An IOA (Indicator of Attack) detects a breach from the behavior of an attack in progress (privilege escalation → lateral movement → exfiltration). It is the counterpart to the IOC (Indicator of Compromise), which identifies a breach after the fact. Attackers can swap hashes and IPs instantly, but the technique (the behavior) is hard to change, so IOAs last. Even small teams can approach IOA-based detection by watching for behavior that differs from normal.