IOCs Are Dead. Long Live IOCs.
A foot of snow fell in Maryland the other week. My German shepherd Mango has a red ball she’d trade her life for. I pushed it down the hill.
She watched it bounce. Stomped her feet. Barked at the sky. Launched herself.
Up up up. Down down down. Face first. POW.
Snow everywhere. Ball nowhere near her.
Mango’s problem is that she always seems to jump to where the ball was. She commits with everything she has and arrives with a snout full of snow but long after the ball has already moved on.
This is what we’re doing with indicators of compromise.
The indicator of compromise (the hash, the IP, the domain) is the fundamental currency of threat intelligence. That currency collapses a little more each quarter. Ninety percent of command-and-control infrastructure dies within five days; the average shared IOC arrives 33 days later, after the server it describes has already gone dark. Adversaries industrialized signature production. Nation-state campaigns increasingly generate unique code per target, and commodity crimeware trends the same direction as offensive toolkits democratize, modular C2 frameworks lower the barrier to entry, and AI-assisted development accelerates payload generation. The gap between state-sponsored and criminal infrastructure narrows by the month. The IOC might yet survive. Repositioned as raw material inside a contextual intelligence pipeline that routes the right intelligence to the right consumer at the right time for the right reasons, the indicator can still carry weight. The finished product of intelligence just looks different now.
The Dead Letter Office
The empirical case continues to stack fast against legacy indicators of compromise.
Censys research found the median Cobalt Strike C2 server lives for five days. A 2022 IoT botnet study corroborated the finding that 90% of C2 servers died within five days and 93% within fourteen. Recorded Future documented a 33-day average delay between initial detection of a C2 server and the moment that indicator surfaces in a published threat report.
The indicator expires long before a defender even knows to use it.
The malware story is no different. Malware developers ship new code faster than legacy IOCs can have any meaningful impact. Mandiant’s M-Trends 2025, drawn from 450,000+ hours of investigations, catalogued 632 new malware families in 2024. Total tracked families exceeded 5,500. The volume of unique signatures now outpaces any single organization’s capacity to consume them, let alone operationalize them against a live threat.
Academics formalized what practitioners already knew. Tostes et al. published the first real-world evaluation of IOC aging thresholds in 2023, demonstrating that indicator reliability degrades on predictable curves. Barnhart and Lee followed in October 2025 with adversary-aware retention modeling through SANS, confirming that threat actors cycle infrastructure at different rates and that uniform decay models waste analyst hours chasing dead indicators.
Three independent lines of evidence. Same conclusion. The platforms themselves conceded the point. MISP built formal decay scoring into its platform. OpenCTI 6.0 shipped configurable decay rules with automatic revocation when indicator scores drop below thresholds. Dragos published end-of-life guidance advising that IP-based indicators should carry expiration dates. When your tooling needs a built-in expiration system for the data it processes, the data model carries a structural defect.
The data establishes that IOCs are dying. The harder question is why. The hardest question is what to do about it.
How the Mint Broke
Offense industrialized.
Hundreds of specialized firms now provide discrete kill chain services across the Chinese cyber ecosystem. One company handles reconnaissance, another brokers initial access. A third provides command infrastructure. A fourth manages exfiltration. Each firm perfects one phase and sells it as a service. The ecosystem scales horizontally, like a manufacturing supply chain producing custom goods at commodity speed. Attribution fragments along the same lines: organizational boundaries, tooling, and tradecraft shift at every phase of an operation, making it nearly impossible to trace a full campaign to a single actor.
ShadowPad illustrates the production model. SentinelLABS tracked the PurpleHaze activity cluster spanning July 2024 to March 2025, linking ShadowPad deployments across 70+ organizations and leveraging Operational Relay Box networks operated from China. Trend Micro documented updated variants targeting 21 companies across 15 countries in February 2025. Secureworks CTU ties ShadowPad clusters to MSS and PLA-affiliated groups. Darktrace independently confirmed ShadowPad detections in customer environments. The toolkit remains in active development. A living product line, refined and shipped with the regularity of a commercial software release.
The infrastructure hosting that C2 traffic sits inside the same cloud environment defenders depend on. AWS and Google restricted classic domain fronting in 2018 (Signal documented the impact; AWS published enhanced domain protections) after the Telegram-Russia blocking crisis drove collateral damage across 15.8 million IP addresses. Threat actors adapted. They stopped disguising traffic through CDNs and moved into the infrastructure itself. ShadowPad C2 now uses spoofed TLS certificates impersonating Intel and Dell, hosted on commercial providers. Your adversary’s command server and your production workload share a subnet.
Meanwhile, modular C2 frameworks exploded in adoption. Sliver, Havoc, Brute Ratel C4, and Mythic displaced Cobalt Strike as operators’ tools of choice. Each generates unique beacons per deployment. The C2 framework market also industrialized. Unique infrastructure generation became trivial for operators at every sophistication tier, from state-sponsored teams to ransomware affiliates running weekend operations out of a Discord server.
The ball accelerates. And we built a machine that manufactures new balls.
The Gold Standard After the Gold Ran Out
The intelligence-sharing economy was designed around the assumption that signatures carry reusable detection value across organizations. ISACs distribute indicators. Government bulletins circulate hashes and IPs. Vendors sell threat feeds built on the same premise that knowing what’s “bad” protects you from it. MISP stores and correlates those indicators, STIX/TAXII formats the transport, and the IETF formalized the concept in RFC 9424. Every layer of the cooperative architecture between defenders trades in the IOC currency.
Think about what that means beyond any single organization’s detection capability. ISACs built their entire coordination model on IOC exchange. Government cybersecurity bulletins circulate IOCs as their primary unit of cooperation and value creation. Vendor relationships between threat intelligence providers and their customers are denominated in indicators per feed. Alliance frameworks in the Indo-Pacific, across NATO, between Five Eyes partners, all assume that sharing “known bad” signatures constitutes meaningful cooperation. When the underlying unit of exchange loses reliability, the connective tissue between defenders degrades, and the cooperative infrastructure that took three decades to build across sectors, across alliances, across public-private partnerships starts to fray at every junction. Every ISAC meeting, every government alert, every threat feed subscription becomes a transaction conducted in a currency that buys less and less each quarter.
IOCs didn’t devalue like fiat currency through lost faith in an issuing authority. Adversaries made the underlying asset (a static signature) trivially reproducible. This is the equivalent of monetary counterfeiting. Adversaries flooded the market with unique signatures the way a counterfeiter floods an economy with bills, draining each individual indicator of value while the category of ‘indicator’ retains the same theoretical worth that the concept of ‘currency’ retains after hyperinflation. The platforms themselves conceded the point years ago, building expiration systems into the data they process. Everyone still trades in the currency because no alternative exchange mechanism exists. The infrastructure persists because switching costs run high and no replacement clearing house has been built.
The IOC-centric model of threat intelligence is failing. The response: stop treating the indicator as the finished product.
What Lives On
David Bianco proposed the Pyramid of Pain in 2013 (SANS maintains a reference). Hash values at the bottom, trivial for attackers to change. TTPs at the top, expensive to alter. Thirteen years later, the hierarchy maps directly onto what practitioners say they want: stop pouring resources into the bottom of the pyramid and start climbing.
The hash, the IP, the domain: these persist as anatomical components inside a richer intelligence organism. They carry forensic value. They anchor attribution chains. They catch commodity crimeware. And they belong inside a larger system as raw inputs, components that a pipeline digests and transforms into actionable intelligence. The IOC goes in as raw material. Contextual, time-bound, consumer-specific intelligence comes out. Each tier of the pipeline performs a different metabolic function, and the organism produces something the raw indicator could never be on its own.
I’m proposing a three-tier intelligence pipeline.
Tier 1: Tactical automation. Atomic indicators get ingested, time-bounded using adversary-aware decay models, and scanned against environmental assets. This last part is key because it defines the context. Intelligence is useless without it. Indicators need salience and context to be usable. We still haven’t solved this problem and no, EDR/MDR/XDR doesn’t meet the need. Environments are more complex than a jumble of endpoints. The indicator needs a system that knows whether it matters to this environment and whether the indicator still breathes, not an analyst spending twenty minutes triaging a dead IP against hundreds of end user devices or a static malware hash against three dozen OS versions.
Tier 2: Operational TTP routing. Campaign behavior, technique patterns, and behavioral indicators get routed to threat hunting teams who translate them into environment-specific hypotheses. MITRE ATT&CK provides the taxonomy. Tools like TRAM and emerging ML classifiers (AC_MAPPER showing ~93% accuracy on benchmarks) accelerate extraction, but human analysts remain essential for validation and environmental translation. A detection rule that works in one network architecture may fire false positives in another. The analyst bridges that gap.
Tier 3: Strategic business intelligence. High-level threat landscape, sector-specific trends, and incident context packaged for business leaders and client-facing teams. No hashes or IPs. Situational awareness stripped of technical granularity. The executive receiving a strategic intelligence product shouldn’t need to know what a C2 server is. They need to know whether their risk profile changed this quarter.
SOC practitioners describe wanting exactly this model. Time-bounded indicators automated. TTPs routed to hunters. Strategic intelligence pushed to business leadership, where a CISO or a client-facing executive can walk into a meeting and say “I read about that incident, here’s our exposure” without parsing a STIX bundle. The model maps to existing organizational roles and consumption patterns. It works because it routes intelligence to the consumer who can act on it based on context, rather than dumping everything into a shared feed and hoping the right person finds the right needle in a sea of needles.
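What the Tier 1 stage looks like in code, and the adversary-aware decay curves that MISP and OpenCTI now ship, as an added example that is not part of the original post or of either platform’s code. The score formula follows the shape MISP documents (base score scaled by one minus the age/lifetime ratio raised to 1/decay speed); the per-type lifetimes, the revocation threshold, the feed, and the environment telemetry are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, adversary-aware lifetimes in days. A uniform curve wastes analyst
# hours: C2 IPs die within days, while a hash keeps forensic value far longer.
LIFETIMES = {
    ("ip", "default"): 5.0,            # median C2 lifetime cited in the post
    ("ip", "commodity-botnet"): 3.0,   # assumed faster churn for this actor class
    ("domain", "default"): 14.0,
    ("hash", "default"): 90.0,
}
DECAY_SPEED = 1.0     # 1.0 is a straight line; larger values hold the score longer
REVOKE_BELOW = 20.0   # assumed OpenCTI-style automatic revocation threshold

@dataclass
class Indicator:
    kind: str
    value: str
    first_seen: datetime
    actor: str = "default"
    base_score: float = 100.0

def decay_score(ind: Indicator, now: datetime) -> float:
    """Current score: base * (1 - (age / lifetime) ** (1 / DECAY_SPEED)), floored at 0."""
    lifetime = LIFETIMES.get((ind.kind, ind.actor), LIFETIMES[(ind.kind, "default")])
    age_days = max(0.0, (now - ind.first_seen).total_seconds() / 86400)
    if age_days >= lifetime:
        return 0.0
    return round(ind.base_score * (1 - (age_days / lifetime) ** (1 / DECAY_SPEED)), 1)

def triage(indicators, observed, now):
    """Tier 1: revoke dead indicators, then keep only live ones this environment has seen.
    `observed` maps indicator kind -> set of values present in local telemetry.
    Returns {value: (score, status)}, status in {"revoked", "no-exposure", "alert"}."""
    result = {}
    for ind in indicators:
        score = decay_score(ind, now)
        if score < REVOKE_BELOW:
            status = "revoked"           # dead: never reaches an analyst
        elif ind.value in observed.get(ind.kind, set()):
            status = "alert"             # alive and present here: worth the triage
        else:
            status = "no-exposure"       # alive but irrelevant to this environment
        result[ind.value] = (score, status)
    return result

# Constructed feed: one IP that arrived at the post's 33-day average delay, plus fresher items.
NOW = datetime(2025, 3, 1)
FEED = [
    Indicator("ip", "203.0.113.7", NOW - timedelta(days=33)),    # dead before it arrived
    Indicator("ip", "198.51.100.9", NOW - timedelta(days=2)),    # two days old, still breathing
    Indicator("ip", "198.51.100.10", NOW - timedelta(days=2), "commodity-botnet"),
    Indicator("domain", "c2.example", NOW - timedelta(days=7)),  # halfway through its life
    Indicator("hash", "0" * 64, NOW - timedelta(days=33)),       # constructed SHA-256 placeholder
]
OBSERVED = {"ip": {"203.0.113.7", "198.51.100.9"}, "domain": set(), "hash": {"0" * 64}}
```

Note that the 33-day-old IP is scored 0 and dropped even though local telemetry has seen it: the match would still be worth a retrospective hunt, but that is Tier 2 work, not a Tier 1 alert.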
The problem runs deeper than design.
Everyone knows what the replacement looks like. The pieces sit on the table. The tools exist in fragments. The capabilities and technologies are right there for the taking. And yet, nobody has built it. Why?
Why Nobody Built the Replacement
Every sophisticated defender knows IOCs are degrading. The replacement model (contextual pipelines, behavioral baselines, TTP detection) is well-understood theoretically. Everyone points to cost and complexity. The deeper answer sits in the incentive structure.
The data moat holders who won’t share. Behavioral baselines require years of historical telemetry across diverse environments. The organizations that already have this depth (large MSSPs, hyperscalers, major carriers with network-level visibility) carry zero incentive to commoditize it. Their competitive advantage is the baseline. Productizing that depth as accessible infrastructure destroys the moat. The entities best positioned to build the replacement have the least incentive to make it accessible. A natural monopoly dynamic forms, concentrating defensive capability among incumbents and discouraging new entrants.
The platform hosts who won’t constrain. AWS, Azure, and Google Cloud have the scale, compute, and telemetry to build contextual enrichment pipelines as platform services. They also host the adversary’s C2 infrastructure. ShadowPad C2 runs on the same cloud providers that sell security products to the defenders tracking it. The hyperscaler revenue model depends on frictionless provisioning, the same frictionless provisioning that lets threat actors spin up disposable infrastructure in minutes. They build security products: detection layers bolted onto a platform that’s at best insecure by design and at worst actively malicious. They don’t build architectural constraints that restrict adversary operations because those constraints would restrict legitimate customers and slow growth.
The standards that don’t exist. STIX/TAXII solved the transport problem for IOC exchange. No equivalent standard exists for behavioral pattern exchange. You can share a hash in a structured format that any tool can ingest. You cannot share “this is what abnormal lateral movement looks like in a hybrid Azure AD environment with legacy on-prem domain controllers” in a machine-readable format that another organization can operationalize. MITRE ATT&CK provides taxonomy, the language for describing techniques, but not operational detection logic. The Sigma rule project comes closest with shareable detection rules mapped to techniques. Adoption remains fragmented. Coverage stays incomplete. Without a transport standard for behavioral intelligence, the replacement economy can’t form. There is no clearing house because there is no common denomination.
Offense industrialized because specialization created revenue for each kill chain provider, the ecosystem’s modularity allowed each participant to optimize independently without coordinating with the others, and the entire apparatus scaled because every incentive pointed in the same direction at the same time. Defense hasn’t industrialized because the incentives oppose it. The defenders who build infrastructure profit from keeping it proprietary. The platforms that could enforce architectural constraints profit from permissiveness. And the standards that would enable exchange don’t exist.
The government, which historically forced coordination through mandates (EO 14028 required SBOMs for federal software), can mandate formats. It cannot mandate baselines. You can require organizations to produce a Software Bill of Materials. You cannot require them to maintain a decade of behavioral telemetry and share deviation patterns with their competitors.
The defense industrialization gap persists by design. The two-tier security landscape, where organizations with resources build contextual pipelines while everyone else consumes degrading IOC feeds, has the structure of a permanent equilibrium.
My Prediction
Three things could break the deadlock.
A catastrophic event that forces open behavioral intelligence sharing, the cyber equivalent of September 11th restructuring the entire U.S. intelligence community under a Director of National Intelligence (unlikely to occur anytime soon). A regulatory mandate with real teeth on behavioral telemetry exchange, moving beyond format requirements to capability requirements (unlikely to occur anytime soon). Or a market entrant that cracks the economics of defensive infrastructure as a platform without destroying the data moat that makes it valuable (the only feasible option). The AWS of cyber defense.
I don’t know which one arrives first. I suspect the catastrophic event and the regulation pathways just never materialize to the degree needed to drive real change. What I do know is that the current trajectory hardens the two-tier landscape quarter by quarter. The IOC-sharing economy degrades. The gap between resourced defenders and everyone else widens. And the organizations consuming stale indicator feeds today will look up in eighteen months wondering why their detection rates collapsed while their threat feed subscription costs grew another 6%.
The question for every organization reading this: Are you building the contextual pipeline, the three-tier model that gives IOCs a meaningful role inside a richer intelligence organism? Or are you waiting for someone else to build it for you?
Because Mango is still running to where the ball was. And the ball keeps picking up speed.