of exposure. TTPs are the behavioral methods attackers use that persist across campaigns for years. IOC-based blocking is accurate but perishable. TTP-based detection is harder to build but does not expire when the attacker changes infrastructure. A mature threat intelligence program ingests IOCs for immediate blocking while building SIEM detection and hunting capabilities grounded in TTP knowledge. Both are required; neither alone is sufficient.
Frequently asked questions
What is the difference between an IOC and a TTP in cybersecurity?
An IOC (Indicator of Compromise) is a specific artifact from a past attack: a file hash, IP address, or domain: that confirms compromise when detected. A TTP (Tactic, Technique, and Procedure) describes how an attacker achieves their objectives: the behavioral method rather than a specific artifact. Attackers rotate IOCs in hours; TTPs persist for years because changing them requires significant investment.
Why is TTP-based detection better than IOC-based detection?
TTP-based detection is more durable because attacker behavior patterns persist across campaigns even when specific tools and infrastructure are replaced. An IOC block becomes ineffective as soon as the attacker registers a new domain or changes a file hash. A TTP-based rule that detects encoded PowerShell execution from a Word document catches the same technique regardless of which specific malware payload or C2 domain is used.
Where do threat intelligence IOCs come from?
IOCs are collected from multiple sources: malware sandbox analysis (file hashes, C2 IP addresses, registry keys from detonated samples), threat intelligence feeds (commercial vendors like Recorded Future, CrowdStrike Falcon Intel, or free feeds like Abuse.ch MISP), incident response investigations (IOCs extracted from forensic analysis of compromised systems), and information sharing communities (ISACs, ISAO, and MISP instances shared among industry peers). IOC quality varies significantly by source: freshness, false positive rate, and context all differ.
What is the IOC pyramid of pain?
The Pyramid of Pain (David Bianco, 2013) describes how difficult it is for an attacker to change each type of IOC when defenders detect and block it. Hash values and IP addresses are at the bottom: trivial for attackers to change. Domain names and network artifacts are in the middle. TTPs (tactics, techniques, and procedures) are at the top: the most painful for attackers to change because they require fundamentally altering how the attack works. Defenders who operate at the TTP level force attackers to completely redesign their operations; defenders operating only at the hash level impose no meaningful friction.
What is a STIX/TAXII feed and how is it used?
STIX (Structured Threat Information Expression) is a standardized JSON format for representing threat intelligence including indicators, campaigns, threat actors, and TTPs. TAXII (Trusted Automated Exchange of Intelligence Information) is the transport protocol for sharing STIX content between platforms. Commercial threat intel platforms and government feeds (CISA AIS, ISACs) publish STIX over TAXII. SIEMs and threat intel platforms with TAXII connectors can ingest these feeds automatically, applying IOCs as detection rules or enrichment context for alerts without manual import.
How do I evaluate whether a commercial threat intelligence feed is worth the investment?
Threat intelligence feed quality varies significantly, and the marketing materials do not reliably distinguish useful feeds from noisy ones. Evaluate a feed before committing to a contract by requesting a trial or sample data set and measuring four dimensions. First, freshness: how quickly do IOCs appear in the feed after a campaign is observed in the wild? A feed that publishes IOCs three weeks after an incident has already closed its detection window. Compare the feed's IOC publication timestamps against public incident reporting to measure lag. Second, false positive rate: what percentage of the feed's IOCs, if blocked, would affect legitimate traffic in your environment? Test a sample of the feed's IP and domain IOCs against your DNS and proxy logs from the past 30 days to see how many appear in legitimate traffic. High false positive rates mean the feed will generate alert fatigue or break legitimate services if enforced as blocks. Third, TTP coverage: does the feed include technique information and adversary attribution beyond raw IOCs? A feed that provides only IP addresses and hashes with no adversary context cannot support threat hunting or detection engineering work. Fourth, relevance: are the threat actors and campaigns covered by this feed actually targeting your industry and geography? A financial services firm has different threat intelligence needs than a healthcare provider. The most expensive feed is not necessarily the most relevant to your specific threat model.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
